GoExec: Next-Gen Remote Execution Tool Boosts OPSEC for Windows Attacks

GoExec is a new take on some of the methods used to gain remote execution on Windows devices. GoExec implements a number of largely unrealized execution methods and provides significant OPSEC improvements overall.

Goexec supports four primary methods for gaining remote execution on Windows devices, all of which involve the use of Remote Procedure Call(s) (RPC) communicating with the following services:

• Service Control Manager (MS-SCMR)
• Task Scheduler (MS-TSCH)
• Distributed Component Object Model (MS-DCOM)
• Windows Management Instrumentation (MS-WMI)

Service Control Manager (MS-SCMR)

One of the more common protocols used for remote execution on Windows is Service Control Manager Remote (SCMR). Put simply, Service Control Manager Remote enables remote control and configuration of Windows services using RPC. Utilization of this protocol to spawn processes is implemented by many tools in the offensive security space including Impacket’s psexec.py and smbexec.py scripts, and Cobalt Strike’s jump psexec command. This method is also used in legitimate system administration tools like PsExec.

Remote Execution with SCMR

Remote execution can be achieved in a couple of different ways using SCMR, but most implementations will make calls to RCreateServiceW and RStartServiceW to create a service that will spawn a process using the provided lpBinaryPathName.

SCMR Module

The SCMR module works a lot like smbexec.py, but it provides additional RPC transports, and uses MSRPC by default instead of SMB named pipes.

scmr change

The scmr change command allows operators to execute programs by modifying existing Windows services using the RChangeServiceConfigW method rather than calling RCreateServiceW. This may lower the chance of detection in some environments as many of the more popular offensive tools (such as smbexec.py and psexec.py) do not have this capability.

scmr create

The scmr create command will use SCMR to create a new service, start the service, then delete it. This is a similar operation to the one implemented in smbexec.py.

Protocol References

• RChangeServiceConfigW
• RCreateServiceW
• RStartServiceW
• ROpenSCManagerW

Task Scheduler (MS-TSCH)

The Task Scheduler service is used to create and manage scheduled tasks running on a remote Windows device. This service is primarily used by the graphical Windows “Task Scheduler” application and schtasks.exe. The Task Scheduler service can often be abused by attackers with administrative access to execute programs on the remote machine.

Remote Execution with Task Scheduler

Remote execution via Task Scheduler may involve the creation of new scheduled tasks or manipulation of existing tasks, typically using the Exec action to spawn a process when the task starts.

Task Scheduler Module

Goexec’s tsch module expands on common implementations such as atexec-pro and Impacket’s atexec.py script by providing additional flexibility and capabilities.

• Modify existing scheduled tasks In addition to scheduled task creation, Goexec can change existing task definitions to achieve program execution using the tsch change command. This includes the ability to restore tasks to their original definition shortly after program execution.

• Evade signature detection Many of the existing tools will provide very obvious signatures of malicious activity during task creation (see atexec.py, atexec-pro). Goexec avoids this by constructing an extremely flexible task definition with many dynamic values.

• Avoid certain remote calls Goexec can entirely avoid making certain RPC calls that may be considered unusual or malicious such as SchRpcRun and SchRpcDelete, which are unconditionally used by atexec.py and atexec-pro. Goexec makes use of the TimeTrigger element and the DeleteExpiredTaskAfter setting to start and delete the task automatically.

tsch create

The create method calls SchRpcRegisterTask to register a scheduled task with an automatic start time. This method avoids directly calling SchRpcRun, and can even avoid calling SchRpcDelete by populating the DeleteExpiredTaskAfter setting.

tsch change

The tsch change command calls SchRpcRetrieveTask to fetch the definition of an existing task, then modifies the task definition to spawn a process at the operator’s will. By default, this method will restore the task definition to its original value after execution is completed.

tsch demand

The tsch demand command will call SchRpcRegisterTask, but rather than setting a defined time when the task will start like tsch change, it will additionally call SchRpcRun to forcefully start the task.