Bug fixes, +`dcom shellwindows` +`dcom shellbrowserwindow` (#17)HEAD main

* Negotiate (not force) highest SMB dialect * Fixed some issues with SMB client * `dcom`: new method: `shellwindows` * Update gitignore * TODO: new feature ideas, check ShellWindows * `dcom`: new method: `shellbrowserwindow` * update README.md with DCOM ShellWindows & ShellBrowserWindow modules. * Tweaks to shellbrowserwindow.go * Bumped adauth to v0.3.0 + other deps
author: Bryan McNulty <bryan@falconops.com> 2025-05-06 17:14:13 -0500
committer: GitHub <noreply@github.com> 2025-05-06 17:14:13 -0500
commit: 19af8d591a224cb104996a50935a8f4b1643a3a1 (patch)
tree: efadc3b5c58820e686b74f49dd01bd9993baf3af
parent: 10eee0ed28ecf5f22967a935e3596000e75cd63e (diff)
download: goexec-main.tar.gz
goexec-main.zip
13 files changed, 552 insertions, 212 deletions
diff --git a/.gitignore b/.gitignore
index 101ea9a..d3eb569 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,6 +3,7 @@
 .local
 /dist
 /goexec
+/goexec.*
 /patch
 /go.work
 /go.work.sum
@@ -14,3 +15,5 @@
 *.prof
 *.cprof
 *.mprof
+/tests
+*._go
diff --git a/README.md b/README.md
index 6bc4fc7..bd65392 100644
--- a/README.md
+++ b/README.md
@@ -196,10 +196,18 @@ WMI:
 
 The `dcom` module uses exposed Distributed Component Object Model (DCOM) objects to spawn processes.
 
+> [!WARNING]
+> The DCOM module is generally less reliable than other modules because the underlying methods are often reliant on the target Windows version and specific Windows settings.
+
 ```text
 Usage:
   goexec dcom [command] [flags]
 
+Available Commands:
+  mmc                Execute with the MMC20.Application DCOM object
+  shellwindows       Execute with the ShellWindows DCOM object
+  shellbrowserwindow Execute with the ShellBrowserWindow DCOM object
+
 ... [inherited flags] ...
 
 Network:
@@ -248,6 +256,84 @@ Execution:
   -o ./privs.bin # Save output to ./privs.bin
 ```
 
+#### `ShellWindows` Method (`dcom shellwindows`)
+
+The `shellwindows` method uses the [ShellWindows](https://learn.microsoft.com/en-us/windows/win32/shell/shellwindows) DCOM object to call `Item().Document.Application.ShellExecute` and spawn a remote process. This execution method isn't nearly as stable as the `dcom mmc` method for a few reasons:
+
+- This method may not work on the latest Windows versions
+- It may require that there is an active desktop session on the target machine.
+- Successful execution may be on behalf of the desktop user, not necessarily an administrator.
+
+```text
+Usage:
+  goexec dcom shellwindows [target] [flags]
+
+Execution:
+  -e, --exec string           Remote Windows executable to invoke
+  -a, --args string           Process command line arguments
+  -c, --command string        Windows process command line (executable & arguments)
+  -o, --out string            Fetch execution output to file or "-" for standard output
+  -m, --out-method string     Method to fetch execution output (default "smb")
+      --no-delete-out         Preserve output file on remote filesystem
+      --directory directory   Working directory (default "C:\\")
+      --app-window ID         Application window state ID (default "0")
+... [inherited flags] ...
+```
+
+The app window argument (`--app-window`) must be one of the values described [here (`vShow` parameter)](https://learn.microsoft.com/en-us/windows/win32/shell/shell-shellexecute).
+
+##### Examples
+
+```shell
+# Authenticate with local admin NT hash, execute `netstat.exe -anop tcp` w/ output
+./goexec dcom shellwindows "$target" \
+  -u "$auth_user" \
+  -H "$auth_nt" \
+  -e 'netstat.exe' \
+  -a '-anop tcp' \
+  -o- # write to standard output
+
+# Authenticate with local admin password, open maximized notepad window on desktop
+./goexec dcom shellwindows "$target" \
+  -u "$auth_user" \
+  -p "$auth_pass" \
+  -e 'notepad.exe' \
+  --directory 'C:\Windows' \
+  --app-window 3 # Maximized
+```
+
+#### `ShellBrowserWindow` Method (`dcom shellbrowserwindow`)
+
+The `shellbrowserwindow` method uses the exposed [ShellBrowserWindow](https://strontic.github.io/xcyclopedia/library/clsid_c08afd90-f2a1-11d1-8455-00a0c91f3880.html) DCOM object to call `Document.Application.ShellExecute` and spawn the provided process. The potential constraints of this method are similar to the [ShellWindows method](#shellwindows-method-dcom-shellwindows).
+
+```text
+Usage:
+  goexec dcom shellbrowserwindow [target] [flags]
+
+Execution:
+  -e, --exec string           Remote Windows executable to invoke
+  -a, --args string           Process command line arguments
+  -c, --command string        Windows process command line (executable & arguments)
+  -o, --out string            Fetch execution output to file or "-" for standard output
+  -m, --out-method string     Method to fetch execution output (default "smb")
+      --no-delete-out         Preserve output file on remote filesystem
+      --directory directory   Working directory (default "C:\\")
+      --app-window ID         Application window state ID (default "0")
+
+... [inherited flags] ...
+```
+
+##### Examples
+
+```shell
+# Authenticate with NT hash, open explorer.exe maximized
+./goexec dcom shellbrowserwindow "$target" \
+  -u "$auth_user@$domain" \
+  -H "$auth_nt" \
+  -e 'explorer.exe' \
+  --app-window 3
+```
+
 ### Task Scheduler Module (`tsch`)
 
 The `tsch` module makes use of the Windows Task Scheduler service ([MS-TSCH](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/)) to spawn processes on the remote target.
diff --git a/TODO.md b/TODO.md
index 9c708f3..d0e32d4 100644
--- a/TODO.md
+++ b/TODO.md
@@ -9,8 +9,12 @@ We wanted to make development of this project as transparent as possible, so we'
 - [X] Generate random name/path
 - [X] Output
 - [X] Add `tsch change`
-- [ ] Serialize XML with default indent level
-- [ ] Add --session to `tsch change`
+- [ ] Serialize XML with default indent level?
+
+### `tsch change`
+
+- [ ] Add `--session` (like `tsch demand`)
+- [ ] Add the option to avoid direct task start using TimeTrigger (similar to `tsch create`)
 
 ## SCMR
 
@@ -66,7 +70,8 @@ We wanted to make development of this project as transparent as possible, so we'
 
 ### DCOM
 
-- [ ] ShellWindows & ShellBrowserWindow
+- [X] ShellWindows 
+- [ ] ShellBrowserWindow
 
 ### WinRM
 
diff --git a/cmd/args.go b/cmd/args.go
index 40b9701..f33cc5b 100644
--- a/cmd/args.go
+++ b/cmd/args.go
@@ -1,32 +1,33 @@
 package cmd
 
 import (
-  "context"
-  "errors"
-  "fmt"
-  "github.com/spf13/cobra"
-  "github.com/spf13/pflag"
-  "os"
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+	"os"
 )
 
 func registerLoggingFlags(fs *pflag.FlagSet) {
-  fs.SortFlags = false
-  fs.BoolVarP(&logDebug, "debug", "D", false, "Enable debug logging")
-  fs.StringVarP(&logOutput, "log-file", "O", "", "Write JSON logging output to `file`")
-  fs.BoolVarP(&logJson, "json", "j", false, "Write logging output in JSON lines")
-  fs.BoolVarP(&logQuiet, "quiet", "q", false, "Disable info logging")
+	fs.SortFlags = false
+	fs.BoolVarP(&logDebug, "debug", "D", false, "Enable debug logging")
+	fs.StringVarP(&logOutput, "log-file", "O", "", "Write JSON logging output to `file`")
+	fs.BoolVarP(&logJson, "json", "j", false, "Write logging output in JSON lines")
+	fs.BoolVarP(&logQuiet, "quiet", "q", false, "Disable info logging")
 }
 
 func registerNetworkFlags(fs *pflag.FlagSet) {
-  fs.StringVarP(&proxy, "proxy", "x", "", "Proxy `URI`")
-  fs.StringVarP(&rpcClient.Filter, "epm-filter", "F", "", "String binding to filter endpoints returned by the RPC endpoint mapper (EPM)")
-  fs.StringVar(&rpcClient.Endpoint, "endpoint", "", "Explicit RPC endpoint definition")
-  fs.BoolVar(&rpcClient.NoEpm, "no-epm", false, "Do not use EPM to automatically detect RPC endpoints")
-  fs.BoolVar(&rpcClient.NoSign, "no-sign", false, "Disable signing on DCERPC messages")
-  fs.BoolVar(&rpcClient.NoSeal, "no-seal", false, "Disable packet stub encryption on DCERPC messages")
-
-  //cmd.MarkFlagsMutuallyExclusive("endpoint", "epm-filter")
-  //cmd.MarkFlagsMutuallyExclusive("no-epm", "epm-filter")
+	fs.StringVarP(&proxy, "proxy", "x", "", "Proxy `URI`")
+	fs.StringVarP(&rpcClient.Filter, "epm-filter", "F", "", "String binding to filter endpoints returned by the RPC endpoint mapper (EPM)")
+	fs.StringVar(&rpcClient.Endpoint, "endpoint", "", "Explicit RPC endpoint definition")
+	fs.BoolVar(&rpcClient.NoEpm, "no-epm", false, "Do not use EPM to automatically detect RPC endpoints")
+	fs.BoolVar(&rpcClient.NoSign, "no-sign", false, "Disable signing on DCERPC messages")
+	fs.BoolVar(&rpcClient.NoSeal, "no-seal", false, "Disable packet stub encryption on DCERPC messages")
+
+	//cmd.MarkFlagsMutuallyExclusive("endpoint", "epm-filter")
+	//cmd.MarkFlagsMutuallyExclusive("no-epm", "epm-filter")
 }
 
 // FUTURE: automatically stage & execute file
@@ -38,105 +39,120 @@ func registerStageFlags(fs *pflag.FlagSet) {
 */
 
 func registerExecutionFlags(fs *pflag.FlagSet) {
-  fs.StringVarP(&exec.Input.Executable, "exec", "e", "", "Remote Windows executable to invoke")
-  fs.StringVarP(&exec.Input.Arguments, "args", "a", "", "Process command line arguments")
-  fs.StringVarP(&exec.Input.Command, "command", "c", "", "Windows process command line (executable & arguments)")
+	fs.StringVarP(&exec.Input.Executable, "exec", "e", "", "Remote Windows executable to invoke")
+	fs.StringVarP(&exec.Input.Arguments, "args", "a", "", "Process command line arguments")
+	fs.StringVarP(&exec.Input.Command, "command", "c", "", "Windows process command line (executable & arguments)")
 
-  //cmd.MarkFlagsOneRequired("executable", "command")
-  //cmd.MarkFlagsMutuallyExclusive("executable", "command")
+	//cmd.MarkFlagsOneRequired("executable", "command")
+	//cmd.MarkFlagsMutuallyExclusive("executable", "command")
 }
 
 func registerExecutionOutputFlags(fs *pflag.FlagSet) {
-  fs.StringVarP(&outputPath, "out", "o", "", `Fetch execution output to file or "-" for standard output`)
-  fs.StringVarP(&outputMethod, "out-method", "m", "smb", "Method to fetch execution output")
-  //fs.StringVar(&exec.Output.RemotePath, "out-remote", "", "Location to temporarily store output on remote filesystem")
-  fs.BoolVar(&exec.Output.NoDelete, "no-delete-out", false, "Preserve output file on remote filesystem")
+	fs.StringVarP(&outputPath, "out", "o", "", `Fetch execution output to file or "-" for standard output`)
+	fs.StringVarP(&outputMethod, "out-method", "m", "smb", "Method to fetch execution output")
+	//fs.StringVar(&exec.Output.RemotePath, "out-remote", "", "Location to temporarily store output on remote filesystem")
+	fs.BoolVar(&exec.Output.NoDelete, "no-delete-out", false, "Preserve output file on remote filesystem")
 }
 
 func args(reqs ...func(*cobra.Command, []string) error) (fn func(*cobra.Command, []string) error) {
-  return func(cmd *cobra.Command, args []string) (err error) {
-
-    for _, req := range reqs {
-      if err = req(cmd, args); err != nil {
-        return
-      }
-    }
-    return
-  }
+	return func(cmd *cobra.Command, args []string) (err error) {
+
+		for _, req := range reqs {
+			if err = req(cmd, args); err != nil {
+				return
+			}
+		}
+		return
+	}
+}
+
+func argsAcceptValues(name string, in *string, valid ...string) func(*cobra.Command, []string) error {
+	return func(*cobra.Command, []string) error {
+		for _, v := range valid {
+			if *in == v {
+				return nil
+			}
+		}
+		if j, err := json.Marshal(valid); err == nil {
+			return fmt.Errorf("parse %s: %q doesn't match any accepted values: %s", name, *in, string(j))
+		} else {
+			return err
+		}
+	}
 }
 
 func argsTarget(proto string) func(cmd *cobra.Command, args []string) error {
 
-  return func(cmd *cobra.Command, args []string) (err error) {
+	return func(cmd *cobra.Command, args []string) (err error) {
 
-    if len(args) != 1 {
-      return errors.New("command require exactly one positional argument: [target]")
-    }
+		if len(args) != 1 {
+			return errors.New("command require exactly one positional argument: [target]")
+		}
 
-    if credential, target, err = adAuthOpts.WithTarget(context.TODO(), proto, args[0]); err != nil {
-      return fmt.Errorf("failed to parse target: %w", err)
-    }
+		if credential, target, err = adAuthOpts.WithTarget(context.TODO(), proto, args[0]); err != nil {
+			return fmt.Errorf("failed to parse target: %w", err)
+		}
 
-    if credential == nil {
-      return errors.New("no credentials supplied")
-    }
-    if target == nil {
-      return errors.New("no target supplied")
-    }
-    return
-  }
+		if credential == nil {
+			return errors.New("no credentials supplied")
+		}
+		if target == nil {
+			return errors.New("no target supplied")
+		}
+		return
+	}
 }
 
 func argsSmbClient() func(cmd *cobra.Command, args []string) error {
-  return args(
-    argsTarget("cifs"),
+	return args(
+		argsTarget("cifs"),
 
-    func(_ *cobra.Command, _ []string) error {
+		func(_ *cobra.Command, _ []string) error {
 
-      smbClient.Credential = credential
-      smbClient.Target = target
-      smbClient.Proxy = proxy
+			smbClient.Credential = credential
+			smbClient.Target = target
+			smbClient.Proxy = proxy
 
-      return smbClient.Parse(context.TODO())
-    },
-  )
+			return smbClient.Parse(context.TODO())
+		},
+	)
 }
 
 func argsRpcClient(proto string) func(cmd *cobra.Command, args []string) error {
-  return args(
-    argsTarget(proto),
+	return args(
+		argsTarget(proto),
 
-    func(cmd *cobra.Command, args []string) (err error) {
+		func(cmd *cobra.Command, args []string) (err error) {
 
-      rpcClient.Target = target
-      rpcClient.Credential = credential
-      rpcClient.Proxy = proxy
+			rpcClient.Target = target
+			rpcClient.Credential = credential
+			rpcClient.Proxy = proxy
 
-      return rpcClient.Parse(context.TODO())
-    },
-  )
+			return rpcClient.Parse(context.TODO())
+		},
+	)
 }
 
 func argsOutput(methods ...string) func(cmd *cobra.Command, args []string) error {
 
-  var as []func(*cobra.Command, []string) error
+	var as []func(*cobra.Command, []string) error
 
-  for _, method := range methods {
-    if method == "smb" {
-      as = append(as, argsSmbClient())
-    }
-  }
+	for _, method := range methods {
+		if method == "smb" {
+			as = append(as, argsSmbClient())
+		}
+	}
 
-  return args(append(as, func(*cobra.Command, []string) (err error) {
+	return args(append(as, func(*cobra.Command, []string) (err error) {
 
-    if outputPath != "" {
-      if outputPath == "-" {
-        exec.Output.Writer = os.Stdout
+		if outputPath != "" {
+			if outputPath == "-" {
+				exec.Output.Writer = os.Stdout
 
-      } else if exec.Output.Writer, err = os.OpenFile(outputPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644); err != nil {
-        log.Fatal().Err(err).Msg("Failed to open output file")
-      }
-    }
-    return
-  })...)
+			} else if exec.Output.Writer, err = os.OpenFile(outputPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644); err != nil {
+				log.Fatal().Err(err).Msg("Failed to open output file")
+			}
+		}
+		return
+	})...)
 }
diff --git a/cmd/dcom.go b/cmd/dcom.go
index 1a8d031..30c32bc 100644
--- a/cmd/dcom.go
+++ b/cmd/dcom.go
@@ -1,80 +1,184 @@
 package cmd
 
 import (
-  "context"
-  "github.com/FalconOpsLLC/goexec/pkg/goexec"
-  dcomexec "github.com/FalconOpsLLC/goexec/pkg/goexec/dcom"
-  "github.com/oiweiwei/go-msrpc/ssp/gssapi"
-  "github.com/spf13/cobra"
+	"context"
+	"github.com/FalconOpsLLC/goexec/pkg/goexec"
+	dcomexec "github.com/FalconOpsLLC/goexec/pkg/goexec/dcom"
+	"github.com/oiweiwei/go-msrpc/ssp/gssapi"
+	"github.com/spf13/cobra"
 )
 
 func dcomCmdInit() {
-  cmdFlags[dcomCmd] = []*flagSet{
-    defaultAuthFlags,
-    defaultLogFlags,
-    defaultNetRpcFlags,
-  }
-  dcomMmcCmdInit()
-
-  dcomCmd.PersistentFlags().AddFlagSet(defaultAuthFlags.Flags)
-  dcomCmd.PersistentFlags().AddFlagSet(defaultLogFlags.Flags)
-  dcomCmd.PersistentFlags().AddFlagSet(defaultNetRpcFlags.Flags)
-  dcomCmd.AddCommand(dcomMmcCmd)
+	cmdFlags[dcomCmd] = []*flagSet{
+		defaultAuthFlags,
+		defaultLogFlags,
+		defaultNetRpcFlags,
+	}
+	dcomMmcCmdInit()
+	dcomShellWindowsCmdInit()
+	dcomShellBrowserWindowCmdInit()
+
+	dcomCmd.PersistentFlags().AddFlagSet(defaultAuthFlags.Flags)
+	dcomCmd.PersistentFlags().AddFlagSet(defaultLogFlags.Flags)
+	dcomCmd.PersistentFlags().AddFlagSet(defaultNetRpcFlags.Flags)
+	dcomCmd.AddCommand(dcomMmcCmd, dcomShellWindowsCmd, dcomShellBrowserWindowCmd)
 }
 
 func dcomMmcCmdInit() {
-  dcomMmcExecFlags := newFlagSet("Execution")
+	dcomMmcExecFlags := newFlagSet("Execution")
+
+	registerExecutionFlags(dcomMmcExecFlags.Flags)
+	registerExecutionOutputFlags(dcomMmcExecFlags.Flags)
+
+	dcomMmcExecFlags.Flags.StringVar(&dcomMmc.WorkingDirectory, "directory", `C:\`, "Working `directory`")
+	dcomMmcExecFlags.Flags.StringVar(&dcomMmc.WindowState, "window", "Minimized", "Window state")
+
+	cmdFlags[dcomMmcCmd] = []*flagSet{
+		dcomMmcExecFlags,
+		defaultAuthFlags,
+		defaultLogFlags,
+		defaultNetRpcFlags,
+	}
+	dcomMmcCmd.Flags().AddFlagSet(dcomMmcExecFlags.Flags)
+
+	// Constraints
+	dcomMmcCmd.MarkFlagsOneRequired("command", "exec")
+}
+
+func dcomShellWindowsCmdInit() {
+	dcomShellWindowsExecFlags := newFlagSet("Execution")
+
+	registerExecutionFlags(dcomShellWindowsExecFlags.Flags)
+	registerExecutionOutputFlags(dcomShellWindowsExecFlags.Flags)
+
+	dcomShellWindowsExecFlags.Flags.StringVar(&dcomShellWindows.WorkingDirectory, "directory", `C:\`, "Working `directory`")
+	dcomShellWindowsExecFlags.Flags.StringVar(&dcomShellWindows.WindowState, "app-window", "0", "Application window state `ID`")
+
+	cmdFlags[dcomShellWindowsCmd] = []*flagSet{
+		dcomShellWindowsExecFlags,
+		defaultAuthFlags,
+		defaultLogFlags,
+		defaultNetRpcFlags,
+	}
+	dcomShellWindowsCmd.Flags().AddFlagSet(dcomShellWindowsExecFlags.Flags)
+
+	// Constraints
+	dcomShellWindowsCmd.MarkFlagsOneRequired("command", "exec")
+}
+
+func dcomShellBrowserWindowCmdInit() {
+	dcomShellBrowserWindowExecFlags := newFlagSet("Execution")
 
-  registerExecutionFlags(dcomMmcExecFlags.Flags)
-  registerExecutionOutputFlags(dcomMmcExecFlags.Flags)
+	registerExecutionFlags(dcomShellBrowserWindowExecFlags.Flags)
+	registerExecutionOutputFlags(dcomShellBrowserWindowExecFlags.Flags)
 
-  dcomMmcExecFlags.Flags.StringVar(&dcomMmc.WorkingDirectory, "directory", `C:\`, "Working `directory`")
-  dcomMmcExecFlags.Flags.StringVar(&dcomMmc.WindowState, "window", "Minimized", "Window state")
+	dcomShellBrowserWindowExecFlags.Flags.StringVar(&dcomShellBrowserWindow.WorkingDirectory, "directory", `C:\`, "Working `directory`")
+	dcomShellBrowserWindowExecFlags.Flags.StringVar(&dcomShellBrowserWindow.WindowState, "app-window", "0", "Application window state `ID`")
 
-  cmdFlags[dcomMmcCmd] = []*flagSet{
-    dcomMmcExecFlags,
-    defaultAuthFlags,
-    defaultLogFlags,
-    defaultNetRpcFlags,
-  }
+	cmdFlags[dcomShellBrowserWindowCmd] = []*flagSet{
+		dcomShellBrowserWindowExecFlags,
+		defaultAuthFlags,
+		defaultLogFlags,
+		defaultNetRpcFlags,
+	}
+	dcomShellBrowserWindowCmd.Flags().AddFlagSet(dcomShellBrowserWindowExecFlags.Flags)
 
-  dcomMmcCmd.Flags().AddFlagSet(dcomMmcExecFlags.Flags)
+	// Constraints
+	dcomShellBrowserWindowCmd.MarkFlagsOneRequired("command", "exec")
 }
 
 var (
-  dcomMmc dcomexec.DcomMmc
+	dcomMmc                dcomexec.DcomMmc
+	dcomShellWindows       dcomexec.DcomShellWindows
+	dcomShellBrowserWindow dcomexec.DcomShellBrowserWindow
 
-  dcomCmd = &cobra.Command{
-    Use:   "dcom",
-    Short: "Execute with Distributed Component Object Model (MS-DCOM)",
-    Long: `Description:
+	dcomCmd = &cobra.Command{
+		Use:   "dcom",
+		Short: "Execute with Distributed Component Object Model (MS-DCOM)",
+		Long: `Description:
   The dcom module uses exposed Distributed Component Object Model (DCOM) objects to spawn processes.`,
-    GroupID: "module",
-    Args:    cobra.NoArgs,
-  }
-
-  dcomMmcCmd = &cobra.Command{
-    Use:   "mmc [target]",
-    Short: "Execute with the DCOM MMC20.Application object",
-    Long: `Description:
+		GroupID: "module",
+		Args:    cobra.NoArgs,
+	}
+
+	dcomMmcCmd = &cobra.Command{
+		Use:   "mmc [target]",
+		Short: "Execute with the MMC20.Application DCOM object",
+		Long: `Description:
   The mmc method uses the exposed MMC20.Application object to call Document.ActiveView.ShellExec,
   and ultimately spawn a process on the remote host.`,
-    Args: args(
-      argsRpcClient("host"),
-      argsOutput("smb"),
-    ),
-    Run: func(cmd *cobra.Command, args []string) {
-      dcomMmc.Client = &rpcClient
-      dcomMmc.IO = exec
-
-      ctx := log.With().
-        Str("module", "dcom").
-        Str("method", "mmc").
-        Logger().WithContext(gssapi.NewSecurityContext(context.Background()))
-
-      if err := goexec.ExecuteCleanMethod(ctx, &dcomMmc, &exec); err != nil {
-        log.Fatal().Err(err).Msg("Operation failed")
-      }
-    },
-  }
+		Args: args(
+			argsRpcClient("host"),
+			argsOutput("smb"),
+			argsAcceptValues("window", &dcomMmc.WindowState, "Minimized", "Maximized", "Restored"),
+		),
+		Run: func(cmd *cobra.Command, args []string) {
+			dcomMmc.Client = &rpcClient
+			dcomMmc.IO = exec
+			dcomMmc.ClassID = dcomexec.Mmc20Uuid
+
+			ctx := log.With().
+				Str("module", dcomexec.ModuleName).
+				Str("method", dcomexec.MethodMmc).
+				Logger().WithContext(gssapi.NewSecurityContext(context.Background()))
+
+			if err := goexec.ExecuteCleanMethod(ctx, &dcomMmc, &exec); err != nil {
+				log.Fatal().Err(err).Msg("Operation failed")
+			}
+		},
+	}
+
+	dcomShellWindowsCmd = &cobra.Command{
+		Use:   "shellwindows [target]",
+		Short: "Execute with the ShellWindows DCOM object",
+		Long: `Description:
+  The shellwindows method uses the exposed ShellWindows DCOM object on older Windows installations
+  to call Item().Document.Application.ShellExecute, and spawn the provided process.`,
+		Args: args(
+			argsRpcClient("host"),
+			argsOutput("smb"),
+			argsAcceptValues("app-window", &dcomShellWindows.WindowState, "0", "1", "2", "3", "4", "5", "7", "10"),
+		),
+		Run: func(cmd *cobra.Command, args []string) {
+			dcomShellWindows.Client = &rpcClient
+			dcomShellWindows.IO = exec
+			dcomShellWindows.ClassID = dcomexec.ShellWindowsUuid
+
+			ctx := log.With().
+				Str("module", dcomexec.ModuleName).
+				Str("method", dcomexec.MethodShellWindows).
+				Logger().WithContext(gssapi.NewSecurityContext(context.Background()))
+
+			if err := goexec.ExecuteCleanMethod(ctx, &dcomShellWindows, &exec); err != nil {
+				log.Fatal().Err(err).Msg("Operation failed")
+			}
+		},
+	}
+
+	dcomShellBrowserWindowCmd = &cobra.Command{
+		Use:   "shellbrowserwindow [target]",
+		Short: "Execute with the ShellBrowserWindow DCOM object",
+		Long: `Description:
+  The shellbrowserwindow method uses the exposed ShellBrowserWindow DCOM object on older Windows installations
+  to call Document.Application.ShellExecute, and spawn the provided process.`,
+		Args: args(
+			argsRpcClient("host"),
+			argsOutput("smb"),
+			argsAcceptValues("app-window", &dcomShellBrowserWindow.WindowState, "0", "1", "2", "3", "4", "5", "7", "10"),
+		),
+		Run: func(cmd *cobra.Command, args []string) {
+			dcomShellBrowserWindow.Client = &rpcClient
+			dcomShellBrowserWindow.IO = exec
+			dcomShellBrowserWindow.ClassID = dcomexec.ShellBrowserWindowUuid
+
+			ctx := log.With().
+				Str("module", dcomexec.ModuleName).
+				Str("method", dcomexec.MethodShellBrowserWindow).
+				Logger().WithContext(gssapi.NewSecurityContext(context.Background()))
+
+			if err := goexec.ExecuteCleanMethod(ctx, &dcomShellBrowserWindow, &exec); err != nil {
+				log.Fatal().Err(err).Msg("Operation failed")
+			}
+		},
+	}
 )
diff --git a/go.mod b/go.mod
index 88b8d67..0110ddf 100644
--- a/go.mod
+++ b/go.mod
@@ -5,16 +5,16 @@ go 1.23.3
 toolchain go1.24.1
 
 require (
-	github.com/RedTeamPentesting/adauth v0.2.3-0.20250425090338-486ba8225ec2
+	github.com/RedTeamPentesting/adauth v0.3.0
 	github.com/google/uuid v1.6.0
 	github.com/oiweiwei/go-msrpc v1.2.5
 	github.com/oiweiwei/go-smb2.fork v1.0.0
 	github.com/rs/zerolog v1.34.0
 	github.com/spf13/cobra v1.9.1
 	github.com/spf13/pflag v1.0.6
-	golang.org/x/net v0.39.0
-	golang.org/x/term v0.31.0
-	golang.org/x/text v0.24.0
+	golang.org/x/net v0.40.0
+	golang.org/x/term v0.32.0
+	golang.org/x/text v0.25.0
 )
 
 require (
@@ -31,7 +31,7 @@ require (
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/oiweiwei/gokrb5.fork/v9 v9.0.2 // indirect
-	golang.org/x/crypto v0.37.0 // indirect
-	golang.org/x/sys v0.32.0 // indirect
+	golang.org/x/crypto v0.38.0 // indirect
+	golang.org/x/sys v0.33.0 // indirect
 	software.sslmate.com/src/go-pkcs12 v0.5.0 // indirect
 )
diff --git a/go.sum b/go.sum
index 5945a53..57da425 100644
--- a/go.sum
+++ b/go.sum
@@ -1,5 +1,5 @@
-github.com/RedTeamPentesting/adauth v0.2.3-0.20250425090338-486ba8225ec2 h1:oAhjI8IMd5mtD1bLNxTWTsE73fL7Bj47KR2nNq1xlt4=
-github.com/RedTeamPentesting/adauth v0.2.3-0.20250425090338-486ba8225ec2/go.mod h1:xoCQ4Z6ong9GKeQ24Br5K/CWOTargv9OGkMuXSY0EaQ=
+github.com/RedTeamPentesting/adauth v0.3.0 h1:SvzOdHvD+N9tzjrSfTgd+HzKQV4H4TFUqumlbh/H6E0=
+github.com/RedTeamPentesting/adauth v0.3.0/go.mod h1:xoCQ4Z6ong9GKeQ24Br5K/CWOTargv9OGkMuXSY0EaQ=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -72,8 +72,8 @@ github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5t
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
-golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE=
-golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc=
+golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8=
+golang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqjw=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -81,8 +81,8 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY=
-golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E=
+golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
+golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -94,19 +94,19 @@ golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20=
-golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.31.0 h1:erwDkOK1Msy6offm1mOgvspSkslFnIGsFnxOKoufg3o=
-golang.org/x/term v0.31.0/go.mod h1:R4BeIy7D95HzImkxGkTW1UQTtP54tio2RyHz7PwK0aw=
+golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg=
+golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0=
-golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU=
+golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=
+golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
diff --git a/pkg/goexec/dcom/dcom.go b/pkg/goexec/dcom/dcom.go
index a504e1a..362c3ba 100644
--- a/pkg/goexec/dcom/dcom.go
+++ b/pkg/goexec/dcom/dcom.go
@@ -12,8 +12,9 @@ const (
 )
 
 var (
-	//ShellWindowsUuid = uuid.MustParse("9BA05972-F6A8-11CF-A442-00A0C90A8F39")
-	//Mmc20Uuid        = uuid.MustParse("49B2791A-B1AE-4C90-9B8E-E860BA07F889")
+	ShellBrowserWindowUuid = uuid.MustParse("C08AFD90-F2A1-11D1-8455-00A0C91F3880")
+	ShellWindowsUuid       = uuid.MustParse("9BA05972-F6A8-11CF-A442-00A0C90A8F39")
+	Mmc20Uuid              = uuid.MustParse("49B2791A-B1AE-4C90-9B8E-E860BA07F889")
 
 	RandCid      = dcom.CID(*dtyp.GUIDFromUUID(uuid.MustParse(googleUUID.NewString())))
 	IDispatchIID = &dcom.IID{
diff --git a/pkg/goexec/dcom/mmc.go b/pkg/goexec/dcom/mmc.go
index 993d1bb..e06ce13 100644
--- a/pkg/goexec/dcom/mmc.go
+++ b/pkg/goexec/dcom/mmc.go
@@ -1,51 +1,52 @@
 package dcomexec
 
 import (
-  "context"
-  "fmt"
-  "github.com/FalconOpsLLC/goexec/pkg/goexec"
-  "github.com/rs/zerolog"
+	"context"
+	"fmt"
+	"github.com/FalconOpsLLC/goexec/pkg/goexec"
+	"github.com/rs/zerolog"
 )
 
 const (
-  MethodMmc = "MMC" // MMC20.Application::Document.ActiveView.ExecuteShellCommand
+	MethodMmc = "MMC" // MMC20.Application::Document.ActiveView.ExecuteShellCommand
 )
 
 type DcomMmc struct {
-  Dcom
+	Dcom
 
-  IO goexec.ExecutionIO
+	IO goexec.ExecutionIO
 
-  WorkingDirectory string
-  WindowState      string
+	WorkingDirectory string
+	WindowState      string
 }
 
 // Execute will perform command execution via the MMC20.Application DCOM object.
 func (m *DcomMmc) Execute(ctx context.Context, execIO *goexec.ExecutionIO) (err error) {
 
-  log := zerolog.Ctx(ctx).With().
-    Str("module", ModuleName).
-    Str("method", MethodMmc).
-    Logger()
-
-  method := "Document.ActiveView.ExecuteShellCommand"
-
-  cmdline := execIO.CommandLine()
-  proc := cmdline[0]
-  args := cmdline[1]
-
-  // Arguments must be passed in reverse order
-  if _, err := callComMethod(ctx,
-    m.dispatchClient,
-    method,
-    stringToVariant(m.WindowState),
-    stringToVariant(args),
-    stringToVariant(m.WorkingDirectory),
-    stringToVariant(proc)); err != nil {
-
-    log.Error().Err(err).Msg("Failed to call method")
-    return fmt.Errorf("call %q: %w", method, err)
-  }
-  log.Info().Msg("Method call successful")
-  return
+	log := zerolog.Ctx(ctx).With().
+		Str("module", ModuleName).
+		Str("method", MethodMmc).
+		Logger()
+
+	method := "Document.ActiveView.ExecuteShellCommand"
+
+	cmdline := execIO.CommandLine()
+	proc := cmdline[0]
+	args := cmdline[1]
+
+	// Arguments must be passed in reverse order
+	if _, err := callComMethod(ctx,
+		m.dispatchClient,
+		nil,
+		method,
+		stringToVariant(m.WindowState),
+		stringToVariant(args),
+		stringToVariant(m.WorkingDirectory),
+		stringToVariant(proc)); err != nil {
+
+		log.Error().Err(err).Msg("Failed to call method")
+		return fmt.Errorf("call %q: %w", method, err)
+	}
+	log.Info().Msg("Method call successful")
+	return
 }
diff --git a/pkg/goexec/dcom/module.go b/pkg/goexec/dcom/module.go
index b6fc4d4..d26f3b8 100644
--- a/pkg/goexec/dcom/module.go
+++ b/pkg/goexec/dcom/module.go
@@ -27,7 +27,7 @@ type Dcom struct {
 	goexec.Executor
 
 	Client  *dce.Client
-	ClassID string
+	ClassID *uuid.UUID
 
 	dispatchClient idispatch.DispatchClient
 }
@@ -49,9 +49,11 @@ func (m *Dcom) Init(ctx context.Context) (err error) {
 		return errors.New("DCE connection not initialized")
 	}
 
-	m.ClassID = "49B2791A-B1AE-4C90-9B8E-E860BA07F889"
-	//m.ClassID = "9BA05972-F6A8-11CF-A442-00A0C90A8F39"
-	class := dcom.ClassID(*dtyp.GUIDFromUUID(uuid.MustParse(m.ClassID)))
+	if m.ClassID == nil {
+		return errors.New("CLSID not specified")
+	}
+
+	class := dcom.ClassID(*dtyp.GUIDFromUUID(m.ClassID))
 
 	if class.GUID() == nil {
 		return fmt.Errorf("invalid class ID: %s", m.ClassID)
diff --git a/pkg/goexec/dcom/shellbrowserwindow.go b/pkg/goexec/dcom/shellbrowserwindow.go
new file mode 100644
index 0000000..4d1bcf7
--- /dev/null
+++ b/pkg/goexec/dcom/shellbrowserwindow.go
@@ -0,0 +1,52 @@
+package dcomexec
+
+import (
+	"context"
+	"fmt"
+	"github.com/FalconOpsLLC/goexec/pkg/goexec"
+	"github.com/rs/zerolog"
+)
+
+const (
+	MethodShellBrowserWindow = "ShellBrowserWindow" // ShellBrowserWindow::Document.Application.ShellExecute
+)
+
+type DcomShellBrowserWindow struct {
+	Dcom
+
+	IO goexec.ExecutionIO
+
+	WorkingDirectory string
+	WindowState      string
+}
+
+// Execute will perform command execution via the ShellBrowserWindow object. See https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
+func (m *DcomShellBrowserWindow) Execute(ctx context.Context, execIO *goexec.ExecutionIO) (err error) {
+
+	log := zerolog.Ctx(ctx).With().
+		Str("module", ModuleName).
+		Str("method", MethodShellBrowserWindow).
+		Logger()
+
+	method := "Document.Application.ShellExecute"
+
+	cmdline := execIO.CommandLine()
+	proc := cmdline[0]
+	args := cmdline[1]
+
+	// Arguments must be passed in reverse order
+	if _, err := callComMethod(ctx, m.dispatchClient,
+		nil,
+		method,
+		stringToVariant(m.WindowState),
+		stringToVariant(""), // FUTURE?
+		stringToVariant(m.WorkingDirectory),
+		stringToVariant(args),
+		stringToVariant(proc)); err != nil {
+
+		log.Error().Err(err).Msg("Failed to call method")
+		return fmt.Errorf("call %q: %w", method, err)
+	}
+	log.Info().Msg("Method call successful")
+	return
+}
diff --git a/pkg/goexec/dcom/shellwindows.go b/pkg/goexec/dcom/shellwindows.go
new file mode 100644
index 0000000..67537ec
--- /dev/null
+++ b/pkg/goexec/dcom/shellwindows.go
@@ -0,0 +1,73 @@
+package dcomexec
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"github.com/FalconOpsLLC/goexec/pkg/goexec"
+	"github.com/oiweiwei/go-msrpc/msrpc/dcom/oaut"
+	"github.com/rs/zerolog"
+)
+
+const (
+	MethodShellWindows = "ShellWindows" // ShellWindows::Item().Document.Application.ShellExecute
+)
+
+type DcomShellWindows struct {
+	Dcom
+
+	IO goexec.ExecutionIO
+
+	WorkingDirectory string
+	WindowState      string
+}
+
+// Execute will perform command execution via the ShellWindows object. See https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
+func (m *DcomShellWindows) Execute(ctx context.Context, execIO *goexec.ExecutionIO) (err error) {
+
+	log := zerolog.Ctx(ctx).With().
+		Str("module", ModuleName).
+		Str("method", MethodShellWindows).
+		Logger()
+
+	method := "Item"
+
+	cmdline := execIO.CommandLine()
+	proc := cmdline[0]
+	args := cmdline[1]
+
+	iv, err := callComMethod(ctx,
+		m.dispatchClient,
+		nil,
+		"Item")
+
+	if err != nil {
+		log.Error().Err(err).Msg("Failed to call method")
+		return fmt.Errorf("call method %q: %w", method, err)
+	}
+
+	item, ok := iv.VarResult.VarUnion.GetValue().(*oaut.Dispatch)
+	if !ok {
+		return errors.New("failed to get dispatch from ShellWindows::Item()")
+	}
+
+	method = "Document.Application.ShellExecute"
+
+	// Arguments must be passed in reverse order
+	if _, err := callComMethod(ctx, m.dispatchClient,
+		item.InterfacePointer().
+			GetStandardObjectReference().
+			Std.IPID,
+		method,
+		stringToVariant(m.WindowState),
+		stringToVariant(""), // FUTURE?
+		stringToVariant(m.WorkingDirectory),
+		stringToVariant(args),
+		stringToVariant(proc)); err != nil {
+
+		log.Error().Err(err).Msg("Failed to call method")
+		return fmt.Errorf("call %q: %w", method, err)
+	}
+	log.Info().Msg("Method call successful")
+	return
+}
diff --git a/pkg/goexec/dcom/util.go b/pkg/goexec/dcom/util.go
index 9d7850d..8389a73 100644
--- a/pkg/goexec/dcom/util.go
+++ b/pkg/goexec/dcom/util.go
@@ -13,13 +13,10 @@ import (
 	_ "github.com/oiweiwei/go-msrpc/msrpc/erref/win32"
 )
 
-func callComMethod(ctx context.Context, dc idispatch.DispatchClient, method string, args ...*oaut.Variant) (ir *idispatch.InvokeResponse, err error) {
+func callComMethod(ctx context.Context, dc idispatch.DispatchClient, id *dcom.IPID, method string, args ...*oaut.Variant) (ir *idispatch.InvokeResponse, err error) {
 
 	parts := strings.Split(method, ".")
 
-	var id *dcom.IPID
-	var gr *idispatch.GetIDsOfNamesResponse
-
 	for i, obj := range parts {
 
 		var opts []dcerpc.CallOption
@@ -28,7 +25,7 @@ func callComMethod(ctx context.Context, dc idispatch.DispatchClient, method stri
 			opts = append(opts, dcom.WithIPID(id))
 		}
 
-		gr, err = dc.GetIDsOfNames(ctx, &idispatch.GetIDsOfNamesRequest{
+		gr, err := dc.GetIDsOfNames(ctx, &idispatch.GetIDsOfNamesRequest{
 			This:     ORPCThis,
 			IID:      &dcom.IID{},
 			LocaleID: LcEnglishUs,
author	Bryan McNulty <bryan@falconops.com>	2025-05-06 17:14:13 -0500
committer	GitHub <noreply@github.com>	2025-05-06 17:14:13 -0500
commit	19af8d591a224cb104996a50935a8f4b1643a3a1 (patch)
tree	efadc3b5c58820e686b74f49dd01bd9993baf3af
parent	10eee0ed28ecf5f22967a935e3596000e75cd63e (diff)
download	goexec-main.tar.gz goexec-main.zip