author | Bryan McNulty <bryanmcnulty@protonmail.com> | 2025-03-10 16:04:08 -0500 |
---|---|---|
committer | Bryan McNulty <bryanmcnulty@protonmail.com> | 2025-03-10 16:04:08 -0500 |
commit | 11741c4cde3d552211fbb04eddd719b3dc3bd472 (patch) | |
tree | 52f28ca2feacde039b7215fa3fd27b5a7ec02ed5 /cmd/dcom.go | |
parent | ab141f2076b141bf885f56cb5730252cc2880041 (diff) | |
Added basic dcom execution module
Diffstat (limited to 'cmd/dcom.go')
-rw-r--r-- | cmd/dcom.go | 75 |
1 files changed, 75 insertions, 0 deletions
diff --git a/cmd/dcom.go b/cmd/dcom.go
new file mode 100644
index 0000000..d105b0c
--- /dev/null
+++ b/cmd/dcom.go
@@ -0,0 +1,75 @@
+package cmd
+
+import (
+ "github.com/FalconOpsLLC/goexec/internal/exec"
+ dcomexec "github.com/FalconOpsLLC/goexec/internal/exec/dcom"
+ "github.com/spf13/cobra"
+)
+
+func dcomCmdInit() {
+ registerRpcFlags(dcomCmd)
+ dcomMmcCmdInit()
+ dcomCmd.AddCommand(dcomMmcCmd)
+}
+
+func dcomMmcCmdInit() {
+ dcomMmcCmd.Flags().StringVarP(&executable, "executable", "e", "", "Remote Windows executable to invoke")
+ dcomMmcCmd.Flags().StringVarP(&workingDirectory, "directory", "d", `C:\`, "Working directory")
+ dcomMmcCmd.Flags().StringVarP(&executableArgs, "args", "a", "", "Process command line")
+ dcomMmcCmd.Flags().StringVar(&windowState, "window", "Minimized", "Window state")
+ dcomMmcCmd.Flags().StringVarP(&command, "command", "c", ``, "Windows executable & arguments to run")
+
+ dcomMmcCmd.MarkFlagsOneRequired("executable", "command")
+ dcomMmcCmd.MarkFlagsMutuallyExclusive("executable", "command")
+}
+
+var (
+ dcomCmd = &cobra.Command{
+ Use: "dcom",
+ Short: "Establish execution via DCOM",
+ Args: cobra.NoArgs,
+ }
+ dcomMmcCmd = &cobra.Command{
+ Use: "mmc [target]",
+ Short: "Establish execution via the DCOM MMC20.Application object",
+ Long: `Description:
+ The mmc method uses the exposed MMC20.Application object to call Document.ActiveView.ShellExec,
+ and ultimately execute system commands.
+
+References:
+ https://www.scorpiones.io/articles/lateral-movement-using-dcom-objects
+ https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
+ https://github.com/fortra/impacket/blob/master/examples/dcomexec.py
+ https://learn.microsoft.com/en-us/previous-versions/windows/desktop/mmc/view-executeshellcommand
+`,
+ Args: needsRpcTarget("host"),
+ Run: func(cmd *cobra.Command, args []string) {
+
+ ctx = log.With().
+ Str("module", "dcom").
+ Str("method", "mmc").
+ Logger().WithContext(ctx)
+
+ module := dcomexec.Module{}
+ connCfg := &exec.ConnectionConfig{
+ ConnectionMethod: exec.ConnectionMethodDCE,
+ ConnectionMethodConfig: dceConfig,
+ }
+ execCfg := &exec.ExecutionConfig{
+ ExecutableName: executable,
+ ExecutableArgs: executableArgs,
+ ExecutionMethod: dcomexec.MethodMmc,
+
+ ExecutionMethodConfig: dcomexec.MethodMmcConfig{
+ WorkingDirectory: workingDirectory,
+ WindowState: windowState,
+ },
+ }
+ if err := module.Connect(ctx, creds, target, connCfg); err != nil {
+ log.Fatal().Err(err).Msg("Connection failed")
+ } else if err = module.Exec(ctx, execCfg); err != nil {
+ log.Fatal().Err(err).Msg("Execution failed")
+ }
+ },
+ }
+) |
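Review bot: The `--command`/`-c` flag registered in dcomMmcCmdInit is never read by the mmc Run function — execCfg is built only from `executable` and `executableArgs`, so a caller who satisfies MarkFlagsOneRequired with `--command` alone hands the module an empty ExecutableName (unless a PersistentPreRun elsewhere in package cmd splits `command` into those two variables, which this file does not show). Either wire it through before execCfg is built, e.g. `if command != "" { executable, executableArgs, _ = strings.Cut(command, " ") }` (needs a `strings` import, and a quote-aware split if the project already has one), or drop the flag from this subcommand until it is honored. A doc comment on dcomMmcCmdInit would also help, since `executable`, `command`, `windowState` and friends are package-level variables shared with the other modules' flag sets; something like `// Binds the mmc flags to the package-level execution vars shared with the other exec modules.` makes that coupling explicit. Separately, `windowState` is passed straight into MethodMmcConfig with no validation here, so a value like `--window minimised` is caught, if at all, only inside the module.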