Revisiting Cross Session Activation attacks

COM Cross-Session Activation attacks have a years-long history, starting with local Privilege Escalation vulnerabilities. After these vulnerabilities were patched, NTLM and Kerberos relaying attacks were published, which, under some preconditions, can still be abused for Privilege Escalation and Lateral Movement to this day.

Starting in 2024, the attack surface of remote Cross-Session Activation received more attention with the publication of techniques and tools such as certifiedDCOM, ADCSPotato and Silverpotato. They all allow(ed) Privilege Escalation in Active Directory environments.

This talk will first highlight which of the previously published techniques, including their prerequisites, are still exploitable today. The next section explains our approach to finding new attack vectors. Finally, new research on abusing remote Cross-Session Activation for Lateral Movement and Credential theft is presented.

About the Speaker