Cobalt Strike Beacon Object File for bypassing UAC via the CMSTPLUA COM interface.
Built by Tijme. Credits to Alex for teaching me! Made possible by Northwave Security 
This is a Cobalt Strike (CS) Beacon Object File (BOF) which exploits the CMSTPLUA COM interface. It masquerade the PEB of the current process to a Windows process, and then utilises COM Elevation Moniker on the CMSTPLUA COM object in order to execute commands in an elevated context.
Clone this repository first. Then review the code, compile from source and use it in Cobalt Strike.
Compiling
make
Usage
Load the UACBypassCMSTPLUA.cna script using the Cobalt Strike Script Manager. Then use the command below to execute the exploit.
$ uac_bypass_cmstplua
- The BOF spawns a new process (in which UAC is bypassed).
- The BOF does not read the output of the spawned process.
- The UAC bypass is not allowed on the beacon itself.
Issues or new features can be reported via the issue tracker. Please make sure your issue or feature has not yet been reported by anyone else before submitting a new one.
Copyright (c) 2022 Tijme Gommers & Northwave Security. All rights reserved. View LICENSE.md for the full license.