- What: Cross-Session activation (CSA) is a new lateral movement technique via COM.
- Impact: Adversaries can execute code under user context with elevated privileges.
Traditional lateral movement techniques are no longer applicable in the modern era, due to developments in the detection capabilities of most EDR vendors. Techniques that abuse legitimate Windows functionality, such as COM, have always been of interest to adversaries. Cross-Session Activation (CSA) is considered the latest evolution of lateral movement via the Distributed Component Object Model (DCOM). Threat actors with elevated privileges on an asset can leverage Cross-Session Activation to execute code under the context of a user that has an interactive session on the target host. The technique poses challenges for cyber defence teams, due to the large attack surface of COM objects. It is critical for organizations to understand the methodology of Cross-Session Activation and engineer their own detection strategy to reduce their exposure. Fabian Mosch discussed the technique at the Troopers conference in 2025 and released two proof-of-concepts, related to the BitLocker and Speech components, that could be used to facilitate lateral movement activities.

## Playbook

COM objects are typically registered in the Windows registry. Windows DCOM uses Application IDs (AppIDs) to configure how COM server processes are launched. AppIDs whose RunAs registry value is set to Interactive User are prone to Cross-Session Activation attacks if the CLSID can be hijacked. The AppIDs reside under:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID

Cross-Session Activation is a Windows COM/DCOM behaviour where a process in one logon session can activate a COM object inside a different user's session, executing code in that session.
The technique has the following flow:

1. The CLSID is configured to run as the Interactive User.
2. The CoCreateInstance API creates a COM object for the target class.
3. QueryInterface (ISpecialSystemProperties) is called on the retrieved interface pointer.
4. The SetSessionId API is called to specify the target user's interactive session.
5. The StandardGetInstanceFromIStorage function creates a new object instance from a storage object, triggering the attack.

The Cross-Session Activation high-level methodology is visualized below:

[Figure: Cross-Session Activation high-level methodology]

The Cross-Session Activation technique has the following prerequisites:

| Requirement | Detail |
| --- | --- |
| Administrative privileges | Registry modifications, share access, remote COM activation |
| Remote Registry service | Remote initiation of the service on the target |
| Active interactive session | A user must be logged in on the target system |
| COM class RunAs=Interactive User | The COM object must be configured to run as Interactive User |
| Launch/Activation permissions | Launch and Activation rights on the COM class |

## COM Objects Enumeration

The initial step is to enumerate COM objects that meet the Cross-Session Activation criteria. Michael Zhmaylo released a suite of tools called COMThanasia that includes PermissionHunter, a tool that enables purple team operators to enumerate all COM objects on a target system and identify their launch and activation permissions. The tool generates its output in .xlsx format.

PermissionHunter.exe -outfile result -outformat xlsx

[Figure: PermissionHunter – LaunchPermission and ActivatePermission]

Results can be filtered to identify CLSIDs that meet the criteria.
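Applying the post's three filtering criteria (RunAs = Interactive User, LaunchAccess includes Remote Activation, LaunchPrincipal is Everyone, Administrators or empty) to the enumeration output can be scripted so that an exposure inventory is repeatable across hosts. The following Python is an added example, not part of the post or of COMThanasia; it assumes a PermissionHunter export converted to CSV with the column names shown, and runs on constructed rows.

```python
import csv
import io

# Constructed sample rows in the shape of a PermissionHunter export saved as CSV
# (column names are an assumption; the real tool writes .xlsx). Only the first
# row reuses identifiers listed in the post; the others use placeholder GUIDs.
SAMPLE_CSV = """Name,AppID,CLSID,RunAs,LaunchAccess,LaunchPrincipal
Speech Runtime,{1725704B-A716-4E04-8EF6-87ED4F0A180A},{38FE8DFE-B129-452B-A215-119382B89E3D},Interactive User,Local Activation;Remote Activation,Administrators;SYSTEM
Placeholder A,{00000000-0000-0000-0000-00000000000A},{00000000-0000-0000-0000-00000000001A},,Local Activation;Remote Activation,Everyone
Placeholder B,{00000000-0000-0000-0000-00000000000B},{00000000-0000-0000-0000-00000000001B},Interactive User,Local Activation,Everyone
Placeholder C,{00000000-0000-0000-0000-00000000000C},{00000000-0000-0000-0000-00000000001C},Interactive User,Local Activation;Remote Activation,NT SERVICE\\Foo
Placeholder D,{00000000-0000-0000-0000-00000000000D},{00000000-0000-0000-0000-00000000001D},Interactive User,Remote Activation,
"""

# Principals the post treats as permissive; "Administrator" is kept alongside
# "Administrators" because the post spells it both ways.
PERMISSIVE = {"everyone", "administrator", "administrators"}


def _split_list(field):
    """Split a 'a;b;c' field into lowercase items; an empty field yields []."""
    return [p.strip().lower() for p in field.split(";") if p.strip()]


def is_csa_candidate(row):
    """True when a row meets all three criteria from the post: RunAs is
    Interactive User, Remote Activation is granted, and the launch principal is
    Everyone/Administrators or the field is empty (no restriction recorded)."""
    run_as = row.get("RunAs", "").strip().lower()
    access = _split_list(row.get("LaunchAccess", ""))
    principals = _split_list(row.get("LaunchPrincipal", ""))
    return (run_as == "interactive user"
            and "remote activation" in access
            and (not principals or any(p in PERMISSIVE for p in principals)))


def find_csa_candidates(csv_text):
    """Return the rows that meet all criteria, preserving input order."""
    return [r for r in csv.DictReader(io.StringIO(csv_text)) if is_csa_candidate(r)]


if __name__ == "__main__":
    for r in find_csa_candidates(SAMPLE_CSV):
        print(f"{r['Name']:<16} AppID={r['AppID']} "
              f"Principals={r['LaunchPrincipal'] or '<empty>'}")
```

Rows that run as Interactive User but only allow local activation, or whose launch principal is a specific service account, are dropped, which is the distinction that separates CSA-exposed AppIDs from the much larger set of Interactive User AppIDs.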
The filtering should include the following:

- RunAs = Interactive User
- LaunchAccess = Remote Activation
- LaunchPrincipal = Everyone, Administrator or empty

[Figure: Results filtering]

The following table displays CLSIDs that meet the Cross-Session Activation criteria:

| Application Name | AppID | Sample CLSID | Principals |
| --- | --- | --- | --- |
| Speech Runtime | {1725704B-A716-4E04-8EF6-87ED4F0A180A} | {38FE8DFE-B129-452B-A215-119382B89E3D} | Administrators, SYSTEM |
| sppui | {0868DC9B-D9A2-4f64-9362-133CEA201299} | {F87B28F1-DA9A-4F35-8EC0-800EFCF26B83} | Administrators, SYSTEM, NETWORK SERVICE |
| Auth UI CredUI | {924DC564-16A6-42EB-929A-9A61FA7DA06F} | {924DC564-16A6-42EB-929A-9A61FA7DA06F} | Administrators, SYSTEM, SERVICE |
| Auth UI CredUI (PPL) | {92EE891F-9738-41D7-BE72-504569F7E565} | {92EE891F-9738-41D7-BE72-504569F7E565} | Administrators, SYSTEM, LOCAL SERVICE |
| MpUx Agent Host | {1111A26D-EF95-4A45-9F55-21E52ADF9887} | – | Administrators, SYSTEM, LOCAL SERVICE |
| Security Health Agent Host | {1D278EEF-5C38-4F2A-8C7D-D5C13B662567} | – | Administrators, SYSTEM, LOCAL SERVICE |
| Windows Push Notification | {362cc086-4d81-4824-bbb5-666d34b3197d} | – | Administrators, SYSTEM, LOCAL SERVICE |
| ShellServiceHost | {4839DDB7-58C2-48F5-8283-E1D1807D0D7D} | – | Administrators, SYSTEM |
| DockInterface COM server | {b21858c6-9711-4257-99c8-5c0084bebce1} | – | Administrators, SYSTEM |
| ActivatableApplication Registrar | {f59bbec1-0907-4464-b04d-1da329585370} | {dea794e0-1c1d-4363-b171-98d0b1703586} | Administrators, SYSTEM |
| AppServiceContainerBroker | {37399c92-dc3f-4b55-ae5b-811ee82398ad} | {37399c92-dc3f-4b55-ae5b-811ee82398ad} | Administrators |

An alternative approach is to utilize in-memory tooling to scan the host for CLSIDs that run as Interactive User:

dotnet inline-execute /home/kali/Downloads/CLSIDBruteforceScanner.exe

[Figure: CLSIDBruteForceScanner – CLSIDs RunAs Interactive User]

## Session Enumeration

Enumeration of local or remote sess...