Cross-Session Activation via DCOM: Code Execution in an Interactive User Session

The research demonstrates how the Cross-Session Activation (CSA) mechanism can be abused to execute code in the context of an interactive user on a local host. The technique relies on DCOM and on Windows COM objects configured with the RunAs=Interactive User parameter.
If an attacker with local administrative privileges is able to hijack the associated CLSID, CSA can be used to launch a process under the active user's context without directly interacting with their session. This makes the technique valuable for post-exploitation activities, token theft, and further privilege escalation.
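
For defenders, the classes this technique depends on can be inventoried from the registry. The script below is an added example, not code from the research: it lists COM classes whose AppID has RunAs set to "Interactive User" and checks the registered server binary. The variable names and the review heuristic are assumptions made for illustration.

```powershell
# Added audit example: read-only inventory, run from an elevated 64-bit PowerShell.
# Covers the machine-wide 64-bit registry view only (not WOW6432Node or per-user hives).
$classes = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes'

# Step 1: collect AppIDs whose RunAs value is "Interactive User".
$interactive = @{}
Get-ChildItem -Path "$classes\AppID" -ErrorAction SilentlyContinue | ForEach-Object {
    if ([string]$_.GetValue('RunAs') -eq 'Interactive User') {
        $interactive[$_.PSChildName.ToUpperInvariant()] = $true
    }
}

# Step 2: list CLSIDs bound to those AppIDs and inspect the registered server binary.
$report = Get-ChildItem -Path "$classes\CLSID" -ErrorAction SilentlyContinue | ForEach-Object {
    $key   = $_
    $appId = [string]$key.GetValue('AppID')
    if (-not $appId -or -not $interactive.ContainsKey($appId.ToUpperInvariant())) { return }

    foreach ($kind in 'LocalServer32', 'InprocServer32') {
        $sub = $key.OpenSubKey($kind)
        if (-not $sub) { continue }
        $raw = [Environment]::ExpandEnvironmentVariables([string]$sub.GetValue(''))
        $sub.Close()
        if (-not $raw) { continue }

        # Strip quotes and command-line arguments to get the file path.
        $path = if ($raw -match '^\s*"([^"]+)"') { $Matches[1] }
                elseif ($raw -match '^\s*(.+?\.(?:exe|dll))(?:\s|$)') { $Matches[1] }
                else { $raw.Trim() }

        $sig = if (Test-Path -LiteralPath $path -PathType Leaf) {
                   [string](Get-AuthenticodeSignature -LiteralPath $path).Status
               } else { 'FileNotFound' }

        [pscustomobject]@{
            CLSID     = $key.PSChildName
            AppID     = $appId
            Server    = $kind
            Path      = $path
            Signature = $sig
            # Heuristic (assumption): flag binaries that are not validly signed
            # or that live outside the Windows and Program Files directories.
            Review    = ($sig -ne 'Valid') -or ($path -notmatch '^[A-Z]:\\(Windows|Program Files( \(x86\))?)\\')
        }
    }
}

$report | Sort-Object -Property Review -Descending | Format-Table -AutoSize
```

Comparing this output against a known-good baseline from a clean build of the same Windows version separates expected registrations from changed ones.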
Products: COM, DCOM, Windows
Published: 2026-05-07, 07:46