RID Hijacking: Maintaining Access on Windows Machines
November 20, 2024 ยท View on GitHub
The RID Hijacking hook, applicable to all Windows versions, allows setting desired privileges to an existent account in a stealthy manner by modifying some security attributes of an user.
By only using OS resources, it is possible to replace the RID of an user right before the primary access token is created, allowing to spoof the privileges of the hijacked RID owner.
Modules
- RID Hijacking with Metasploit
- RID Hijacking with Powershell
- RID Hijacking with Empire
- RID Hijacking with Crackmapexec
- RID Hijacking with ibombshell
Paper
@inproceedings{10.1145/3689934.3690839,
author = {Castro, Sebasti\'{a}n R. and C\'{a}rdenas, Alvaro A.},
title = {Ghost in the SAM: Stealthy, Robust, and Privileged Persistence through Invisible Accounts},
year = {2024},
isbn = {9798400712302},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/3689934.3690839},
doi = {10.1145/3689934.3690839},
pages = {59โ72},
numpages = {14}}
Slides
References
r4wsecurity: RID Hijacking - Maintaining access on Windows Machines