Red Teaming Experiments
Red Teaming Experiments
linkedin
github
@spotheplanet
patreon
What is this?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
DLL Proxying for Persistence
T1053: Schtask
T1035: Service Execution
T1015: Sticky Keys
T1136: Create Account
T1013: AddMonitor()
T1128: NetSh Helper DLL
T1084: Abusing Windows Managent Instrumentation
Windows Logon Helper
Hijacking Default File Extension
Persisting in svchost.exe with a Service DLL
Modifying .lnk Shortcuts
T1180: Screensaver Hijack
T1138: Application Shimming
T1197: BITS Jobs
T1122: COM Hijacking
T1198: SIP & Trust Provider Hijacking
T1209: Hijacking Time Providers
T1130: Installing Root Certificate
Powershell Profile Persistence
RID Hijacking
Word Library Add-Ins
Office Templates
Exfiltration
reversing, forensics & misc
Windows Kernel / Internals
Exploring Process Environment Block
ETW: Event Tracing for Windows 101
Parsing PE File Headers with C++
Exploring Injected Threads
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered by GitBook

RID Hijacking

RID (Relative ID, part of the SID (Security Identifier)) hijacking is a persistence technique, where an attacker with SYSTEM level privileges assigns an RID 500 (default Windows administrator account) to some low privileged user, effectively making the low privileged account assume administrator privileges on the next logon.

This techniques was originally researched by Sebastian Castro - https://r4wsecurity.blogspot.com/2017/12/rid-hijacking-maintaining-access-on.html​

Execution

This lab assumes that we've compromised the WS01 machine and have NT SYSTEM access to it.

Below shows that the user hijacked is a low privileged user and has an RID of 1006 or 0x3ee:

If we try to write something to c:\windows\ with the user hijacked, as expected, we get Access is Denied:

HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000003EE stores some information about the userhijacked that is used by LSASS during the user logon/authentication process. Specifically, at offset 0030 in the value F there are bytes that denote user's RID, which in our case are 03ee (1006) for the user hijacked:

We can change those 2 bytes to 0x1f4 (500 - default administrator RID), which will effectively make the user hijacked assume administrator privileges:

Demo

After changing the hijacked RID from 3ee to 1f4 and creating a new logon session, we can see that the user hijacked is now allowed to write to c:\windows\, suggesting it now has administrative privileges:

Note, that the user hijacked still does not belong to local administrators group, but its RID is now 500:

Detection

Monitor HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\*\F for modifications, especially if they originate from unusual binaries.

References

Previous
Powershell Profile Persistence
Next
Word Library Add-Ins
Last updated 8 months ago
Contents
Execution
Demo
Detection
References