Awesome

RID Hijacking: Maintaining Access on Windows Machines

The RID Hijacking hook, applicable to all Windows versions, allows setting desired privileges to an existent account in a stealthy manner by modifying some security attributes of an user.

By only using OS resources, it is possible to replace the RID of an user right before the primary access token is created, allowing to spoof the privileges of the hijacked RID owner.

Modules

• RID Hijacking with Metasploit
• RID Hijacking with Powershell
• RID Hijacking with Empire
• RID Hijacking with Crackmapexec
• RID Hijacking with ibombshell

Paper

ACM CCS Checkmate 24. Ghost in the SAM: Stealthy, Robust, and Privileged Persistence through Invisible Accounts

@inproceedings{10.1145/3689934.3690839,
author = {Castro, Sebasti\'{a}n R. and C\'{a}rdenas, Alvaro A.},
title = {Ghost in the SAM: Stealthy, Robust, and Privileged Persistence through Invisible Accounts},
year = {2024},
isbn = {9798400712302},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/3689934.3690839},
doi = {10.1145/3689934.3690839},
pages = {59–72},
numpages = {14}}

Slides

Derbycon 8.0

References

r4wsecurity: RID Hijacking - Maintaining access on Windows Machines