This repository has been archived by the owner on Jan 29, 2020. It is now read-only.

Add RID Hijacking persistence module #1326

Open: wants to merge 2 commits into base: dev

Conversation


@r4wd3r r4wd3r commented Feb 18, 2019

Overview

The RID Hijacking hook, applicable to all Windows versions, allows setting desired privileges to an existing account in a stealthy manner by modifying some security attributes of a user.

By only using OS resources, it is possible to replace the RID of a user right before the access token is created. Taking advantage of some Windows Local Users Management integrity issues, this module allows authenticating with one known account's credentials (like the GUEST account) and accessing with the privileges of another existing account (like the ADMINISTRATOR account), even if the spoofed account is disabled.

Module Testing

The module Invoke-RIDHijacking is compatible with PowerShell >= 2.0. It requires an existing agent with administrative privileges.

This module has been tested against:

  • Windows XP, 2003 (32-bit)
  • Windows 8.1 Pro (64-bit)
  • Windows 10 (64-bit)
  • Windows Server 2012 (64-bit)

Execution

[screenshot: module execution]

References

https://github.com/r4wd3r/RID-Hijacking
https://csl.com.co/rid-hijacking/
https://r4wsecurity.blogspot.com/2017/12/rid-hijacking-maintaining-access-on.html
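A defender-side check for the condition this module creates, as an added example that is not part of this PR or the Empire project: each user's SAM record should carry the same RID as the registry key it lives under, so a mismatch is the artifact to hunt for. It assumes the script runs as SYSTEM (Administrators cannot read HKLM\SAM by default), PowerShell 5.1+ for the optional name lookup, and the F value layout described in the linked research (RID at byte offset 0x30, account-control flags at 0x38, bit 0x0001 = disabled).

```powershell
# Added detection example (not code from this PR or the Empire project).
# Assumptions: run as SYSTEM (e.g. a scheduled task or PsExec -s); F value layout
# per the linked RID Hijacking research: RID = little-endian DWORD at 0x30,
# account-control flags = WORD at 0x38 with bit 0x0001 meaning "disabled".

function Get-SamUserRecord {
    # Parse one HKLM\SAM\...\Users\<RID-hex> key into the fields a hijack alters.
    param($Key)
    $f = $Key.GetValue('F')
    if ($null -eq $f -or $f.Length -lt 0x3A) { return $null }
    [PSCustomObject]@{
        KeyName   = $Key.PSChildName
        KeyRid    = [Convert]::ToUInt32($Key.PSChildName, 16)   # RID the key was created for
        StoredRid = [BitConverter]::ToUInt32($f, 0x30)           # RID that ends up in the logon token
        Disabled  = ([BitConverter]::ToUInt16($f, 0x38) -band 0x0001) -ne 0
    }
}

function Find-RidHijack {
    param([string] $UsersPath = 'HKLM:\SAM\SAM\Domains\Account\Users')
    # Optional: resolve RIDs to local account names for readable output (PowerShell 5.1+).
    $names = @{}
    if (Get-Command Get-LocalUser -ErrorAction SilentlyContinue) {
        Get-LocalUser | ForEach-Object { $names[[uint32]($_.SID.Value -split '-')[-1]] = $_.Name }
    }
    Get-ChildItem -Path $UsersPath |
        Where-Object { $_.PSChildName -match '^[0-9A-F]{8}$' } |   # skip the 'Names' subkey
        ForEach-Object { Get-SamUserRecord -Key $_ } |
        Where-Object { $_ -and $_.StoredRid -ne $_.KeyRid } |      # a healthy record has them equal
        ForEach-Object {
            [PSCustomObject]@{
                Account      = $names[$_.KeyRid]
                KeyRid       = $_.KeyRid
                StoredRid    = $_.StoredRid
                Impersonates = $names[$_.StoredRid]
                Disabled     = $_.Disabled
            }
        }
}

$hits = @(Find-RidHijack)
if ($hits.Count -eq 0) { 'No RID mismatch found in SAM.' }
else { $hits | Format-Table -AutoSize }
```

A hit whose Account is a low-privilege or disabled user and whose Impersonates resolves to Administrator is the pattern this module leaves behind; restoring the record means rewriting the RID bytes from a known-good backup or recreating the account.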
