Stealth Persistence aka RID Hijacking

by Vince
in Blog
Hits: 542

Somehow you make your way onto a system and perhaps you want to maintain that access.  There are a number of reasons and methods for maintaining persistence and one such method is RID Hijacking.  The short of it is this -- each account is assigned a relative identifier (RID).  The Administrator account is assigned 500 and user accounts begin at 1000.  If we modify a user account and assign it the same RID as the Administrator account, for all intents and purposes, we are an administrator.

We query users and we add our stealthy account.  I like the idea of the ASPNET account because it looks like something we shouldn't mess with.



Now that we have an account created, we want to get the RID:



We need to convert our RID to hexidecimal:



Using PSExec, we launch a command prompt as SYSTEM:



We check our ID and we launch Regedit which will give us access to areas of the registry we wouldn't have access to in any other account.



Accessing the Administrator account:



We have a value of F4 01:



We modify the value for our ASPNET4.0 account:



Changing its value to that of the Administrator account:



A zoom out of the registry value we're modifying:



We login with our new account:



We check the administrators group which should not have our account listed and it does not:



Using our account to perform an administrative function: