Stealth Persistence aka RID Hijacking

by Vince
in Blog
Hits: 239

Somehow you make your way onto a system and perhaps you want to maintain that access.  There are a number of reasons and methods for maintaining persistence and one such method is RID Hijacking.  The short of it is this -- each account is assigned a relative identifier (RID).  The Administrator account is assigned 500 and user accounts begin at 1000.  If we modify a user account and assign it the same RID as the Administrator account, for all intents and purposes, we are an administrator.

We query users and we add our stealthy account.  I like the idea of the ASPNET account because it looks like something we shouldn't mess with.

Now that we have an account created, we want to get the RID:

We need to convert our RID to hexidecimal:

Using PSExec, we launch a command prompt as SYSTEM:

We check our ID and we launch Regedit which will give us access to areas of the registry we wouldn't have access to in any other account.

Accessing the Administrator account:

We have a value of F4 01:

We modify the value for our ASPNET4.0 account:

Changing its value to that of the Administrator account:

A zoom out of the registry value we're modifying:

We login with our new account:

We check the administrators group which should not have our account listed and it does not:

Using our account to perform an administrative function: