rid_hijacking.md 1.4 KB
Windows RID Hijacking Attack
Description
The RID Hijacking is a post-exploitation vector which allows stealthy persistence on all Windows versions. By using only OS resources, this attack will create an entry on the target by modifying some properties of an existing account. It will change the account attributes by setting a Relative Identifier (RID), which should be owned by one existing account on the destination machine.
Taking advantage of some Windows Local Users Management integrity issues, this hook will allow to authenticate with one known account credentials (like GUEST account), and access with the privileges of another existing account (like ADMINISTRATOR account), even if the spoofed account is disabled.
Metasploit Module
msf> use post/windows/manage/rid_hijack
For more information see csl.com.co.
Categories
- Windows Persistence
- Post Exploitation
- Ethical Hacking
Black Hat sessions
Code
https://github.com/r4wd3r/RID-Hijacking
Lead Developer(s)
Sebastián Castro (@r4wd3r)