The RID Hijacking hook, applicable to all Windows versions, allows setting desired privileges to an existent account in a stealthy manner by modifying some security attributes of an user.
By only using OS resources, it is possible to replace the RID of an user right before the primary access token is created, allowing to spoof the privileges of the hijacked RID owner.
Modules
- RID Hijacking with Metasploit
- RID Hijacking with Powershell
- RID Hijacking with Empire
- RID Hijacking with Crackmapexec
- RID Hijacking with ibombshell
Slides
References
r4wsecurity: RID Hijacking - Maintaining access on Windows Machines