Windows RID Hijacking How Hackers Gain Hidden Admin Access, here is what to know.

  • Home » Windows RID Hijacking How Hackers Gain Hidden Admin Access, here is what to know.
Windows
Featured News Latest News Latest Vulnerabilities Recommended News Security , , , , ,

Windows RID Hijacking How Hackers Gain Hidden Admin Access, here is what to know.

Hackers have found a new way to gain unauthorized access to Windows systems. They use a technique called RID hijacking to create hidden admin accounts. This method tricks Windows into treating a low-privileged account as one with administrator permissions.

R-5-1024x376 Windows RID Hijacking How Hackers Gain Hidden Admin Access, here is what to know.

What is RID Hijacking?

RID stands for Relative Identifier, which is part of the Security Identifier (SID). Every user account on a Windows system has a unique SID. The RID is a value within the SID that indicates the account’s level of access. For example, the RID for administrators is typically “500,” while guest accounts have a RID of “501”.

How Does RID Hijacking Work?

Hackers modify the RID of a low-privileged account to match the RID of an administrator account. This way, Windows grants the low-privileged account elevated access. To perform this attack, hackers need to first gain SYSTEM access to the target system. They often use tools like PsExec and JuicyPotato to achieve this.

Once they have SYSTEM access, hackers create a hidden, low-privilege local user account. They add a ‘$’ character at the end of the account name to make it invisible through the “net user” command. The account can only be identified in the Security Account Manager (SAM) registry.

The Attack Process

  1. Initial Access: Hackers gain SYSTEM access using tools like PsExec and JuicyPotato.
  2. Create Hidden Account: They create a hidden, low-privilege local user account.
  3. Modify RID: Hackers modify the RID of the hidden account to match that of an administrator account.
  4. Elevate Privileges: The hidden account now has administrative privileges.
  5. Cover Tracks: Hackers export the modified registry settings, delete the rogue account, and re-register it from a saved backup.

Why is This Dangerous?

RID hijacking is stealthy and hard to detect. It allows hackers to gain administrative privileges without raising suspicion. They can then perform malicious activities, such as installing malware, stealing data, or creating backdoors for future access.

Mitigation Strategies

To protect against RID hijacking, system administrators should:

  • Use Local Security Authority (LSA) Subsystem Service to monitor logon attempts and password changes.
  • Restrict the execution of tools like PsExec and JuicyPotato.
  • Disable the Guest account and protect all existing accounts with multi-factor authentication.
  • Regularly monitor system logs for suspicious activity.

Conclusion

RID hijacking is a sophisticated technique used by hackers to gain unauthorized access to Windows systems. By understanding how this attack works and implementing proper security measures, organizations can better protect their systems from such threats.

You think you have a story worth everyone’s time? SUBMIT A STORY and we will publish it

Share this content:

Tag

Related Posts

Post Comment