Securing Windows workstations and servers should be a priority for any organization; preventing a machine from getting compromised and being used to move laterally within an environment is a major concern. What happens when a machine is already compromised? A persistence method called ‘RID Hijacking’ is a way for an attacker to persist within your environment by granting the Guest account, or another local account, local administrator privileges by ‘hijacking’ the RID (relative identifier) of the Administrator account. Creating persistence in your environment allows an attacker to create a foothold, continually regaining access unbeknownst to you.
Setting the Stage
To make use of this persistence technique, a machine must already be compromised. The attacker needs administrative or SYSTEM privileges to the target machine to be able to modify the contents of the registry where this information is stored. The registry stores information related to local accounts in the SAM (Security Account Manager) key.
Accessing the registry with SYSTEM privileges using a tool like PsExec allows you to view and modify the contents of the SAM key, uncovering how this information is stored.
Understanding the Registry
To understand what is actually happening under the covers, an explanation of the contents of the ‘HKLM\SAM\SAM\Domains\Account\Users’ key is necessary. Stored within the Users key are entries for every local account. These entries are named after the RID of the account; the two most prevalent ones are 0x1F4 and 0x1F5, which translate from hexadecimal to 500 and 501 respectively. These values are the RIDs of the Administrator and Guest accounts. This can be shown by querying WMI via the command line; the last part of the SID is the RID for the account.
Looking in the Names subkey, there is a name for every local account, and the value stored within this key is the RID in hexadecimal, mapping to the parent keys. Now that we understand that our target, the Guest account, is the subkey ‘000001F5’ we can take a deeper look into the contents found there.
As you can see, there are three values set, F, ForcePasswordReset, and V. The focus of this technique is the F value, which stores the RID of the account.
Inspecting the data of F, we’re presented with a hexadecimal dump which contains the bytes 0xF501 at offset 30. This is the RID of the account, stored in little endian (0x01F5). Modifying the contents from 0xF501 (501) to 0xF401 (500) effectively changes the RID of the Guest account to the RID of the Administrator account.
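Because the RID is stored twice (once as the subkey name, once inside F), a hijack leaves the two out of sync, and that is an auditable condition. The following PowerShell audit is an added example, not part of the original post or its GitHub script: it walks the Users key, reads the DWORD at offset 0x30 of each F value and flags any subkey whose name disagrees with it. It must run as SYSTEM (for instance via PsExec -s), and the account-flags word at offset 0x38 (bit 0 = account disabled) is taken from the documented F value layout rather than from this post.

```powershell
# Audit HKLM\SAM for RID hijacking. Each Users\<8 hex digit RID> subkey
# repeats the account RID inside its F value as a little-endian DWORD at
# offset 0x30; a mismatch means F was edited. Requires SYSTEM privileges.
$UsersKey = 'HKLM:\SAM\SAM\Domains\Account\Users'

function Get-SamRidMismatch {
    param([string]$Path = $UsersKey)
    $results = @()
    foreach ($sub in Get-ChildItem -Path $Path) {
        # Only the RID-named subkeys hold an F value; skip 'Names' etc.
        if ($sub.PSChildName -notmatch '^[0-9A-Fa-f]{8}$') { continue }
        $keyRid = [Convert]::ToUInt32($sub.PSChildName, 16)
        $f = $sub.GetValue('F')            # REG_BINARY comes back as byte[]
        if ($null -eq $f -or $f.Length -lt 0x3A) { continue }
        $storedRid = [BitConverter]::ToUInt32($f, 0x30)
        $flags     = [BitConverter]::ToUInt16($f, 0x38)   # ACB flags
        $results += [pscustomobject]@{
            SubKey    = $sub.PSChildName
            KeyRid    = $keyRid
            StoredRid = $storedRid
            Disabled  = (($flags -band 0x1) -ne 0)
            Hijacked  = ($keyRid -ne $storedRid)
        }
    }
    return $results
}

# A Guest entry (subkey 000001F5) reporting StoredRid 500 and Disabled False
# is the exact footprint of the technique described above.
Get-SamRidMismatch | Format-Table -AutoSize
```

Running this on a schedule and comparing against a known-good baseline turns the technique's silent privilege change into an alertable event.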
Seeing It in Action
Once the RID of the account has been modified, we can see that the Guest account is actually being identified as the Administrator account according to its RID.
This allows the attacker to make changes or utilize administrative privileges with the Guest account, which is normally not under the same surveillance as the Administrator account. Below is a link to our GitHub that will allow you to download a script that will run a proof of concept on this vulnerability.
Kevin Joyce is a Senior Technical Product Manager at STEALTHbits Technologies. He is responsible for building and delivering on the roadmap of STEALTHbits products and solutions.
Kevin is passionate about cyber-security and holds a Bachelor of Science degree in Digital Forensics from Bloomsburg University of Pennsylvania.