The art of persistence is a matter of concern once successful exploitation is achieved. Sometimes it is pretty tricky to maintain access in certain environments, especially when it is not possible to execute common vectors like creating users or adding them to privileged groups, dumping credentials or hashes, deploying a persistent <bind/reverse> shell, or anything else that could trigger an alert on the victim. This is why it is necessary to use discreet and stealthy techniques to keep an open door right after obtaining high-privilege access on the target.

What could be more convenient than using only OS resources in order to persist access?

This is the idea behind a new post-exploitation technique which I have named RID Hijacking.

The RID Hijacking Attack

By using only OS resources, it is possible to hijack the RID of any existing account on the victim (even the built-in Administrator account, RID 500) and assign it to another user account. This attack will:

Assign the privileges of the hijacked account to the hijacker account, even if the hijacked account is disabled.

Allow authentication with the hijacker account's credentials (also remotely, depending on the machine's configuration), granting authorized access as the hijacked user.

Record any operation in the event log as executed by the hijacked user, despite the session being logged in as the hijacker.

As far as I know, this technique has not been properly documented, despite its stunning effectiveness. So I decided to write a Metasploit module, rid_hijack, which automates this attack for any combination of existing accounts on the victim host. This module is included in the latest Metasploit version as post/windows/manage/rid_hijack.