Skip to content

r4wd3r/RID-Hijacking

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

38 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

RID Hijacking: Maintaining Access on Windows Machines

Arsenal

The RID Hijacking hook, applicable to all Windows versions, allows setting desired privileges to an existent account in a stealthy manner by modifying some security attributes of an user.

By only using OS resources, it is possible to replace the RID of an user right before the primary access token is created, allowing to spoof the privileges of the hijacked RID owner.

Modules

Paper

ACM CCS Checkmate 24. Ghost in the SAM: Stealthy, Robust, and Privileged Persistence through Invisible Accounts

@inproceedings{10.1145/3689934.3690839,
author = {Castro, Sebasti\'{a}n R. and C\'{a}rdenas, Alvaro A.},
title = {Ghost in the SAM: Stealthy, Robust, and Privileged Persistence through Invisible Accounts},
year = {2024},
isbn = {9798400712302},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/3689934.3690839},
doi = {10.1145/3689934.3690839},
pages = {59–72},
numpages = {14}}

Slides

Derbycon 8.0

References

r4wsecurity: RID Hijacking - Maintaining access on Windows Machines

About

Windows RID Hijacking persistence technique

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published