A technique dubbed ‘RID hijacking’ allows a hacker to assign admin rights to low-level user accounts and boot persistence on a Windows PC. The technique was initially found to be detailed in December 2017. Despite the added benefits and ease of exploitation offered by the technique, it has not been used by the attackers for at least 10 months now.
The technique, discovered by Sebastian Castro, a security researcher from CSL, targets one of the features of Windows computers and user accounts known as Relative Identifier (RID).
The RID code is used at the end of account security identifiers (SIDs) that describes the user's permission group. While there are several RID’s available, the most commonly used ones are 500 for admin accounts and 501 for the standard guest account.
By manipulating the registry keys that store information about each Windows account, one can modify the RID associated with a particular account, and assign it with a different RID, which in turn assigns newer permissions. This method was discovered by Castro along with CSL CEO Pedro Garcia.
However, the technique does not allow an attacker to remotely access or infect the system if the targeted computer is password protected and connected to the internet. If a computer is connected to the internet without any password protection, then the hacker can get a foothold on the system using crafted malware or brute force attacks.
After gaining access to a computer, a hacker could create a permanent backdoor access to the compromised Windows PC. Also, any changes made to an account’s RID will remain persistent since the registry keys can survive a boot. The attack method tested positive on Windows versions starting from XP to 10, and from Server 2003 to 2016.
Castro told in an interview to ZDNet that, "It is not so easy to detect when exploited, because this attack could be deployed by using OS resources without triggering an alert to the victim."
"It is possible to find out if a computer has been a victim of RID hijacking by looking inside the [Windows] registry and checking for inconsistencies on the SAM [Security Account Manager]," Castro added.
Castro has also created a module for the Metasploit Framework that automates the attack for penetration testing purposes.
"We reached out Microsoft as soon as the module was developed, but we did not receive any kind of response from them," Castro told ZDNet. "And no, it is not already patched."
RID hijacking technique is simple, stealthy and persistent holding all features a hacker will like about every Windows flaws. Currently, no malware uses this technique as an exploit method for attacks, said researchers.