Hack Reports - Latest Cybersecurity News, Trends & Updates

Hackers use Windows RID hijacking to create hidden admin account

Geetansh -

Windows RID Hijacking Vulnerabilities

RID (Relative Identifier) Hijacking is a technique that involves modifying the Relative Identifier (RID) value of an account to gain elevated privileges or access to restricted resources. Here are some key points related to RID hijacking and related Windows security issues:

RID Hijacking Technique

RID hijacking involves changing the RID of a user account to match that of a built-in account, such as the Administrator account, which has a well-known RID (typically 500). This can be done to bypass security restrictions and gain administrative privileges.

  • Attack Method: An attacker with sufficient privileges can modify the RID of a regular user account to match the RID of an administrative account. This allows the attacker to leverage the privileges associated with the administrative account5.

Vulnerabilities and Exploitation

While there are no recent, specific CVEs dedicated solely to RID hijacking, the technique exploits weaknesses in account management and privilege escalation.

  • Privilege Escalation: RID hijacking is often used as part of a broader privilege escalation attack. For instance, if an attacker can create or modify user accounts, they might use RID hijacking to elevate their privileges5.

Hidden Admin Accounts and Windows Security

Built-in Accounts

Windows has several built-in accounts that are disabled by default, including the Administrator account. These accounts can be a target for RID hijacking.

  • Built-in Accounts: Accounts like Administrator, Guest, DefaultAccount, and WDAGUtilityAccount are disabled by default. However, their RIDs are well-known, making them potential targets for RID hijacking. Resetting credentials for these accounts does not enable them or set additional policies for sign-in2.

Security Measures

To mitigate RID hijacking and related attacks, several security measures can be implemented:

  • Account Management: Ensure that built-in accounts are properly managed and their RIDs are not easily discoverable. Use strong passwords and consider renaming these accounts to make them less predictable.
  • Privilege Restriction: Limit the privileges of regular user accounts to prevent them from making significant changes to the system, such as modifying RIDs.
  • Monitoring: Regularly monitor system logs for any suspicious activity related to account modifications.
  • Access Control: Implement strict access control policies, including the use of ACLs (Access Control Lists) and IAM roles, to restrict who can modify user accounts and their attributes25.

Recent Security Updates and Advisories

While there are no specific recent advisories solely on RID hijacking, it is important to keep the system updated with the latest security patches to prevent other vulnerabilities that could be exploited in conjunction with RID hijacking.

  • General Security Updates: Ensure that your Windows system is updated with the latest security patches. Recent vulnerabilities in other components, such as those listed in the Amazon Linux Security Center, can sometimes be used in conjunction with RID hijacking to escalate privileges1.

In summary, RID hijacking is a serious security concern that can be mitigated through proper account management, privilege restriction, and regular system monitoring. Keeping the system updated with the latest security patches is also crucial to prevent other vulnerabilities that could be exploited in conjunction with RID hijacking.