RID Hijacking: Maintaining Access on Windows Machines

DerbyCon 8.0 - Evolution

Presented by: Sebastián Castro
Date: Saturday October 06, 2018
Time: 16:30 - 16:55
Location: Kentucky C & D
Track: Stable

The art of persistence is (and will be...) a matter of concern when successfully exploitation is achieved. Sometimes it is pretty tricky to maintain access on certain environments, especially when it is not possible to execute common vectors like creating or adding users to privileged groups, dumping credentials or hashes, deploying a persistent shell, or anything that could trigger an alert on the victim. This statement ratifies why it's necessary to use discrete and stealthy techniques to keep an open door right after obtaining a high privilege access on the target. What could be more convenient that only use OS resources in order to persist an access? This presentation will provide a new post-exploitation hook applicable to all Windows versions called RID Hijacking, which allows setting desired privileges to an existent account in a stealthy manner by modifying some security attributes. To show its effectiveness, the attack will be demonstrated by using a module which was recently added by Rapid7 to their Metasploit Framework, and developed by the security researcher Sebastián Castro.

Sebastián Castro

Sebastián Castro (@r4wd3r) is the R&D Leader at CSL Labs. Born in Bogotá, Colombia, has been an information security researcher, network & application pentester and red-teamer for 6 years, providing cybersecurity services to global financial institutions and local defense government organizations. This guy has presented at national and international conferences, such as BSides, ISC² and recently Black Hat, exposing password cracking and Windows security own research. Sometimes a tenor, sometimes a hacker, Sebastián also works as an opera singer at the Opera of Colombia Chorus, participating on many national and international fancy performances with well-known singers whose names he can’t even spell.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats