Windows operating systems use the RID (Relative Identifier) to differentiate groups and user accounts. It is part of the Security Identifier (SID), and every time a new account or group is created the number is increased by one. The local administrator account RID is always 500, and standard users or groups typically start at 1001. This can assist penetration testers and red team operators in distinguishing whether an account is elevated or a standard one during RID enumeration. Sebastian Castro discovered that it is possible to make a modification in the registry in order to make the Guest account an admin by hijacking the RID of a valid account. This technique requires SYSTEM level privileges, as the location in the registry is not visible under standard or administrator privileges. During an offensive operation it can be used as a method to maintain persistence using only accounts that are already part of the system.
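The paragraph above rests on two facts: the RID is the last sub-authority of a SID, and RIDs are allocated once and never shared between accounts. The following is an added example (not code from the original post or from the technique's author) that parses SIDs in both string and binary form, classifies each account by its RID, and flags any RID claimed by more than one account as an anomaly worth investigating. The machine identifier `S-1-5-21-1111-2222-3333`, the account names and the `SAMPLE_ACCOUNTS` list are constructed sample data; the well-known RIDs 500 and 1001 come from the page, 501 (Guest) is a documented Windows constant.

```python
import struct

# Well-known local RIDs. 500 (Administrator) and 1001 (first user-created
# account) are stated on the page; 501 is the documented Guest RID.
WELL_KNOWN_RIDS = {500: "Administrator (built-in)", 501: "Guest (built-in)"}


def parse_sid_string(sid):
    """Parse 'S-1-5-21-...-500' into (revision, authority, [sub-authorities])."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision = int(parts[1])
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return revision, authority, subs


def parse_sid_bytes(blob):
    """Parse the binary SID layout: revision (1 byte), sub-authority count
    (1 byte), 48-bit identifier authority (big-endian), then count 32-bit
    little-endian sub-authorities."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID blob length does not match sub-authority count")
    subs = list(struct.unpack("<%dI" % count, blob[8:8 + 4 * count]))
    return revision, authority, subs


def sid_to_string(revision, authority, subs):
    """Inverse of parse_sid_*: render the canonical S-R-A-S1-...-Sn form."""
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def rid_of(sid):
    """The RID is the last sub-authority of the SID."""
    return parse_sid_string(sid)[2][-1]


def classify_rid(rid):
    """Map a RID to the account class it implies."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    if rid < 1000:
        return "built-in / reserved"
    return "user-created"


def audit_accounts(accounts):
    """accounts: list of (name, sid_string). Returns a per-account
    (rid, class) report and the RIDs claimed by more than one account.
    Because RIDs are allocated once and incremented, a shared RID should
    never occur and points at tampering with account identity."""
    report = {}
    by_rid = {}
    for name, sid in accounts:
        rid = rid_of(sid)
        report[name] = (rid, classify_rid(rid))
        by_rid.setdefault(rid, []).append(name)
    collisions = {rid: names for rid, names in by_rid.items() if len(names) > 1}
    return report, collisions


# Constructed sample input: a machine identifier and four local accounts,
# one of which ("shadow") claims the administrator RID.
MACHINE_SID = "S-1-5-21-1111-2222-3333"
SAMPLE_ACCOUNTS = [
    ("Administrator", MACHINE_SID + "-500"),
    ("Guest", MACHINE_SID + "-501"),
    ("alice", MACHINE_SID + "-1001"),
    ("shadow", MACHINE_SID + "-500"),
]


def example_audit():
    return audit_accounts(SAMPLE_ACCOUNTS)


if __name__ == "__main__":
    report, collisions = example_audit()
    for name, (rid, cls) in report.items():
        print("%-14s RID %-5d %s" % (name, rid, cls))
    for rid, names in collisions.items():
        print("WARNING: RID %d claimed by %s" % (rid, ", ".join(names)))
```

On a real host the `(name, sid)` pairs would come from local account enumeration (for example the output of `Get-LocalUser`), and the collision check is a heuristic: it catches two enumerated accounts resolving to the same RID, which is exactly the condition the technique above produces.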