Hackers Use Windows RID Hijacking to Create Hidden Admin Account

Listen to this Post

Hackers are exploiting Windows RID (Relative Identifier) hijacking to create hidden administrator accounts, allowing them to maintain persistent access to compromised systems. This technique involves manipulating the RID of a user account to grant it administrative privileges while keeping it hidden from normal user management tools.

You Should Know:

To detect and mitigate RID hijacking, follow these steps and commands:

1. Check User Accounts and RIDs:

Use PowerShell to list all user accounts and their RIDs:

Get-LocalUser | Select Name, SID

Look for suspicious accounts or RIDs that don’t align with standard user accounts.

2. Verify Hidden Accounts:

Use the following command to check for hidden accounts in the registry:

reg query "HKLM\SAM\SAM\Domains\Account\Users\Names"

Compare the output with the list of visible accounts in the User Management tool.

3. Monitor Registry Changes:

Enable auditing for registry changes to detect unauthorized modifications:

reg add "HKLM\SAM\SAM" /v "Audit" /t REG_DWORD /d 1 /f

4. Remove Suspicious Accounts:

If you identify a hidden admin account, remove it using:

Remove-LocalUser -Name "SuspiciousAccountName"

5. Enable Security Auditing:

Configure Group Policy to audit account management events:

  • Open `gpedit.msc`
  • Navigate to:
    `Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Management`
  • Enable auditing for “Account Management.”

6. Use Sysinternals Tools:

Download and use Sysinternals’ `Autoruns` and `Process Explorer` to detect hidden processes and auto-start entries.

What Undercode Say:

RID hijacking is a sophisticated technique that highlights the importance of proactive system monitoring and hardening. Regularly audit user accounts, enable security logging, and use advanced tools like Sysinternals to detect anomalies. Strengthen your defenses by applying the latest security patches and limiting administrative privileges. For further reading, visit BleepingComputer.

Related Commands:

  • List all processes:
    Get-Process
    
  • Check for open network connections:
    netstat -ano
    
  • Scan for malware using Windows Defender:
    Start-MpScan -ScanType FullScan
    
  • Disable unnecessary services:
    Stop-Service -Name "ServiceName" 
    Set-Service -Name "ServiceName" -StartupType Disabled
    

Stay vigilant and keep your systems secure!

References:

Reported By: Florian Hansemann – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image