-
-
Notifications
You must be signed in to change notification settings - Fork 205
Expand file tree
/
Copy pathpersistence_rid_hijacking.yml
More file actions
25 lines (23 loc) · 983 Bytes
/
persistence_rid_hijacking.yml
File metadata and controls
25 lines (23 loc) · 983 Bytes
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
name: RID Hijacking
id: 5c25666a-4a9f-4b7c-b02f-db0b5cdbde83
version: 1.0.4
description: |
RID (Relative ID part of security identifier) hijacking allows an attacker with SYSTEM
level privileges to covertly replace the RID of a low privileged account effectively making
the low privileged account assume Administrator privileges on the next logon.
labels:
tactic.id: TA0006
tactic.name: Persistence
tactic.ref: https://attack.mitre.org/tactics/TA0006/
technique.id: T1547
technique.name: Boot or Logon Autostart Execution
technique.ref: https://attack.mitre.org/techniques/T1547/
references:
- https://github.com/r4wd3r/RID-Hijacking
- https://www.ired.team/offensive-security/persistence/rid-hijacking
condition: >
set_value and
registry.path imatches 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\*\\F' and
ps.sid in ('S-1-5-18', 'S-1-5-19', 'S-1-5-20') and
ps.exe not imatches '?:\\Windows\\System32\\lsass.exe'
min-engine-version: 3.0.0