

Windows operating systems use the RID (Relative Identifier) to differentiate groups and user accounts. It is part of the Security Identifier (SID), and every time a new account or group is created the number is increased by one. The local Administrator account RID is always 500, and standard users or groups typically start at 1001. This can assist penetration testers and red team operators in distinguishing whether an account is elevated or standard during RID enumeration.

Sebastian Castro discovered that it is possible to modify the registry in order to make the Guest account an admin by hijacking the RID of a valid account. During an offensive operation this can be used as a method to maintain persistence using only accounts that already exist on the system. Activity is recorded in the event log as the hijacked user instead of the hijacker account.

The registry SAM (Security Account Manager) key stores information about the local accounts of the system. However, the contents of this key are hidden from standard and elevated users, so this technique requires SYSTEM-level privileges: the location in the registry is not visible under standard or administrator privileges.

Before touching the key, export its current contents so the change can be rolled back if corruption occurs; the key 000001F5 is the Guest account (RID 501 in hex). The output path below is a placeholder:

reg export 'HKLM\SAM\SAM\Domains\Account\Users\000001F5' C:\backup\users_000001F5.reg
$key = 'HKLM:\SAM\SAM\Domains\Account\Users\000001F5'
$binaryValue = (Get-ItemProperty -Path $key -Name "F")."F"   # binary F value holding the account's RID and flags
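A defender's check for this technique, added here as an example and not part of the original post: run as SYSTEM (for instance through PsExec -s or a SYSTEM scheduled task, since the SAM hive is unreadable to administrators), it walks the Users keys and compares the RID in each key name with the RID stored inside the binary F value at offset 0x30, the field the hijack overwrites. The function name and the output shape are this example's own.

```powershell
# Added detection example (not from the original post). Must run as SYSTEM.
# Each subkey under Users is named after the account RID in hex (000001F4 = 500,
# 000001F5 = 501); the F value stores the RID again, little-endian, at offset 0x30.
# RID hijacking changes the stored RID only, so a mismatch between the two is
# the indicator to look for.
$usersPath = 'HKLM:\SAM\SAM\Domains\Account\Users'

function Get-RidHijackFindings {
    $findings = @()
    Get-ChildItem -Path $usersPath -ErrorAction Stop |
        Where-Object { $_.PSChildName -match '^[0-9A-F]{8}$' } |   # skip the Names subkey
        ForEach-Object {
            $keyRid = [Convert]::ToInt32($_.PSChildName, 16)
            $f = (Get-ItemProperty -Path $_.PSPath -Name 'F').F
            if ($f.Length -lt 0x32) { return }                       # malformed F value, nothing to compare
            $storedRid = [int][BitConverter]::ToUInt16($f, 0x30)
            # Resolve the key RID to a local account name via the SID suffix.
            $account = Get-LocalUser | Where-Object { $_.SID.Value -match "-$keyRid$" } |
                       Select-Object -First 1 -ExpandProperty Name
            $findings += [pscustomobject]@{
                Account   = $account
                KeyRid    = $keyRid
                StoredRid = $storedRid
                Hijacked  = ($keyRid -ne $storedRid)
            }
        }
    return $findings
}

# Report only accounts whose stored RID no longer matches their own key.
Get-RidHijackFindings | Where-Object { $_.Hijacked } | Format-Table -AutoSize
```

A hit where Guest (key 000001F5) carries a stored RID of 500 is the case the post describes; compare the F value against the earlier reg export to confirm what changed.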
