RID hijacking is a persistence technique used by adversaries who have compromised a Windows machine. It involves using the relative identifier (RID) of the local Administrator account to provide admin privileges to another local account, such as the Guest account, to escalate their attack.

That way, they can take actions using the Guest account, which is normally not under the same level of surveillance as the Administrator account, to expand their attack while remaining undetected.

Kevin Joyce, a Senior Technical Product Manager, sheds more light on the subject with a step-by-step explanation, published as a blog article on Netwrix’s webpage.

According to Kevin, to perform RID hijacking, an adversary must have already compromised a machine and gained administrative or SYSTEM privileges since they are required to change the RID value of the Guest account to the RID of the Administrator account. Alongside the step-by-step explanation of the issue, in his article, Kevin also provides a script that you can use to run a proof of concept on this vulnerability and suggests appropriate cyber security solutions that can help tackle the problem.

Netwrix offers two solutions that can help you defend against RID hijacking:

The Netwrix Privileged Access Management solution enables you to spot suspicious activity related to privileged accounts — including attempts to modify user accounts as happens in RID hijacking. It also empowers you to enforce strong password policies to prevent unauthorized access to privileged accounts in the first place, and to limit the use of privileged accounts to only those tasks that require elevated privileges.

Netwrix Change Tracker audits changes to your security configuration — including changes to the RID values of Active Directory accounts.


If this information is helpful to you read our blog for more interesting and useful content, tips, and guidelines on similar topics. Contact the team of COMPUTER 2000 Bulgaria now if you have a specific question. Our specialists will be assisting you with your query. 

Content curated by the team of COMPUTER 2000 on the basis of news in reputable media and marketing materials provided by our partners, companies, and other vendors.

Follow us to learn more


Let’s walk through the journey of digital transformation together.

By clicking on the SEND button you agree to the processing of personal data. In accordance with our Privacy Policy

13 + 14 =