Non-administrator accounts with RIDs ending in *-500 may indicate RID hijacking, where an attacker impersonates a legitimate admin account to gain elevated privileges. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement and privilege escalation attempts by adversaries.
KQL Query

```kusto
// Enter a reference list of default local administrators for your Windows systems
let LocalAdminsList = dynamic(["administrator","admin"]);
SecurityEvent
// 4624 = successful logon, 4625 = failed logon; RID 500 is the built-in Administrator account.
// !in~ matches the reference list case-insensitively, so the default "Administrator" name is not flagged.
| where EventID in (4624,4625) and TargetUserSid endswith "-500" and TargetUserName !in~ (LocalAdminsList)
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, TargetUserName, TargetUserSid, TargetLogonId, IpAddress, LogonTypeName
```
```yaml
id: fcdeec10-6948-11ec-90d6-0242ac120003
name: RID Hijacking
description: |
  'This query detects all authentication attempts of non-administrator accounts whose RID ends in *-500.
  Ref: https://stealthbits.com/blog/rid-hijacking-when-guests-become-admins/'
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
tactics:
  - PrivilegeEscalation
relevantTechniques:
  - T1078
query: |
  // Enter a reference list of default local administrators for your Windows systems
  let LocalAdminsList = dynamic(["administrator","admin"]);
  SecurityEvent
  // 4624 = successful logon, 4625 = failed logon; RID 500 is the built-in Administrator account.
  // !in~ matches the reference list case-insensitively, so the default "Administrator" name is not flagged.
  | where EventID in (4624,4625) and TargetUserSid endswith "-500" and TargetUserName !in~ (LocalAdminsList)
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, TargetUserName, TargetUserSid, TargetLogonId, IpAddress, LogonTypeName
```
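The hunt above (and its YAML packaging) can be exercised offline before it is deployed. The following Python script is an added example, not code from the Sentinel repository or the query's author: it re-implements the same filter and summarize steps over a handful of constructed SecurityEvent rows, and exposes the one design point worth checking, namely whether the administrator reference list is matched case-sensitively or not. The event rows, SIDs, hostnames and IP addresses are all made up for the example.

```python
"""Offline model of the RID-hijacking hunt: keep 4624/4625 logons whose TargetUserSid
ends in "-500", drop names on the local-admin reference list, then summarize first and
last seen per Computer/TargetUserName/TargetUserSid/TargetLogonId/IpAddress/LogonTypeName.
"""
from collections import defaultdict
from datetime import datetime

# Reference list of default local administrator names (assumption: tune per environment).
LOCAL_ADMINS_LIST = ("administrator", "admin")

# Columns the KQL summarizes by.
GROUP_KEYS = ("Computer", "TargetUserName", "TargetUserSid",
              "TargetLogonId", "IpAddress", "LogonTypeName")

# Constructed sample rows (not real telemetry). Only "guest" holds RID 500 under a
# non-default name; "Administrator" is the legitimate built-in account.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2024-01-05T08:00:00", "EventID": 4624, "Computer": "WS01",
     "TargetUserName": "Administrator", "TargetUserSid": "S-1-5-21-111-222-333-500",
     "TargetLogonId": "0x3e7a1", "IpAddress": "10.0.0.5", "LogonTypeName": "3 - Network"},
    {"TimeGenerated": "2024-01-05T08:05:00", "EventID": 4624, "Computer": "WS01",
     "TargetUserName": "guest", "TargetUserSid": "S-1-5-21-111-222-333-500",
     "TargetLogonId": "0x3e7b2", "IpAddress": "10.0.0.9", "LogonTypeName": "10 - RemoteInteractive"},
    {"TimeGenerated": "2024-01-05T08:20:00", "EventID": 4625, "Computer": "WS01",
     "TargetUserName": "guest", "TargetUserSid": "S-1-5-21-111-222-333-500",
     "TargetLogonId": "0x3e7b2", "IpAddress": "10.0.0.9", "LogonTypeName": "10 - RemoteInteractive"},
    {"TimeGenerated": "2024-01-05T09:00:00", "EventID": 4624, "Computer": "WS02",
     "TargetUserName": "jdoe", "TargetUserSid": "S-1-5-21-111-222-333-1105",
     "TargetLogonId": "0x41c00", "IpAddress": "10.0.0.7", "LogonTypeName": "2 - Interactive"},
    # Special-privilege assignment (4672) is not a logon event and is ignored by the hunt.
    {"TimeGenerated": "2024-01-05T09:30:00", "EventID": 4672, "Computer": "WS02",
     "TargetUserName": "svc_backup", "TargetUserSid": "S-1-5-21-111-222-333-500",
     "TargetLogonId": "0x41d10", "IpAddress": "-", "LogonTypeName": "-"},
]


def is_suspicious(event, admins=LOCAL_ADMINS_LIST, case_insensitive=True):
    """Equivalent of the KQL `where` clause for one row."""
    if event["EventID"] not in (4624, 4625):
        return False
    if not event["TargetUserSid"].endswith("-500"):
        return False
    name = event["TargetUserName"]
    if case_insensitive:  # KQL `!in~`: Windows account names are case-insensitive
        return name.casefold() not in {a.casefold() for a in admins}
    return name not in admins  # KQL `!in`: exact match only


def hunt_rid_hijacking(events, admins=LOCAL_ADMINS_LIST, case_insensitive=True):
    """Equivalent of the KQL `summarize min()/max() by ...` over the filtered rows."""
    groups = defaultdict(list)
    for ev in events:
        if is_suspicious(ev, admins, case_insensitive):
            key = tuple(ev[k] for k in GROUP_KEYS)
            groups[key].append(datetime.fromisoformat(ev["TimeGenerated"]))
    rows = []
    for key, times in groups.items():
        row = dict(zip(GROUP_KEYS, key))
        row["StartTime"] = min(times)
        row["EndTime"] = max(times)
        rows.append(row)
    return sorted(rows, key=lambda r: r["StartTime"])


if __name__ == "__main__":
    for row in hunt_rid_hijacking(SAMPLE_EVENTS):
        print(row)
    # With an exact-match list the legitimate "Administrator" logon is flagged too.
    print(len(hunt_rid_hijacking(SAMPLE_EVENTS, case_insensitive=False)), "rows with exact matching")
```

Run as written, the script reports a single row for `guest` on WS01 (first seen 08:05, last seen 08:20, spanning one successful and one failed logon), while the 4672 event and the RID 1105 user are ignored. Switching `case_insensitive` off reproduces what a plain `!in` against a lowercase reference list does: the built-in `Administrator` logon is reported as well, which is the noise the `!in~` form of the query avoids.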
| Sentinel Table | Notes |
|---|---|
| SecurityEvent | Ensure this data connector is enabled |
Scenario: Scheduled Task Execution by Non-Admin User
Description: A non-admin user runs a scheduled task that is configured to use a RID ending in -500, which is typically reserved for built-in accounts.
Filter/Exclusion: process.parent_process_name:"schtasks.exe" or process.command_line:"schtasks /run"
Scenario: User Running a System Maintenance Tool
Description: A regular user runs a system maintenance tool (e.g., DISM, System File Checker, or CCleaner) that temporarily uses a RID ending in -500 during its operation.
Filter/Exclusion: process.name:"dism.exe" or process.name:"sfc.exe" or process.name:"ccleaner.exe"
Scenario: Group Policy Object (GPO) Processing
Description: A non-admin user is part of a group that is processed by a Group Policy Object (GPO) that temporarily assigns a RID ending in -500 during policy application.
Filter/Exclusion: process.name:"gpupdate.exe" or process.name:"services.exe" AND event_id:41
Scenario: Antivirus or Endpoint Protection Scan
Description: A non-admin user triggers an antivirus or endpoint protection scan (e.g., Windows Defender, Bitdefender, or Kaspersky) that uses a RID ending in -500 for internal operations.
Filter/Exclusion: process.name:"msascui.exe" or process.name:"mpsvc.exe" or process.name:"bitdefender.exe"
Scenario: User Running a Custom Script with Elevated Privileges
Description: A non-admin user runs a custom script (e.g.,