One Day Sec

What are typical exploitation scenarios where RID hijacking is used?

Common scenarios include enabling the Guest account (RID 501) and changing its RID to 500 (Administrator), then logging in as Guest to obtain full administrative privileges. Another approach is to take an existing low-privilege user, change that user's RID to the RID of a high-privilege domain or local account (e.g., Domain Admins RID 512 in a domain environment), and log in to inherit those permissions. The technique can also be combined with remote registry access to target other machines on the network, making it usable for lateral movement.
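A defender-side check for the scenarios above, added here as an example that is not part of the original answer: a RID change is a write to the `F` value of the affected user's key under `HKLM\SAM\SAM\Domains\Account\Users\<RID in 8-digit hex>`, so registry-write telemetry for that path is the natural signal. The script scans constructed, simplified `key=value` renderings of Sysmon Event ID 13 (registry value set) events and flags any such write, resolving the hex key name back to the RID.

```python
import re
from dataclasses import dataclass

# Per-user SAM records live under this path; the key name is the account's RID in 8-digit hex
# (000001F5 = 501 Guest, 000001F4 = 500 Administrator). Only writes to the F value are of interest.
SAM_USER_F_RE = re.compile(
    r"HKLM\\SAM\\SAM\\Domains\\Account\\Users\\(?P<rid_hex>[0-9A-Fa-f]{8})\\F$",
    re.IGNORECASE,
)

WELL_KNOWN_RIDS = {500: "Administrator (built-in)", 501: "Guest (built-in)"}


@dataclass
class Alert:
    rid: int            # RID of the account whose SAM record was rewritten
    account_hint: str   # well-known name for that RID, if any
    image: str          # process that performed the write


def parse_event(line: str) -> dict:
    """Parse one constructed 'Field=value|Field=value' event line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split("|"))


def check_line(line: str):
    """Return an Alert if the line is a registry value write to a SAM user F value, else None."""
    fields = parse_event(line)
    if fields.get("EventID") != "13":          # Sysmon 13 = RegistryEvent (value set)
        return None
    match = SAM_USER_F_RE.search(fields.get("TargetObject", ""))
    if not match:
        return None
    rid = int(match.group("rid_hex"), 16)
    return Alert(rid=rid,
                 account_hint=WELL_KNOWN_RIDS.get(rid, "local account"),
                 image=fields.get("Image", "<unknown>"))


def scan(lines):
    """Run check_line over a batch of event lines and collect the alerts."""
    return [alert for alert in map(check_line, lines) if alert is not None]


# Constructed sample events: a benign Run-key write, a write to the Guest account's F value,
# and a key-create event (ID 12) for the same path, which the check deliberately ignores.
SAMPLE_EVENTS = [
    "EventID=13|Image=C:\\Windows\\System32\\svchost.exe|TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
    "EventID=13|Image=C:\\Windows\\regedit.exe|TargetObject=HKLM\\SAM\\SAM\\Domains\\Account\\Users\\000001F5\\F",
    "EventID=12|Image=C:\\Windows\\regedit.exe|TargetObject=HKLM\\SAM\\SAM\\Domains\\Account\\Users\\000001F5\\F",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"SAM F value rewritten for RID {alert.rid} [{alert.account_hint}] by {alert.image}")
```

Legitimate SAM writes to these values are rare outside account creation and password changes, so a hit on an existing account, especially from an interactive tool rather than lsass, warrants a look at the account's current RID and recent logons.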
RID hijacking exploitation, Guest account privilege escalation, domain admin impersonation, remote registry, lateral movement