RID Hijacking: A Stealthy Windows Persistence Technique Used by the Andariel Group
RID (Relative Identifier) hijacking is a post-exploitation technique in which an attacker who already holds SYSTEM on a Windows host rewrites the RID stored in the local SAM for a low-privileged account, so that Windows treats that account as the built-in Administrator (RID 500) at its next logon.




TL;DR
- Mechanism of RID Hijacking: The attacker overwrites the RID stored in a low-privileged local account's SAM record (the binary "F" value under HKLM\SAM\SAM\Domains\Account\Users) with the RID of a privileged account, typically 500, the built-in Administrator. At the next logon Windows builds that account's token with the administrator's SID.
- Exploitation Requirements: The SAM hive is writable only by SYSTEM, so the attacker must already hold SYSTEM (for example via PsExec -s from an administrative session, or a Potato-style impersonation exploit such as JuicyPotato). RID hijacking therefore preserves and disguises privileged access rather than obtaining it from a low-privileged foothold.
- Detection Techniques: Audit writes to the SAM user keys, verify that the RID inside each account's "F" value matches its key name, and look for logons whose SID ends in -500 but whose account name is not the (possibly renamed) built-in Administrator.
- Mitigation Strategies: Deny attackers the SYSTEM foothold (restrict PsExec-style execution and SeImpersonatePrivilege abuse, keep local administrator membership minimal), disable the Guest account, and treat any unexplained change to the SAM hive as an incident. Multi-factor authentication protects credentials but does not stop the hijack once SYSTEM is held.
- Case Study - Andariel Group: AhnLab reported in January 2025 that Andariel, a North Korea-linked subgroup of the Lazarus Group, used RID hijacking to give a hidden local account administrative rights.
- Stealth and Persistence: The hijacked account keeps its own name and password, need not be a member of the Administrators group, and the real Administrator account is never modified, so routine account reviews rarely notice it.
- Historical Context: The technique was published in December 2017 and presented as a persistence method at DerbyCon 8 in 2018.
Research Summary
RID (Relative Identifier) hijacking is a post-exploitation persistence technique used on compromised Windows systems. A Windows Security Identifier (SID) ends in a RID that distinguishes one account or group from the others in the same local SAM or domain; well-known local RIDs include 500 for the built-in Administrator and 501 for Guest. The local SAM stores each account's RID both in the name of its registry key under HKLM\SAM\SAM\Domains\Account\Users (the key name is the RID in hexadecimal) and inside the binary "F" value of that key, and the Local Security Authority uses the stored value when it builds the account's logon token. By overwriting the stored RID of a low-privileged account with 500, an attacker makes Windows issue that account an administrator token at its next logon, while the account keeps its own name, password and apparent group memberships and the real Administrator account is left untouched. The technique is stealthy because it creates no new privileged account and leaves few of the traces that ordinary privilege escalation does.
Exploitation Methods
Modifying the SAM hive requires SYSTEM privileges: by default even local administrators cannot read or write HKLM\SAM. Attackers therefore first obtain administrative or service-level access through a vulnerability, stolen credentials or malware, and then reach SYSTEM with a tool such as PsExec (psexec -s launches a SYSTEM command prompt from an administrative session) or JuicyPotato (which abuses the SeImpersonatePrivilege held by many service accounts). From that SYSTEM shell the attacker edits the "F" value of the chosen low-privileged account so that its stored RID becomes 500, and the account receives an administrator token at its next logon. Because no new privileged account is created and the real Administrator account is untouched, the change is easy to miss in routine account reviews.
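Added example, not code from this report or from the cited research: a PowerShell check that reads each local account's SAM record and compares the RID encoded in the key name with the RID stored inside the "F" value. It assumes the record layout documented in the 2017 research listed in the references, namely a little-endian DWORD RID at offset 0x30 of F, and it must run as SYSTEM (for example from psexec -s -i powershell.exe) because HKLM\SAM is not readable from an ordinary administrator shell. The function name Find-RidHijack and the output fields are this example's own.

```powershell
# Added example, not the report's or the cited research's own code.
# Compares the RID in each SAM user key name with the RID stored inside the key's "F" value.
# Layout assumption (from the public 2017 research): the RID is a little-endian DWORD at
# offset 0x30 of F.  Run as SYSTEM:  psexec -s -i powershell.exe

function Find-RidHijack {
    [CmdletBinding()]
    param(
        [string]$UsersKey = 'HKLM:\SAM\SAM\Domains\Account\Users'
    )

    if (-not [Security.Principal.WindowsIdentity]::GetCurrent().IsSystem) {
        Write-Warning 'HKLM\SAM is only readable as SYSTEM; run this from psexec -s (results may be empty).'
    }

    # RID -> account name, so findings are readable without decoding the "V" value.
    $nameByRid = @{}
    foreach ($u in Get-LocalUser) {
        $nameByRid[[int]$u.SID.Value.Split('-')[-1]] = $u.Name
    }

    # Only the 8-hex-digit subkeys are account records; this skips the "Names" subkey.
    Get-ChildItem -Path $UsersKey -ErrorAction Stop |
        Where-Object { $_.PSChildName -match '^[0-9A-Fa-f]{8}$' } |
        ForEach-Object {
            $keyRid = [Convert]::ToInt32($_.PSChildName, 16)
            $f = (Get-ItemProperty -Path $_.PSPath -Name F -ErrorAction Stop).F
            if ($f.Length -lt 0x34) { return }      # truncated record, skip it
            $storedRid = [int][BitConverter]::ToUInt32($f, 0x30)

            $name = if ($nameByRid.ContainsKey($keyRid)) { $nameByRid[$keyRid] } else { '<unknown>' }
            [pscustomobject]@{
                Account   = $name
                KeyRid    = $keyRid
                StoredRid = $storedRid
                # Any mismatch is abnormal; a stored 500 on a non-500 key is the classic hijack.
                Hijacked  = ($keyRid -ne $storedRid)
                AdminRid  = ($storedRid -eq 500 -and $keyRid -ne 500)
            }
        }
}

$findings = Find-RidHijack
$findings | Format-Table -AutoSize
if ($findings | Where-Object Hijacked) {
    Write-Warning 'RID mismatch found: treat the host as compromised; rebuild the account or the host rather than only patching the F value.'
}
```

On a clean host every row shows KeyRid equal to StoredRid. The check is read-only on purpose: writing the original RID back into F would remove the symptom but not the SYSTEM-level foothold that made the change possible, so a mismatch should start an incident rather than a repair.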
Detection and Mitigation
Detection centres on the SAM hive itself: enable object-access auditing on HKLM\SAM\SAM\Domains\Account\Users so that value writes appear as Security events (4657 and 4663), and periodically verify that the RID stored in each account's "F" value matches its key name. In the Security log, logon events (4624) whose target SID ends in -500 but whose account name is not the built-in Administrator (including its renamed form) deserve investigation, as do password changes and resets (4723, 4724) on accounts that should be dormant, such as Guest. Mitigation means denying the attacker the SYSTEM foothold the technique depends on: restrict PsExec-style remote execution and the SeImpersonatePrivilege abuse that Potato tools rely on, keep local administrator membership minimal, disable the Guest account and protect every remaining account with a strong password. Multi-factor authentication for all accounts, including low-privileged ones, raises the cost of the credential theft that usually starts the intrusion, but it does not stop the hijack once SYSTEM is held.
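Added example, not the report's own code: a PowerShell script that turns on auditing for the SAM user records and then hunts the Security log for writes to those records and for logons that carry RID 500 under a name other than the built-in Administrator. Enable-SamAudit must run as SYSTEM (psexec -s -i powershell.exe) because only SYSTEM can write the SACL on HKLM\SAM; the two hunt functions work from any elevated shell. The function names are this example's own, and the 4624 name/SID mismatch check assumes the hijacked account's logon event shows its own name next to a -500 SID, which is worth confirming in a lab before the rule goes into production.

```powershell
# Added example, not the report's own code: enable SAM auditing and hunt the Security log.
# Enable-SamAudit needs SYSTEM (psexec -s -i powershell.exe); the hunts need an elevated shell.
# Event IDs used: 4657 registry value modified, 4663 object access, 4624 successful logon.

function Enable-SamAudit {
    param([string]$Key = 'HKLM:\SAM\SAM\Domains\Account\Users')

    # The Object Access > Registry subcategory must be on, or the SACL is never evaluated.
    auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

    $acl  = Get-Acl -Path $Key -Audit
    $rule = [System.Security.AccessControl.RegistryAuditRule]::new(
        'Everyone',
        [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions',
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Key -AclObject $acl
}

# Flatten an event's EventData section into a hashtable keyed by field name.
function ConvertTo-EventData {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $data = @{}
    $xml  = [xml]$Event.ToXml()
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    return $data
}

function Get-SamWriteEvents {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4657, 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertTo-EventData $_
        if ($d.ObjectName -like '*\SAM\Domains\Account\Users*') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Subject = $d.SubjectUserName
                Process = $d.ProcessName
                Object  = $d.ObjectName
                Value   = $d.ObjectValueName   # present on 4657 only
            }
        }
    }
}

function Get-SuspiciousAdminLogons {
    param([int]$Hours = 24)
    # The built-in Administrator may be renamed; learn its current name instead of hard-coding it.
    $adminName = (Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }).Name
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertTo-EventData $_
        # A token carrying RID 500 under any other local account name is worth a look.
        if ($d.TargetUserSid -like 'S-1-5-21-*-500' -and $d.TargetUserName -ne $adminName) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Account   = $d.TargetUserName
                Sid       = $d.TargetUserSid
                LogonType = $d.LogonType
                Source    = $d.IpAddress
            }
        }
    }
}

Enable-SamAudit
Get-SamWriteEvents        | Format-Table -AutoSize
Get-SuspiciousAdminLogons | Format-Table -AutoSize
```

Legitimate SAM writes (password changes, account creation by the local account provider) also land in 4657/4663, so the useful signal is the writing process: an F value touched by reg.exe, PowerShell or an unknown binary rather than by lsass.exe is the event to alert on.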
Case Study: Andariel Group
The Andariel Group, a North Korean threat actor considered a subgroup of the Lazarus Group, has used RID hijacking in its intrusions, as reported by AhnLab's ASEC in January 2025. According to that reporting the group first obtains SYSTEM with tools such as PsExec or JuicyPotato, creates a low-privileged local account whose name ends in "$" so that it is hidden from casual account listings, adds it to the Administrators and Remote Desktop Users groups, and then rewrites its RID to 500 using custom malware or open-source tooling. The actor also exported the modified SAM registry keys so that the hidden administrator could be restored later if the account was removed. The case shows the technique doing exactly what it was designed for: long-term, low-visibility privileged access on a compromised host.
In conclusion, RID hijacking is a stealthy technique for keeping administrative access on a compromised Windows system once SYSTEM has been obtained. Understanding where the RID lives, what the attacker needs in order to change it, and which audit events and consistency checks expose the change is crucial for defending against it. The Andariel case provides a real-world example of how a sophisticated threat actor applies the technique.
Research
Historical Context
RID hijacking was published as a persistence technique in December 2017 and presented at DerbyCon 8 in 2018. It has since been used by threat actors, including the Andariel Group, to keep privileged access on compromised Windows systems.
Timeline
- 2017 (December): RID hijacking published as a Windows persistence technique, with a Metasploit post module released alongside the write-up.
- 2018: RID hijacking presented as a persistence technique at DerbyCon 8.
- 2025 (January): Andariel Group reported using RID hijacking to create a hidden local administrator, as documented by AhnLab and BleepingComputer.
Origin
RID hijacking is a Windows-specific technique that originated as public security research in 2017 rather than with any threat actor; it applies to any Windows host with a local SAM, whether domain-joined or not. It has since been adopted by threat actors including the Andariel Group, which is linked to North Korea's Lazarus Group.
Countries Targeted
- South Korea - Targeted by the Andariel Group, a North Korean threat actor, in the intrusions AhnLab reported.
- Other countries - The cited reporting documents no other targets for this campaign. The technique itself applies to any Windows host, so organizations anywhere that run Windows should consider it in scope.
Sectors Targeted
- Government - High-value targets for espionage and data theft.
- Financial - Targets for financial gain and disruption.
- Healthcare - Targets for sensitive data and potential disruption.
- Technology - Targets for intellectual property theft and disruption.
- Critical Infrastructure - Targets for disruption and potential sabotage.
Motivation
The primary motivation behind RID hijacking is to gain and maintain administrative privileges on compromised systems, allowing attackers to perform various malicious activities, including data theft, espionage, and disruption.
Threat Actors
- Lazarus Group - Linked to the Andariel Group, which uses RID hijacking in their attacks.
- Origin: North Korea
- Motivations: Espionage, financial gain, disruption
- Relationship: Andariel Group is a sub-group of Lazarus Group.
Similar Threat Actors
- APT38 - North Korean group known for financial attacks.
- Similarity: Both groups are linked to North Korea and use sophisticated techniques for financial gain and disruption.
- APT29 (Cozy Bear) - Russian group known for espionage.
- Similarity: Both groups use stealthy techniques for maintaining persistence and evading detection.
Counter Strategies
- Monitoring and Detection - Audit writes to the SAM user keys, verify that each account's stored RID matches its key name, and review logon (4624) and password-change (4723, 4724) events for accounts that should be dormant.
- Actionable Takeaways: Implement continuous monitoring and alerting for Security events that touch HKLM\SAM\SAM\Domains\Account\Users and for -500 logons under unexpected account names.
- Restricting Tool Execution - Restrict the execution of tools like PsExec and JuicyPotato that provide the SYSTEM foothold the technique requires.
- Actionable Takeaways: Use application control to block unapproved copies of PsExec and Potato-family tools, and remove SeImpersonatePrivilege from service accounts that do not need it.
- Multi-Factor Authentication - Implement multi-factor authentication for all accounts, including low-privileged ones.
- Actionable Takeaways: MFA raises the cost of stealing the credentials that start the intrusion; it does not prevent the hijack itself once SYSTEM is obtained, so pair it with the monitoring above.
Forecast
Short-Term Forecast (3-6 months)
- Increased Use of RID Hijacking by Nation-State Actors
- Detailed analysis: Nation-state actors, particularly those linked to North Korea such as the Andariel Group, will continue to use RID hijacking to keep privileged access on compromised systems. Its low visibility makes it attractive to actors aiming to evade detection and retain long-term access to targeted networks.
- Enhanced Detection and Mitigation Efforts by Organizations
- Detailed analysis: Organizations will increasingly adopt monitoring that targets the technique directly: auditing writes to the SAM user keys, verifying stored RIDs against key names, reviewing logon and password-change events in the Security log, and restricting tools like PsExec and JuicyPotato that provide the SYSTEM foothold.
- Development of New Tools and Techniques for RID Hijacking
- Detailed analysis: Researchers and threat actors alike will refine tooling for RID hijacking, including custom malware and open-source utilities that modify the Security Account Manager (SAM) hive and hide or restore the hijacked account.
Long-Term Forecast (12-24 months)
- Widespread Adoption of Multi-Factor Authentication (MFA)
- Detailed analysis: As organizations recognize the risks associated with RID hijacking, there will be a continued push towards multi-factor authentication (MFA) for all accounts, including low-privileged ones. MFA reduces the credential theft that typically starts an intrusion; it does not block the hijack itself, which needs SYSTEM rather than a password, so it must be paired with SAM auditing and local-administrator hardening.
- Increased Collaboration Between Cybersecurity Firms and Government Agencies
- Detailed analysis: To combat the growing threat of RID hijacking and other sophisticated cyber attacks, there will be increased collaboration between cybersecurity firms and government agencies. This collaboration will focus on sharing threat intelligence, developing new detection and mitigation strategies, and conducting joint investigations into major cyber incidents.
Future Considerations
Important Considerations
- Focus on Advanced Persistent Threats (APTs)
- Detailed analysis: Tracking and understanding the tactics, techniques, and procedures (TTPs) of advanced persistent threats (APTs) like the Andariel Group will be crucial. These groups are more likely to use sophisticated techniques like RID hijacking, and understanding their behavior can help in developing effective countermeasures.
- Investment in Cybersecurity Training and Awareness
- Detailed analysis: Organizations should invest in cybersecurity training and awareness programs to educate employees about the risks of RID hijacking and other cyber threats. This includes training on recognizing phishing attempts, securing privileged accounts, and following best practices for system security.
Less Important Considerations
- Focus on Legacy Systems
- Detailed analysis: While securing legacy systems is important, the primary focus should be on modern systems that are more likely to be targeted by sophisticated threat actors. Legacy systems should still be monitored and secured, but the emphasis should be on current and widely-used systems.
- General Cyber Hygiene Practices
- Detailed analysis: While general cyber hygiene practices are important, they should be complemented with specific measures to detect and mitigate RID hijacking. This includes monitoring for unauthorized access to the SAM registry and restricting the use of known tools used for privilege escalation.
Further Research
Breaches and Case Studies
- Andariel Group Intrusions - reported January 2025
- Description: The Andariel Group used RID hijacking to give a hidden local account administrative rights and to keep that access on compromised systems.
- Actionable Takeaways: Implement specific countermeasures to defend against known tactics used by the Andariel Group, in particular SAM auditing and restrictions on the tools used to reach SYSTEM.
Followup Research Questions
- What are the latest tools and techniques used by threat actors to perform RID hijacking?
- How can organizations enhance their detection capabilities to identify RID hijacking attempts?
- What are the most effective mitigation strategies to prevent RID hijacking?
- Are there any recent case studies of RID hijacking being used in targeted attacks?
Recommendations, Actions and Next Steps
- Implement Continuous Monitoring - Audit the SAM user keys, alert on Security events 4657 and 4663 that touch them, verify stored RIDs against key names, and review logon and password-change events for dormant accounts.
- Restrict Tool Execution - Implement application whitelisting and restrict the use of known tools like PsExec and JuicyPotato.
- Enhance Account Security - Implement multi-factor authentication for all accounts, including low-privileged ones, and disable the Guest account.
- Conduct Regular Security Audits - Perform regular security audits to identify and address potential vulnerabilities that could be exploited for RID hijacking.
APPENDIX
References and Citations
- (2017-12-13) Sebastián Castro, r4wd3r.com - RID Hijacking on Windows
- (2025-01-23) AhnLab ASEC - RID Hijacking Technique Utilized by Andariel Attack Group
- (2025-01-24) BleepingComputer - Hackers use Windows RID hijacking to create hidden admin account
Mitre ATTACK TTPs
- T1098 - Account Manipulation (the SAM record of an existing account is altered)
- T1112 - Modify Registry (the RID is written into the SAM hive)
- T1136.001 - Create Account: Local Account (the hidden "$" account in the Andariel case)
- T1078.003 - Valid Accounts: Local Accounts
- T1134.005 - Access Token Manipulation: SID-History Injection (a related domain-side technique, not the one used here)
Mitre ATTACK Mitigations
- M1026 - Privileged Account Management
- M1047 - Audit
- M1030 - Network Segmentation
- M1042 - Disable or Remove Feature or Program
AlphaHunt
This baseline report was researched automatically in about 5 minutes and is meant as a rough draft for an analyst to enhance with their own insights.
(c) 2025 CSIRT Gadgets, LLC
License - CC BY-SA 4.0