RID Hijacking: A Stealthy Privilege Escalation Technique Exploited by Andariel Group
RID (Relative Identifier) hijacking is a sophisticated post-exploitation technique used by attackers to escalate privileges on compromised Windows systems.
TL;DR
- Mechanism of RID Hijacking: RID hijacking involves changing the RID of a low-privileged account to that of a high-privileged account.
- Exploitation Methods: Attackers require SYSTEM level privileges to modify the SAM registry and perform RID hijacking.
- Detection Techniques: Monitoring for unauthorized access and changes to the SAM registry.
- Mitigation Strategies: Implementing multi-factor authentication for all accounts and restricting the execution of tools such as PsExec and JuicyPotato.
- Case Study - Andariel Group: The Andariel Group, linked to North Korea's Lazarus Group, has used RID hijacking in its attacks.
- Stealth and Persistence: RID hijacking allows attackers to maintain persistence without creating new accounts.
- Historical Context: RID hijacking has been known since at least 2018 when it was presented as a persistence technique at DerbyCon 8.
Research Summary
RID (Relative Identifier) hijacking is a sophisticated post-exploitation technique used by attackers to escalate privileges on compromised Windows systems. This method involves manipulating the RID, a component of the Security Identifier (SID) that uniquely identifies user and group accounts within a Windows domain. By changing the RID of a low-privileged account to match that of a high-privileged account, such as the local Administrator, attackers can trick the system into granting administrative privileges to the low-privileged account. This technique is particularly stealthy and allows attackers to maintain persistence without creating new accounts or directly modifying existing high-privileged accounts.
Exploitation Methods
The exploitation process of RID hijacking requires SYSTEM level privileges to modify the Security Account Manager (SAM) registry. Attackers typically gain initial access through vulnerabilities or tools like PsExec and JuicyPotato to launch a SYSTEM-level command prompt. Once SYSTEM access is achieved, the attacker can modify the RID of a low-privileged account to that of an administrator account, effectively elevating its privileges. This method is stealthy as it does not create new accounts or modify existing high-privileged accounts directly, making it harder to detect.
Detection and Mitigation
Detection and mitigation of RID hijacking involve monitoring for unauthorized access and changes to the SAM registry, restricting the execution of tools like PsExec and JuicyPotato, and implementing multi-factor authentication for all accounts, including low-privileged ones. Additionally, using the Local Security Authority (LSA) Subsystem Service to check for logon attempts and password changes can help identify suspicious activities. Disabling the Guest account and protecting all existing accounts with strong passwords are also recommended measures.
Case Study: Andariel Group
The Andariel Group, a North Korean threat actor linked to the Lazarus Group, has been known to leverage RID hijacking in their attacks. They use custom malware and open-source tools to perform the hijacking, often creating hidden low-privileged accounts and then elevating their privileges through RID hijacking. This method allows them to maintain persistence and evade detection by security systems. The Andariel Group's use of RID hijacking highlights the effectiveness and stealth of this technique in real-world attacks.
In conclusion, RID hijacking is a powerful and stealthy technique used by attackers to escalate privileges and maintain persistence on compromised Windows systems. Understanding its mechanisms, exploitation methods, detection techniques, and mitigation strategies is crucial for defending against such attacks. The case study of the Andariel Group provides a real-world example of how this technique is used by sophisticated threat actors.
Research
Historical Context
RID hijacking has been known since at least 2018 when it was presented as a persistence technique at DerbyCon 8. It has been used by various threat actors, including the Andariel Group, to escalate privileges and maintain persistence on compromised Windows systems.
Timeline
- 2018: RID hijacking presented as a persistence technique at DerbyCon 8.
- 2025: Andariel Group uses RID hijacking in attacks, as reported by AhnLab and BleepingComputer.
Origin
RID hijacking is a technique used in Windows environments. It has been leveraged by various threat actors, including the Andariel Group, which is linked to North Korea's Lazarus Group.
Countries Targeted
- South Korea - Targeted by the Andariel Group, a North Korean threat actor.
- United States - Potential target due to the widespread use of Windows systems.
- Other countries - Any country with significant use of Windows systems could be targeted.
Sectors Targeted
- Government - High-value targets for espionage and data theft.
- Financial - Targets for financial gain and disruption.
- Healthcare - Targets for sensitive data and potential disruption.
- Technology - Targets for intellectual property theft and disruption.
- Critical Infrastructure - Targets for disruption and potential sabotage.
Motivation
The primary motivation behind RID hijacking is to gain and maintain administrative privileges on compromised systems, allowing attackers to perform various malicious activities, including data theft, espionage, and disruption.
Threat Actors
- Lazarus Group - Linked to the Andariel Group, which uses RID hijacking in their attacks.
  - Origin: North Korea
  - Motivations: Espionage, financial gain, disruption
  - Relationship: Andariel Group is a sub-group of Lazarus Group.
Similar Threat Actors
- APT38 - North Korean group known for financial attacks.
  - Similarity: Both groups are linked to North Korea and use sophisticated techniques for financial gain and disruption.
- APT29 (Cozy Bear) - Russian group known for espionage.
  - Similarity: Both groups use stealthy techniques for maintaining persistence and evading detection.
Counter Strategies
- Monitoring and Detection - Use LSA Subsystem Service to check for logon attempts and password changes, and monitor for unauthorized access and changes to the SAM registry.
  - Actionable Takeaways: Implement continuous monitoring and alerting for suspicious activities related to RID hijacking.
- Restricting Tool Execution - Restrict the execution of tools like PsExec and JuicyPotato.
  - Actionable Takeaways: Implement application whitelisting and restrict the use of known tools used for privilege escalation.
- Multi-Factor Authentication - Implement multi-factor authentication for all accounts, including low-privileged ones.
  - Actionable Takeaways: Enhance account security by requiring multiple forms of authentication.
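The "Detection and Mitigation" section and the Monitoring and Detection counter strategy above both recommend checking the SAM registry for tampering. The PowerShell audit below is an added example, not code from the article or from AhnLab, that implements that check: each local account's key under HKLM\SAM\SAM\Domains\Account\Users is named after its RID, and the same RID is stored at offset 0x30 of the key's binary F value, so a key whose name and stored RID disagree is the tell-tale of RID hijacking. It assumes it runs in a SYSTEM context, since the SAM hive is not readable by ordinary administrators; the account-name lookup via Get-LocalUser is best-effort.

```powershell
#Requires -RunAsAdministrator
# Added example: audit the local SAM for RID hijacking (run in a SYSTEM context,
# e.g. from a scheduled task that runs as SYSTEM; the hive is SYSTEM-readable only).
# Each account key is named by its RID as 8 hex digits; the F value stores the RID
# as a little-endian UInt32 at offset 0x30. RID hijacking rewrites those bytes.

$usersKey = 'HKLM:\SAM\SAM\Domains\Account\Users'
$findings = @()

Get-ChildItem -Path $usersKey -ErrorAction Stop |
    Where-Object { $_.PSChildName -match '^[0-9A-Fa-f]{8}$' } |   # skip the 'Names' subkey
    ForEach-Object {
        $keyRid = [Convert]::ToUInt32($_.PSChildName, 16)
        $f = (Get-ItemProperty -Path $_.PSPath -Name F).F          # REG_BINARY -> byte[]
        if ($f.Length -lt 0x34) { return }                         # truncated F: skip
        $storedRid = [BitConverter]::ToUInt32($f, 0x30)

        # Best-effort name lookup: the local user whose SID ends with the key's RID
        $name = (Get-LocalUser -ErrorAction SilentlyContinue |
                 Where-Object { $_.SID.Value -like "*-$keyRid" } |
                 Select-Object -First 1).Name

        $findings += [pscustomobject]@{
            Account   = if ($name) { $name } else { '<unknown>' }
            KeyRID    = $keyRid
            StoredRID = $storedRid
            Hijacked  = ($keyRid -ne $storedRid)   # mismatch = RID has been rewritten
        }
    }

$findings | Format-Table -AutoSize
$suspicious = @($findings | Where-Object Hijacked)
if ($suspicious.Count -gt 0) {
    Write-Warning ("RID mismatch on {0} account(s): {1}" -f $suspicious.Count,
                   (($suspicious | ForEach-Object Account) -join ', '))
    exit 1    # non-zero exit lets a monitoring job raise an alert
}
```

A hijacked low-privileged account typically shows its own RID in the key name and the Administrator RID (500) in StoredRID; schedule the script and alert on a non-zero exit code.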
Recommendations, Actions, Suggested Pivots, Forecasts and Next Steps
(Subscribers Only)