One Article Review

Home - The article:
Source Techworm
Identifier 8642525
Publication date 2025-01-25 20:07:25 (viewed: 2025-01-25 14:53:38)
Title Hackers Using RID Hijacking To Create Admin Accounts In Windows
Text Cybersecurity researchers at AhnLab have discovered that a North Korean threat group uses malicious files to hijack RIDs and grant admin access to low-privilege Windows accounts. According to researchers at ASEC, AhnLab's security intelligence center, the hacking group behind the attack is the “Andariel” threat group, linked to North Korea's Lazarus hacker group.

“RID Hijacking is an attack technique that involves modifying the RID value of an account with low privileges, such as a regular user or a guest account, to match the RID value of an account with higher privileges (Administrator). By modifying the RID value, threat actors can deceive the system into treating the account as having administrator privileges,” AhnLab wrote in a blog post published on Thursday.

In Windows, a Relative Identifier (RID) is the part of a Security Identifier (SID) that distinguishes each individual user and group within a domain. For instance, the built-in Administrator account has a RID of 500, the Guest account has 501, the Domain Admins group has 512, and regular users are assigned RIDs starting from 1000.

In a RID hijacking attack, hackers change the RID of a low-privilege account to the same value as an administrator account. As a result, Windows grants administrative privileges to that account. However, to pull this off, attackers need write access to the SAM (Security Account Manager) registry hive, which means they must already have SYSTEM-level access to the targeted machine. Attackers typically use tools such as PsExec and JuicyPotato to escalate their privileges and launch a SYSTEM-level command prompt. While SYSTEM is the highest privilege in Windows, it has certain limitations: it does not allow remote access, cannot interact with GUI apps, generates noisy activity that is easily detected, and does not persist after a system reboot.

To work around these issues, Andariel first created a hidden, low-privilege local user account by appending a “$” character to its username. This made the account invisible in regular listings but still accessible in the SAM registry. The attackers then carried out RID hijacking to escalate the account's privileges to the administrator level. According to the researchers, Andariel added the modified account to the Remote Desktop Users and Administrators groups, giving them more control over the system. The group tweaked the SAM registry using custom malware and an open-source tool to execute the RID hijacking. Although SYSTEM access would allow the direct creation of administrator accounts, this method is less conspicuous, making it harder to detect and prevent. To avoid detection, Andariel also exported and backed up the modified registry settings, deleted the rogue account, and restored it later from the backup when needed, bypassing system logs and making detection even harder.

To reduce the risk of RID hijacking, system administrators should implement proactive measures such as:
- Use the Local Security Authority (LSA) Subsystem Service to monitor unusual login attempts and password changes.
- Prevent unauthorized access to the SAM registry.
- Restrict the use of tools like PsExec and JuicyPotato.
- Disable guest accounts.
- Enforce multi-factor authentication (MFA) for all user accounts, including low-privileged ones.
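As an added illustration of the account-inventory check the article's mitigations point to (this is example code, not from the article or from AhnLab), the Python below parses SID strings, extracts the RID, classifies it against the well-known values named above, and flags the two signals described: a local account whose name ends in “$” and two accounts that resolve to the same RID. The account list is a constructed sample; on a real host it would be collected from the local user inventory, which is outside this block.

```python
import re
from collections import Counter

# Well-known RIDs named in the article; ordinary accounts start at 1000.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins"}
FIRST_USER_RID = 1000

# S-1-<authority>-<subauthority>... ; the last sub-authority is the RID.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def rid_of(sid: str) -> int:
    """Return the Relative Identifier (last sub-authority) of a SID string."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    return int(sid.rsplit("-", 1)[1])


def describe_rid(rid: int) -> str:
    """Map a RID to the category the article describes."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "ordinary user" if rid >= FIRST_USER_RID else "other built-in"


def audit_accounts(accounts):
    """accounts: iterable of (name, sid). Returns {name: [findings]} for suspicious ones."""
    accounts = list(accounts)
    rid_count = Counter(rid_of(sid) for _, sid in accounts)
    findings = {}
    for name, sid in accounts:
        rid = rid_of(sid)
        notes = []
        if name.endswith("$"):
            notes.append("hidden account: name ends in '$'")
        if rid_count[rid] > 1:
            # Two distinct local accounts must never share a RID; a second
            # account resolving to 500 is the RID hijacking signature.
            notes.append(f"RID {rid} ({describe_rid(rid)}) shared by more than one account")
        if notes:
            findings[name] = notes
    return findings


# Constructed sample inventory: the last entry models a hidden "$" account
# whose RID has been rewritten to that of the built-in Administrator.
SAMPLE_ACCOUNTS = [
    ("Administrator", "S-1-5-21-1111-2222-3333-500"),
    ("Guest", "S-1-5-21-1111-2222-3333-501"),
    ("alice", "S-1-5-21-1111-2222-3333-1001"),
    ("svc_backup$", "S-1-5-21-1111-2222-3333-500"),
]

if __name__ == "__main__":
    for name, notes in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(name, "->", "; ".join(notes))
```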
Notes ★★
Sent Yes
Tags Malware Tool Threat
Stories APT 38 APT 45


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.