North Korean Hackers Exploit Windows Flaw to Create Stealth Admin Access

North Korean Hackers Exploit RID Hijacking to Bypass Windows Security

A sophisticated cyber attack technique known as RID (Relative Identifier) hijacking has been deployed by Andariel, a North Korean threat group linked to the notorious Lazarus hackers. This method enables attackers to elevate low-privileged Windows accounts to administrator status by manipulating system identifiers.

Understanding RID Hijacking
Windows identifies each user account by a unique Security Identifier (SID); the RID is the final component of that SID and is what the operating system uses to tell built-in accounts apart. The built-in Administrator account has RID “500,” the Guest account “501,” and regular user accounts start at “1000.” RID hijacking modifies the RID stored for a low-privileged account in the SAM registry hive so that Windows treats that account as the built-in Administrator when it logs on, granting it elevated privileges.

Attack Methodology
The attack sequence involves:
1. Gaining initial SYSTEM access through vulnerability exploitation
2. Creating hidden user accounts marked with ‘$’
3. Modifying the SAM registry to perform RID hijacking
4. Adding compromised accounts to administrative groups
5. Covering tracks through registry manipulation

Andariel’s implementation combines custom malware with open-source tools to execute these changes. The group employs sophisticated techniques to maintain stealth, including registry backup manipulation to avoid detection in system logs.

Security Recommendations
To protect against RID hijacking attacks, organizations should:
– Monitor logon events generated by the LSA Subsystem Service (lsass)
– Restrict access to the SAM registry hive
– Restrict usage of tools like PsExec and JuicyPotato
– Implement multi-factor authentication
– Disable guest accounts
– Monitor privileged account creation
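As an added defensive check that is not part of the original article, the PowerShell script below audits a local machine for the two artifacts described above: hidden accounts whose names end in “$”, and SAM user keys whose stored RID no longer matches the RID Windows assigned. It assumes it runs as SYSTEM (for example from a scheduled task), because the SAM hive keys are not readable by administrators by default, and that the RID is stored at offset 0x30 of each user key's F value, which is the location RID hijacking tooling overwrites.

```powershell
# Added example: audit local accounts for RID hijacking indicators.
# Assumptions: runs as SYSTEM; F value holds the RID at offset 0x30 (4 bytes, little-endian).

function Find-HiddenLocalAccounts {
    # Accounts created with a trailing '$' are hidden from some listings; surface them.
    Get-LocalUser | Where-Object { $_.Name -like '*$' } |
        Select-Object Name, SID, Enabled, LastLogon
}

function Find-RidMismatch {
    $usersKey = 'HKLM:\SAM\SAM\Domains\Account\Users'
    $findings = @()
    foreach ($key in Get-ChildItem -Path $usersKey -ErrorAction Stop) {
        $name = $key.PSChildName
        if ($name -eq 'Names') { continue }          # 'Names' maps usernames to RIDs, not a user key
        $keyRid = [Convert]::ToUInt32($name, 16)     # key name is the assigned RID in hex, e.g. 000003E9
        $f = (Get-ItemProperty -Path $key.PSPath -Name F -ErrorAction Stop).F
        if ($f.Length -lt 0x34) { continue }         # malformed or truncated F value; skip
        $storedRid = [BitConverter]::ToUInt32($f, 0x30)
        if ($storedRid -ne $keyRid) {
            $findings += [pscustomobject]@{
                KeyRid    = $keyRid
                StoredRid = $storedRid
                Note      = 'RID inside F value differs from key RID (possible hijack)'
            }
        }
    }
    $findings
}

# Run both checks and report; an empty result from Find-RidMismatch is the expected healthy state.
Write-Host '== Accounts with a trailing $ =='
Find-HiddenLocalAccounts | Format-Table -AutoSize
Write-Host '== SAM user keys with mismatched RIDs =='
Find-RidMismatch | Format-Table -AutoSize
```

A hit from Find-RidMismatch showing StoredRid 500 on a key whose RID is 1000 or higher is the signature of the technique described above and warrants incident response rather than a simple cleanup, since the attacker already had SYSTEM access to make the change.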

This attack technique, first documented in 2018, demonstrates the evolving sophistication of state-sponsored cyber threats and the importance of robust security measures.
