
Hackers Exploit Windows RID Hijacking to Create Hidden Admin Accounts

By WIRE TOR - Ethical Hacking Services. Published 12 months ago. 3 min read.

Hackers are utilizing a stealthy technique known as Relative Identifier (RID) hijacking to turn low-privileged Windows accounts into hidden administrator accounts. This method, recently linked to a North Korean hacking group, enables attackers to gain elevated access on compromised systems while evading detection.

What Is RID Hijacking?

The RID is the final component of a Windows Security Identifier (SID), the unique tag Windows assigns to every account. Certain RID values are reserved for specific account types, such as:

  • 500: Administrator accounts
  • 501: Guest accounts
  • 1000 and above: Standard user accounts

In RID hijacking, attackers modify the RID of a low-privileged account to match that of an administrator account. As a result, Windows treats the lower-privileged account as having administrative permissions. However, to execute RID hijacking, hackers must first gain access to the Security Account Manager (SAM) registry, which requires elevated SYSTEM privileges.

The Attack Process

The attack, attributed to the North Korean Andariel threat group (a subgroup of the Lazarus hacking organization), starts with gaining SYSTEM-level access through vulnerabilities or tools like PsExec and JuicyPotato. SYSTEM access, although the highest privilege on Windows, is noisy, lacks persistence, and has limited remote capabilities.

To circumvent these limitations, the attackers take the following steps:

Create a Hidden Account: They use the "net user" command to create a local account with a "$" suffix, ensuring it remains hidden in standard user lists.

Perform RID Hijacking: The attackers modify the SAM registry to assign the hidden account an administrator-level RID.

Elevate Permissions: The account is added to the Remote Desktop Users and Administrators groups for enhanced functionality.

Cover Tracks: Attackers export the modified registry, delete the rogue account and registry keys, and save a backup for reactivation without leaving traces in system logs.

Tools Used

Andariel employs a combination of custom malware and open-source tools to perform RID hijacking. While SYSTEM access allows the creation of admin accounts directly, modifying the RID of a low-privileged account is stealthier and more difficult to detect.

Impact of the Attack

RID hijacking grants attackers admin-level access, allowing them to:

  • Bypass traditional security measures.
  • Execute malicious actions under the guise of a legitimate user.
  • Maintain persistence even after system reboots.

The attack poses a significant risk, particularly for organizations with inadequate registry protections and weak monitoring protocols.

Preventing RID Hijacking

System administrators can mitigate the risks of RID hijacking by implementing the following measures:

  • Strengthen Account Security: Disable Guest accounts and enforce multi-factor authentication (MFA) on all user accounts, including low-privileged ones.
  • Restrict Vulnerable Tools: Block the execution of tools like PsExec and JuicyPotato that attackers commonly use for privilege escalation.
  • Secure the SAM Registry: Limit access to the SAM registry and enable logging for unauthorized changes.
  • Monitor LSA Events: Use the Local Security Authority (LSA) Subsystem Service to track logon attempts, registry modifications, and password changes.
  • Employ Advanced Threat Detection: Deploy endpoint detection and response (EDR) tools to identify unusual registry activity and privilege escalation attempts.
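The check below is an added example, not code from the article or from any tool it names. It covers both the RID ranges described earlier and the "unusual registry activity" a defender would look for: each local account lives under a SAM subkey named after its RID in hex, and its F value carries the RID again, so a subkey whose name and stored RID disagree is a hijacking indicator. The F-value layout (RID stored as a little-endian DWORD at offset 0x30) and the sample hive contents are assumptions; on a live host the F values must be read from HKLM\SAM\SAM\Domains\Account\Users as SYSTEM or from an exported hive.

```python
import struct

# Well-known RIDs named in the article (constructed lookup table).
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}

# Assumption: offset of the RID DWORD inside a SAM user's F value.
F_RID_OFFSET = 0x30


def rid_from_sid(sid: str) -> int:
    """Return the last sub-authority (the RID) of a textual SID such as S-1-5-21-...-1001."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid}")
    return int(parts[-1])


def classify_rid(rid: int) -> str:
    """Map a RID to the account class described in the article."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "standard user" if rid >= 1000 else "built-in/reserved"


def rid_in_f_value(f_value: bytes) -> int:
    """Extract the RID that the F value claims for this account."""
    return struct.unpack_from("<I", f_value, F_RID_OFFSET)[0]


def find_hijacked(users: dict) -> list:
    """users maps the SAM subkey name (hex RID, e.g. '000003E9') to its F value.
    Returns (subkey, rid_from_key_name, rid_in_f) for every mismatch."""
    findings = []
    for key, f_value in users.items():
        expected = int(key, 16)
        stored = rid_in_f_value(f_value)
        if stored != expected:
            findings.append((key, expected, stored))
    return findings


def make_f(rid: int) -> bytes:
    """Constructed minimal F value: zeros with only the RID field populated."""
    buf = bytearray(F_RID_OFFSET + 4)
    struct.pack_into("<I", buf, F_RID_OFFSET, rid)
    return bytes(buf)


# Constructed sample hive: the third account claims RID 500 under a 1002 subkey.
SAMPLE_USERS = {
    "000001F4": make_f(500),
    "000003E9": make_f(1001),
    "000003EA": make_f(500),
}
```

Running `find_hijacked(SAMPLE_USERS)` flags `000003EA`, the subkey whose stored RID (500) does not match its name (1002); a clean hive returns an empty list.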

A Known Technique

RID hijacking is not a new concept; it was first demonstrated in 2018 by cybersecurity researcher Sebastián Castro at DerbyCon 8 as a Windows persistence technique. However, the resurgence of this method by advanced threat actors highlights the importance of securing Windows systems against this evolving threat.

Conclusion

As cybersecurity threats become more sophisticated, RID hijacking serves as a reminder of the vulnerabilities inherent in even trusted operating systems like Windows. Organizations must proactively implement robust security measures, including MFA, registry protection, and monitoring tools, to safeguard their systems against such stealthy attacks. By addressing these vulnerabilities and enhancing their defenses, companies can better protect their digital infrastructure from adversaries seeking to exploit hidden weaknesses.


About the Creator

WIRE TOR - Ethical Hacking Services

WIRE TOR is a Cyber Intelligence Company that Provides Pentest & Cybersecurity News About IT, Web, Mobile (iOS, Android), API, Cloud, IoT, Network, Application, System, Red teaming, Social Engineering, Wireless, And Source Code.
