RID Hijacking: A Key Technique in Andariel's Cyber Attacks

Summary

The Andariel attack group has been observed employing RID Hijacking as a sophisticated technique to escalate privileges and maintain persistence during breaches. This method involves altering the Relative Identifier (RID) of low-privilege accounts to mimic high-privilege accounts, such as administrators, by manipulating the Windows SAM registry. The attackers gain SYSTEM privileges using tools like PsExec, create hidden accounts, and modify registry keys to obscure their presence. They further extract and reapply registry data to minimize detection, leveraging both custom and open-source tools to adapt to specific environments and evade behavior-based detection mechanisms.

RID Hijacking is a privilege escalation technique where attackers modify the Relative Identifier (RID) of a low-privilege account to match that of a high-privilege account, like an administrator. This tricks the system into granting elevated access. The process involves creating or activating an account, altering its RID in the SAM database, and leveraging it for admin-level access. Detection is difficult as the modified accounts often remain hidden from standard monitoring tools.

Technical Detail

Attack Process

  1. Gaining SYSTEM Privileges: Attackers require SYSTEM-level privileges to access and modify the SAM registry, which they achieve using tools like PsExec or JuicyPotato. For example, Andariel used PsExec to execute malicious files with SYSTEM privileges, enabling them to manipulate the SAM registry.

  2. Creating a Hidden Account: Attackers create new accounts or use existing ones. They often hide these accounts by appending a $ to the username during creation. Such accounts are not listed by common commands like net user but can still be found in the SAM registry. Once created, the account is added to the Remote Desktop Users and Administrators groups, enabling remote access via RDP.

  3. Modifying the RID in the Registry: Attackers locate user account information in the SAM registry under the path HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users. The RID is stored in little-endian format at a specific offset within the F value of each account key. By replacing the RID of the created account with that of an administrator, the system treats the account as having elevated privileges.

Tools and Techniques Used

  1. Malicious Files: Andariel used custom malicious files and an open-source tool called CreateHiddenAccount to execute RID Hijacking. Both tools automate the process but differ slightly in implementation.

    • Custom File: Performs tasks like creating accounts, modifying RIDs, and exporting registry keys while maintaining persistence.

    • CreateHiddenAccount: Uses regini.exe (a Windows CLI tool) to modify SAM registry permissions, enabling registry access with administrator privileges instead of requiring SYSTEM-level access.

  2. Registry Manipulation for Stealth: Attackers extract and delete registry keys associated with the created account using commands like reg export. This makes the account harder to detect in system-level account lists. However, upon system reboot, the account may reappear in tools like "Local Users and Groups".

Recommendation

We have listed some essential cybersecurity best practices that form the first line of defense against this technique. We recommend that our readers follow the best practices given below:

• Regularly monitor the SAM registry for unauthorized modifications, especially to RID values. Use tools that detect unusual registry activity and generate alerts for potential privilege escalation attempts.

• Limit access to tools like PsExec and JuicyPotato and implement application whitelisting to prevent unauthorized execution of such tools. This reduces the attack surface for obtaining SYSTEM privileges.

• Regularly review user accounts for anomalies, such as hidden or unused accounts, and disable or remove them. Use group policies to enforce strict access controls and disable guest accounts to minimize risk.
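One way to implement the first recommendation above, as an added example that is not part of the original article: a Python check that compares the RID each user subkey is named after with the RID embedded in that key's F value, since a hijacked account is exactly one where the two disagree. It assumes the 4-byte little-endian RID sits at offset 0x30 of the F value, and it runs here on constructed sample data rather than a live hive.

```python
import struct

RID_OFFSET = 0x30  # assumed offset of the little-endian DWORD RID inside the SAM "F" value
ADMIN_RID = 500    # RID of the built-in Administrator account


def f_value_rid(f_value: bytes) -> int:
    """Return the RID stored inside a user key's F value."""
    if len(f_value) < RID_OFFSET + 4:
        raise ValueError("F value too short to contain a RID field")
    return struct.unpack_from("<I", f_value, RID_OFFSET)[0]


def key_name_rid(key_name: str) -> int:
    """Subkeys under SAM\\Domains\\Account\\Users are named with the RID as 8 hex digits."""
    return int(key_name, 16)


def find_rid_mismatches(users: dict) -> list:
    """users maps subkey name -> raw F value bytes.

    Returns (key_name, key_rid, f_rid) for every account whose embedded RID no
    longer matches the RID in its own key name, the signature of RID hijacking.
    """
    findings = []
    for name, f_value in users.items():
        k_rid, f_rid = key_name_rid(name), f_value_rid(f_value)
        if k_rid != f_rid:
            findings.append((name, k_rid, f_rid))
    return findings


def make_f_value(rid: int, length: int = 0x50) -> bytes:
    """Build a constructed F value for testing: zero-filled except for the RID field."""
    buf = bytearray(length)
    struct.pack_into("<I", buf, RID_OFFSET, rid)
    return bytes(buf)


# Constructed sample hive contents: built-in Administrator (500), a normal user
# (1000), and a hijacked account whose key says 1001 but whose F value claims 500.
SAMPLE_USERS = {
    "000001F4": make_f_value(ADMIN_RID),
    "000003E8": make_f_value(1000),
    "000003E9": make_f_value(ADMIN_RID),
}

if __name__ == "__main__":
    for name, key_rid, f_rid in find_rid_mismatches(SAMPLE_USERS):
        print(f"RID mismatch in {name}: key RID {key_rid}, F-value RID {f_rid}")
```

On a real host the F values would be read from an offline SAM hive copy or with SYSTEM rights, and any mismatch should be alerted on alongside account names ending in $.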

Conclusion

The RID Hijacking attack is a stealthy privilege escalation technique that exploits the SAM registry to grant low-privilege accounts administrator access. By manipulating RIDs and hiding malicious accounts, attackers can bypass traditional detection methods and maintain persistence. Its stealth and the level of privilege it grants make this technique a serious concern for defenders and for its intended victims.

Written by FPT Metrodata Indonesia