Hackers use Windows RID hijacking to create hidden admin account

Summary: A North Korean threat group, Andariel, has been employing RID hijacking to manipulate Windows user account permissions, allowing low-privileged accounts to gain administrator access. This technique involves modifying the Relative Identifier (RID) in the Security Account Manager (SAM) registry, enabling stealthy attacks that evade detection. Researchers from AhnLab have detailed the methods used by Andariel, highlighting the importance of robust security measures to mitigate such threats.

Threat Actor: Andariel
Victim: Various Windows systems

Key points:

  • Andariel uses RID hijacking to elevate low-privileged accounts to administrator status by modifying the RID in the SAM registry.
  • The attack requires initial SYSTEM access, often gained through exploiting vulnerabilities and using tools like PsExec and JuicyPotato.
  • To evade detection, Andariel creates hidden accounts and manipulates registry settings, necessitating strong security practices to mitigate risks.
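
The first key point is what a defender can check for directly: every user key under SAM\SAM\Domains\Account\Users is named after the account's hex RID, and the account's binary F value carries its own copy of the RID, so the two must agree. The following is an added detection example, not code from the article or from AhnLab; it assumes the documented F-value layout (4-byte little-endian RID at offset 0x30) and works on constructed sample values rather than reading the live hive.

```python
import struct

# Offset of the 4-byte little-endian RID inside a SAM user's "F" value (assumed layout).
RID_OFFSET = 0x30
BUILTIN_ADMIN_RID = 500  # well-known RID of the built-in Administrator account


def embedded_rid(f_value: bytes) -> int:
    """Return the RID that an account's F value claims for itself."""
    if len(f_value) < RID_OFFSET + 4:
        raise ValueError("F value too short to contain a RID field")
    return struct.unpack_from("<I", f_value, RID_OFFSET)[0]


def find_rid_hijacks(users: dict) -> list:
    """users maps SAM user-key names (hex RID, e.g. '000003F0') to F value bytes.

    Returns (key_name, rid_from_key_name, rid_embedded_in_f) for every account
    whose embedded RID disagrees with its key name. A low-privileged account that
    has been hijacked to RID 500 shows up here as (key, <its real RID>, 500).
    """
    findings = []
    for key_name, f_value in users.items():
        key_rid = int(key_name, 16)
        rid = embedded_rid(f_value)
        if rid != key_rid:
            findings.append((key_name, key_rid, rid))
    return findings


def make_f_value(rid: int) -> bytes:
    """Build a minimal synthetic F blob (constructed test data, not a real hive value)."""
    return bytes(RID_OFFSET) + struct.pack("<I", rid) + bytes(8)


# Constructed sample: built-in Administrator (500), a normal user (1001),
# and a second normal user (1008) whose F value has been rewritten to 500.
SAMPLE_USERS = {
    "000001F4": make_f_value(BUILTIN_ADMIN_RID),
    "000003E9": make_f_value(1001),
    "000003F0": make_f_value(BUILTIN_ADMIN_RID),
}

if __name__ == "__main__":
    for key_name, key_rid, rid in find_rid_hijacks(SAMPLE_USERS):
        print(f"RID mismatch: key {key_name} (RID {key_rid}) embeds RID {rid}")
```

On a real host the same comparison is run as SYSTEM over the Users subkeys, and any mismatch, together with unexpected registry edits under that path, is the signal to investigate.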

Source: https://www.bleepingcomputer.com/news/security/hackers-use-windows-rid-hijacking-to-create-hidden-admin-account/