Source: BleepingComputer Author: Bill Toulas URL: https://www.bleepingcomputer.com/news/security/hackers-use-windows-rid-hijacking-to-create-hidden-admin-account/
ONE SENTENCE SUMMARY:
North Korean hackers, attributed to the Andariel group, use RID hijacking to quietly give low-privileged Windows accounts administrator-level permissions.
MAIN POINTS:
- RID hijacking modifies the RID of low-privilege accounts to gain administrative permissions in Windows systems.
- The attack requires SYSTEM access, which hackers achieve through vulnerabilities and tools like PsExec and JuicyPotato.
- Andariel, a group linked to North Korea’s Lazarus hackers, is responsible for these attacks.
- Hackers create hidden accounts using the "net user" command with a "$" suffix for stealth.
- Modifications to the SAM registry enable RID hijacking, leveraging custom malware and open-source tools.
- SYSTEM access does not persist after reboots, prompting attackers to elevate privileges for stealth and persistence.
- Hackers add compromised accounts to Remote Desktop Users and Administrators groups for extended control.
- To cover tracks, attackers delete rogue accounts and registry keys, then restore them from backups as needed.
- Mitigation strategies include monitoring SAM registry changes, using multi-factor authentication, and restricting suspicious tools.
- RID hijacking was first disclosed in 2018 as a Windows persistence technique at DerbyCon 8.
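The registry change that makes RID hijacking work is the RID stored inside each account's F value under SAM\SAM\Domains\Account\Users, which normally matches the hex RID used as the key name. The following detection check is an added example, not code from the article or from the Andariel research it reports on: it parses the RID field at offset 0x30 of the F value (32-bit little-endian) and flags any key whose embedded RID does not match its key name. The SAM data here is a constructed in-memory sample; in practice the F values would be read from an offline hive export.

```python
import struct

# Offset of the 32-bit little-endian RID inside the SAM F value.
RID_OFFSET = 0x30
F_VALUE_LEN = 0x50          # length used for the constructed samples below
BUILTIN_ADMIN_RID = 500     # RID of the built-in Administrator account


def rid_from_f_value(f_value: bytes) -> int:
    """Return the RID embedded in a SAM F value blob."""
    if len(f_value) < RID_OFFSET + 4:
        raise ValueError("F value too short to contain a RID")
    return struct.unpack_from("<I", f_value, RID_OFFSET)[0]


def find_hijacked_rids(user_keys: dict) -> list:
    """Flag Users\\<hex RID> keys whose F value carries a different RID.

    user_keys maps the hex key name (e.g. "000003E9") to its F value bytes.
    A mismatch means the account authenticates with another account's RID,
    which is exactly what RID hijacking produces.
    """
    findings = []
    for key_name, f_value in user_keys.items():
        key_rid = int(key_name, 16)
        embedded = rid_from_f_value(f_value)
        if embedded != key_rid:
            findings.append({
                "key": key_name,
                "key_rid": key_rid,
                "embedded_rid": embedded,
                "impersonates_admin": embedded == BUILTIN_ADMIN_RID,
            })
    return findings


def make_f_value(rid: int) -> bytes:
    """Constructed F value: zero-filled blob with only the RID field set."""
    blob = bytearray(F_VALUE_LEN)
    struct.pack_into("<I", blob, RID_OFFSET, rid)
    return bytes(blob)


# Constructed sample hive: Administrator (500), a normal user (1001),
# and a third account (1002) whose F value has been rewritten to RID 500.
SAMPLE_USER_KEYS = {
    "000001F4": make_f_value(500),
    "000003E9": make_f_value(1001),
    "000003EA": make_f_value(500),
}

if __name__ == "__main__":
    for hit in find_hijacked_rids(SAMPLE_USER_KEYS):
        print(hit)
```

The same check can be run as a scheduled task over a saved copy of the SAM hive and alerted on whenever the finding list is non-empty.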
TAKEAWAYS:
- RID hijacking exploits Windows security identifiers to stealthily elevate user privileges.
- Andariel group uses SYSTEM access and registry modifications for stealthy, persistent attacks.
- Hidden accounts are created and manipulated to avoid detection during these attacks.
- Tools like PsExec and JuicyPotato are instrumental in initial access and privilege escalation.
- Robust system monitoring and multi-factor authentication are crucial for mitigating RID hijacking risks.