Full Report
A North Korean threat group has been using a technique called RID hijacking that tricks Windows into treating a low-privileged account as one with administrator permissions. [...]
Analysis Summary
# Tool/Technique: Windows RID Hijacking for Hidden Administrator Account Creation
## Overview
This describes a specific technique utilized by threat actors to create a persistent, hidden administrator account on compromised Windows systems by manipulating the Relative Identifier (RID) pool within the Security Account Manager (SAM) database structure.
## Technical Details
- Type: Technique
- Platform: Windows
- Capabilities: Modifying the Local Security Authority Subsystem Service (LSASS) process memory, or directly manipulating the SAM/LSA/SECURITY hives, so that a predefined RID value is assigned to a newly created or existing user account; the account then operates with the privileges of that RID while still appearing benign or escaping standard enumeration.
- First Seen: Not explicitly stated in context (This technique is an established method, though recent exploitation campaigns may be new).
## MITRE ATT&CK Mapping
Since the technique focuses on manipulating local accounts via Windows components:
- **TA0003 - Persistence**
- **T1136 - Create Account**
- **T1136.001 - Local Accounts** (Creating a local administrative account)
- **TA0005 - Defense Evasion**
- **T1542 - Disguise Presence**
- **T1542.003 - Host Obfuscation** (By creating an account with a manipulated RID to hide its administrative status or existence)
## Functionality
### Core Capabilities
- Creation of a new local user account.
- Assignment of the newly created account to the local Administrators group.
- Manipulation of the *Relative Identifier (RID)* associated with the account to ensure it appears hidden or bypasses typical administrative account detection mechanisms (e.g., targeting the well-known administrative RIDs that are often monitored or expected).
### Advanced Features
- The primary advanced feature is the *stealth* achieved by abusing the mechanism Windows uses to assign unique Security Identifiers (SIDs) to local accounts: an entry in the local RID pool is made to point to an attacker-controlled user structure. The resulting account is not easily discoverable with standard user enumeration tools unless those tools specifically inspect the low end of the RID pool or the underlying SAM structure.
## Indicators of Compromise
As this is a technique rather than a single piece of malware, the IOCs are behavioral and relate to the manipulation itself.
- File Hashes: N/A (Technique relies on OS file manipulation/memory modification)
- File Names: N/A
- Registry Keys: Direct interaction with or modification of the SAM database structure, typically residing around or involving: `HKEY_LOCAL_MACHINE\SAM\` and `HKEY_LOCAL_MACHINE\SECURITY\` hives.
- Network Indicators: N/A, although subsequent C2 communication would still be present from the initial compromise that allowed this action.
- Behavioral Indicators:
  - Processes holding administrative rights that interact with LSASS memory.
  - Direct disk access to, or modification of, the SAM database file (usually `C:\Windows\System32\config\SAM`).
  - Creation of a new local account that does not conform to the standard RID allocation sequence for new users, particularly if the account lacks the profile or login history expected of a normal admin account.
## Associated Threat Actors
The article does not list specific threat actors utilizing this method, but such methods are common among advanced persistent threat (APT) groups and ransomware operators looking for reliable persistence post-exploitation.
## Detection Methods
- Signature-based detection: Difficult, as it often involves legitimate OS functions (like SAM editing, albeit improperly).
- Behavioral detection: Monitoring for processes (outside of system utilities like `net.exe` or `samlist.exe` if used correctly) accessing or writing to the SAM/SECURITY hives or making calls indicative of local SID manipulation. Monitoring changes to the local security database pointers.
- YARA rules: Not applicable for this specific low-level Windows functionality modification.
## Mitigation Strategies
- Prevention measures: Applying the Principle of Least Privilege (PoLP) to prevent lower-privileged users from executing code that can modify the SAM database.
- Hardening recommendations:
  - Ensure strong configuration management to prevent unauthorized modification of core system files in `%SystemRoot%\system32\config`.
  - Utilize EDR solutions tuned to detect abnormal access or modification attempts against `lsass.exe` memory or the SAM registry hives.
  - Regularly audit local administrative accounts, paying attention to any unexpected RIDs in the SAM structure.
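The audit recommended above can be made concrete. The following PowerShell is an added example, not part of the report or any vendor tool: it compares the name of each SAM user key (the RID Windows originally allocated) with the RID stored inside that key's `F` value, which is the field a RID hijack overwrites. It assumes it is run as SYSTEM, since `HKLM\SAM` is not readable by Administrators by default, and that the RID sits at offset 0x30 of the `F` value, which is the documented SAM layout.

```powershell
# Added audit example (not from the report). In a RID hijack the RID inside the
# F value is rewritten (commonly to 500, the built-in Administrator RID) while
# the SAM subkey keeps its original name, so a mismatch between the two is the
# tell-tale sign. Assumption: run as SYSTEM (e.g. via a SYSTEM-level shell).

$usersPath = 'HKLM:\SAM\SAM\Domains\Account\Users'
$localUsers = Get-LocalUser            # used only to map RID -> account name
$findings   = @()

Get-ChildItem -Path $usersPath -ErrorAction Stop |
  Where-Object { $_.PSChildName -match '^[0-9A-F]{8}$' } |   # skip the Names subkey
  ForEach-Object {
    $keyRid = [Convert]::ToInt32($_.PSChildName, 16)      # RID from the subkey name
    $f      = (Get-ItemProperty -Path $_.PSPath -Name 'F').F   # binary F value (byte[])

    # Offset 0x30 of the F value holds the RID as a little-endian DWORD.
    $fRid = [BitConverter]::ToInt32($f, 0x30)

    # Resolve the account name from the SID suffix; built-in keys may not resolve.
    $name = ($localUsers | Where-Object { $_.SID.Value -like "*-$keyRid" }).Name
    if (-not $name) { $name = '<unresolved>' }

    $findings += [pscustomobject]@{
      Account   = $name
      KeyRid    = $keyRid
      FValueRid = $fRid
      Mismatch  = ($keyRid -ne $fRid)
    }
  }

$findings | Format-Table -AutoSize

$findings | Where-Object Mismatch | ForEach-Object {
  Write-Warning ("Possible RID hijack: account '{0}' lives under SAM key RID {1} " +
                 "but its F value claims RID {2}" -f $_.Account, $_.KeyRid, $_.FValueRid)
}
```

A clean system reports `Mismatch` as `False` for every row; any `True` row deserves an immediate look at the account, its group membership and recent logon events.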
## Related Tools/Techniques
- Local Account Creation (T1136)
- Direct Modification of SAM (More direct, but related predecessor/alternative technique)
- Use of tools like Mimikatz or similar credential access tools often precedes the persistence phase in which this technique might be employed.