lazarusholic


RID Hijacking Technique Utilized by Andariel Attack Group

2025-01-24, Ahnlab
https://asec.ahnlab.com/en/85942/
#Andariel

Contents

RID Hijacking Technique Utilized by Andariel Attack Group
AhnLab SEcurity intelligence Center (ASEC) has identified the Andariel attack group using a malicious file to perform an RID Hijacking attack during the breach process.
RID Hijacking is an attack technique in which the Relative Identifier (RID) stored for a low-privileged account, such as a regular user or the Guest account, is rewritten to match the RID of a higher-privileged account, typically the built-in Administrator (RID 500). The RID is held in the local SAM hive (HKLM\SAM), so the modification requires SYSTEM-level access to the registry; once made, the low-privileged account is treated as the administrator when it logs on.

In the Korea Internet & Security Agency's (KISA) public post, "TTPs #11: Operation An Octopus – Analysis on Attack Strategies Targeting Centralized Management Solutions", it was noted that the Andariel threat group uses the RID Hijacking technique when creating a backdoor account within the operating system.

RID Hijacking is difficult to catch with behavior-based detection because the attacker only creates an account that is hidden from ordinary user listings and then changes that account's RID value in the SAM; no new process, service, or privileged group membership has to appear for the account to gain administrator rights.
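Because the hijack leaves the SAM key name (the original RID) and the RID embedded in the account's binary F value out of step, the simplest host check is to compare the two for every local account. The script below is an added example written for this page, not code from the ASEC post or from AhnLab. It assumes, per public RID-hijacking research, that the RID is stored as a little-endian DWORD at offset 0x30 of the F value, and it must run as SYSTEM (for instance via PsExec -s) because HKLM\SAM is not readable by administrators by default.

```powershell
# Added example: audit the local SAM for RID hijacking.
# Run as SYSTEM; HKLM\SAM is otherwise inaccessible.

$usersKey = 'HKLM:\SAM\SAM\Domains\Account\Users'

function Get-SamRidMismatch {
    # Each user key is named after the account's RID in 8-digit hex (e.g. 000001F4 = 500).
    # The "Names" subkey is skipped by the regex.
    Get-ChildItem -Path $usersKey -ErrorAction Stop |
        Where-Object { $_.PSChildName -match '^[0-9A-F]{8}$' } |
        ForEach-Object {
            $keyRid = [Convert]::ToUInt32($_.PSChildName, 16)
            $f = (Get-ItemProperty -Path $_.PSPath -Name F).F

            # Assumption (public research): RID lives at offset 0x30 of the F value.
            if ($null -eq $f -or $f.Length -lt 0x34) { return }
            $storedRid = [BitConverter]::ToUInt32($f, 0x30)

            [pscustomobject]@{
                Key       = $_.PSChildName
                KeyRid    = $keyRid
                StoredRid = $storedRid
                Hijacked  = ($keyRid -ne $storedRid)
            }
        }
}

# Accounts whose names end in "$" are hidden from "net user" output and are a
# common companion to RID hijacking; list them alongside the RID audit.
function Get-HiddenLocalUser {
    Get-LocalUser | Where-Object { $_.Name -like '*$' } | Select-Object Name, Enabled, SID
}

Get-SamRidMismatch | Format-Table -AutoSize
Get-HiddenLocalUser | Format-Table -AutoSize
```

A row with `Hijacked = True` means the stored RID no longer matches the key the account was created under; a value of 500 in `StoredRid` for a non-Administrator key is the classic indicator. Pair the output with a review of the matching SAM key's last-write time and of Security event 4720 (user account created) to establish when the backdoor account was added.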
This blog will cover the …