{
	"id": "f9ec809b-4b15-4e41-81c4-c5555549520f",
	"created_at": "2026-04-06T02:10:46.878424Z",
	"updated_at": "2026-04-10T13:12:39.507258Z",
	"deleted_at": null,
	"sha1_hash": "37d087169d2bd363bc461552f900cf1b1f854864",
	"title": "RID Hijacking Technique Utilized by Andariel Attack Group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 317268,
	"plain_text": "RID Hijacking Technique Utilized by Andariel Attack Group\r\nBy ATCP\r\nPublished: 2025-01-22 · Archived: 2026-04-06 01:32:01 UTC\r\nAhnLab SEcurity intelligence Center (ASEC) has identified the Andariel attack group using a malicious file to perform an RID Hijacking attack during the breach process.\r\nRID Hijacking is an attack technique in which the Relative Identifier (RID) of an account with restricted privileges, such as a regular user or guest account, is modified to match the RID of an account with higher privileges, such as an administrator. In the Korea Internet \u0026 Security Agency’s (KISA) public post, “TTPs #11: Operation An Octopus – Analysis on Attack Strategies Targeting Centralized Management Solutions”, it was mentioned that the Andariel threat group uses the RID Hijacking technique when creating a backdoor account within the operating system. RID Hijacking is difficult for behavior-based detection systems to catch because the attack consists only of creating a hidden account and then modifying that account’s RID value in the registry, both of which are ordinary account and registry operations.\r\nThis blog covers the RID Hijacking attack process and the techniques used in breach incidents.\r\n1. Concept of RID Hijacking\r\nRID Hijacking modifies the RID of a low-privileged account, such as a regular user or the guest account, to match the RID of a higher-privileged account (Administrator). Because Windows builds the account’s security identifier (SID) from that RID at logon, the system then treats the account as if it were the administrator. Threat actors can use various types of accounts to perform RID Hijacking, including:\r\nUsing a regular user account that exists in the system\r\nActivating the guest account\r\nCreating a new account\r\nRID Hijacking is typically performed by manipulating the Security Account Manager (SAM) database. 
Threat actors can thereby obtain an account with administrator rights, or escalate an existing one, without knowing the administrator’s password: they log on with the credentials of the hijacked account, which they control.\r\n2. RID Hijacking Attack Process\r\nThe following are the stages of RID Hijacking attacks identified in breach incident cases.\r\nhttps://asec.ahnlab.com/en/85942/\r\nPage 1 of 7\n\nFigure 1. The process of a RID Hijacking attack\r\n2.1 SYSTEM Privilege Escalation\r\nThe SAM registry hive manages authentication and authorization within Windows and stores local user account information. Its default access control list grants full access only to SYSTEM; an ordinary administrator cannot read or modify it directly and must first obtain SYSTEM privileges (or, as the open-source tool in section 3.1 does, rewrite the key’s permissions).\r\nThreat actors use tools that can launch a process as SYSTEM, such as PsExec (with its -s option) or the JuicyPotato privilege escalation tool, on the compromised system. In this case, the threat actor used PsExec to execute a malicious file through a remote command, and the malicious file operated with SYSTEM privileges.\r\nFigure 2. Example of file permission when using the PsExec command (SYSTEM)\r\n2.2 Creating a Local User Account\r\nThreat actors either use existing user accounts in the system or create new accounts. In this case, the threat actor created an account to perform the RID Hijacking attack.\r\nThe threat actor created the account using the ‘net user’ command. When a $ is appended to the account name, the account is treated as hidden: ‘net user’ omits names ending in $ from its listing, so the account can only be identified in the SAM registry (some other tools, such as Get-LocalUser, still list it; see Table 3).\r\nFigure 3. Checking the account creation result (net user, registry)\r\nThe threat actor then added the created account to the Remote Desktop Users group and the Administrators group using the ‘net localgroup’ command. 
When an account is a member of the Remote Desktop Users group, it can be used to log on via RDP.\r\n2.3 Changing RID via Registry Value Modification\r\nIn a RID Hijacking attack, the threat actor rewrites the RID of the account in the SAM registry so that Windows resolves the account to the changed RID.\r\nIn the Windows operating system, the registry keys related to local user accounts are stored under ‘HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users’. Each account has a subkey named with its RID as an 8-digit hexadecimal value (for example, 000001F4 for the built-in Administrator, RID 500). The RID of the account is written in little-endian format as 4 bytes at offsets 0x30 – 0x33 of the ‘F’ value under that subkey. Threat actors change the value at this offset to the RID of the hijacking target.\r\nFigure 4. Account-related key in the SAM registry\r\nFigure 5. Feature for changing the RID inside the malware\r\nOnce the RID value has been changed, the logon token issued for the account created by the threat actor carries the SID of the target account, so Windows treats it as having the same privileges as that account, enabling privilege escalation. The subkey itself keeps its original name: the key name still says the original RID while the ‘F’ value says the target’s, and that inconsistency is what a forensic check of the SAM looks for.\r\n3. Malicious File Used by Threat Actor\r\nThe Andariel threat group performed the RID Hijacking attack with two files: a malicious file that they created themselves and an open-source tool. Both implement the attack process described above, but they differ in several details.\r\nMalicious file of the Andariel threat group\r\n- File type: created by the threat actor\r\n- Permission: executes with SYSTEM privileges\r\n- Behavior:\r\n  1. Create an account and add it to a group (Remote Desktop Users)\r\n  2. Retrieve the RID of the created account and of the target account\r\n  3. Access the ‘F’ value under the created account’s registry key and overwrite its RID with the RID of the target account\r\n  4. Export the registry keys\r\n  5. Delete the created account\r\n  6. Re-import the exported keys into the registry\r\n- Target account: hard-coded to fit the environment of the affected company\r\nOpen-source tool CreateHiddenAccount\r\n- File type: open source\r\n- Permission: run as administrator\r\n- Behavior:\r\n  1. Create an account and add it to a group (Administrators)\r\n  2. Gain access to the SAM registry using regini\r\n  3. Get the RID of the created account and of the target account\r\n  4. Delete the created account\r\n  5. Create a .reg file and copy the registry values of the existing user\r\n  6. Add them to the registry\r\n  7. Activate the account\r\n- Target account: designated as a parameter value\r\nTable 1. Comparison of the files performing the RID Hijacking attack\r\n3.1 Modify SAM Registry Access Permission\r\nRID Hijacking requires SYSTEM privileges because it needs to access the SAM registry key. Samples developed by the Andariel threat group cannot perform their functions properly without SYSTEM privileges. The open-source tool CreateHiddenAccount, however, can perform all of its functions with administrator privileges. Analyzing its operation revealed that it uses the Windows built-in program regini to grant itself the necessary permissions.\r\nFigure 6. Using regini.exe to access the registry with Administrators permission\r\nregini is a command-line tool provided by Microsoft that edits the Windows registry from a text file. By specifying registry key paths and permission numbers in the file, it can create, modify and delete keys and change their permissions. The ini file identified in CreateHiddenAccount modifies the access permissions on the SAM registry keys required for the RID Hijacking attack: alongside the default entry 17 (System Full Access) it adds entry 1 (Administrators Full Access), allowing the SAM registry keys to be modified with administrator privileges.\r\nFigure 7. 
Example of the contents of the ini file\r\n3.2 Behavior of Adding to Registry\r\nIn addition to creating a hidden account with a ‘$’ in the account name, the malicious file used by the Andariel attack group performs additional behaviors to minimize exposure. After completing the RID Hijacking, the ‘reg export’ command is used to extract the registry keys related to the account.\r\nKey that maps user names to RIDs: reg export hklm\\sam\\sam\\domains\\account\\users\\names\\\u003cAccountName\u003e names.reg\r\nKey that contains all details and settings for the user account: reg export hklm\\sam\\sam\\domains\\account\\users\\\u003cAccount RID hex value\u003e users.reg\r\nTable 2. Behavior and commands for extracting the registry keys related to the account\r\nAfterwards, the threat actor deletes the account and adds the registry keys back using the previously exported REG files. After this step, the account no longer appears in several of the commands and tools that list the accounts on the system. However, unlike other hiding methods, once the system is rebooted, ‘Local Users and Groups’ in Computer Management is able to find the account again, allowing the account status to be checked.\r\nThe account created using the above method therefore cannot be completely hidden. 
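Because the hijacked account still exists in the SAM even when it is missing from the account listings, the registry itself is the reliable place to look. The following Python script is an added example for this article, not code from ASEC or from either of the tools it describes. It parses a reg export of the Users key (the second command in Table 2, which has to be taken with SYSTEM rights) and flags every account whose key name (the original RID) disagrees with the RID stored at offset 0x30 of its F value; it also reads each RID from the Names subkeys, where the data type of the default value encodes the RID, so the finding can be labelled with the account name. The file name users.reg, the account name svc$ and the sample export contents are constructed for the example; a real export is UTF-16LE text with a byte-order mark, and the parser handles the line wrapping reg.exe applies to long hex values.

```python
import ntpath
import struct

DQ, BS = chr(34), chr(92)   # the double quote and backslash characters used by .reg syntax
RID_OFFSET = 0x30           # the RID sits at F[0x30:0x34], little-endian (section 2.3)
USERS_KEY = BS.join(['HKEY_LOCAL_MACHINE', 'SAM', 'SAM', 'Domains', 'Account', 'Users'])


def make_f_value(stored_rid, length=0x50):
    '''Build a minimal SAM user F blob: only the RID field is populated, everything else is zero.'''
    blob = bytearray(length)
    struct.pack_into('<I', blob, RID_OFFSET, stored_rid)
    return bytes(blob)


def reg_hex_lines(name, blob, width=76):
    '''Format a REG_BINARY value the way reg.exe exports it: hex:02,00,... wrapped with a
    trailing backslash and a two-space indent on each continuation line.'''
    line = DQ + name + DQ + '=hex:' + ','.join('%02x' % b for b in blob)
    out = []
    while len(line) > width:
        cut = line.rfind(',', 0, width) + 1
        if cut <= 0:
            break
        out.append(line[:cut] + BS)
        line = '  ' + line[cut:]
    out.append(line)
    return out


# Constructed sample export (reg.exe writes UTF-16LE; assume it is already decoded to str).
# 000001F4 is the built-in Administrator (RID 500). 000003E9 (RID 1001) is a hidden
# 'svc$' account whose F value has been rewritten to carry 500 instead of 1001.
SAMPLE_LINES = [
    'Windows Registry Editor Version 5.00',
    '',
    '[' + USERS_KEY + BS + '000001F4]',
    *reg_hex_lines('F', make_f_value(0x1F4)),
    '',
    '[' + USERS_KEY + BS + '000003E9]',
    *reg_hex_lines('F', make_f_value(0x1F4)),       # key says 1001, F says 500: hijacked
    '',
    '[' + USERS_KEY + BS + 'Names' + BS + 'Administrator]',
    '@=hex(1f4):',
    '',
    '[' + USERS_KEY + BS + 'Names' + BS + 'svc$]',
    '@=hex(3e9):',
]


def logical_lines(lines):
    '''Re-join continuation lines: a trailing backslash means the next (indented) line continues it.'''
    pending = ''
    for raw in lines:
        line = raw.strip()
        if line.endswith(BS):
            pending += line[:-1]
            continue
        yield pending + line
        pending = ''


def audit_users_export(lines):
    '''Return (hijacked, names). hijacked maps a key-name RID to the RID stored in that key's
    F value whenever the two differ; names maps account name -> RID from the Names subkeys.'''
    stored, names, key = {}, {}, None
    for line in logical_lines(lines):
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        if key is None or '=' not in line:
            continue
        parent, leaf = ntpath.basename(ntpath.dirname(key)), ntpath.basename(key)
        name, _, data = line.partition('=')
        if parent == 'Users' and name.strip(DQ) == 'F' and data.startswith('hex:'):
            blob = bytes.fromhex(data[4:].replace(',', ''))
            if len(blob) >= RID_OFFSET + 4:
                stored[int(leaf, 16)] = struct.unpack_from('<I', blob, RID_OFFSET)[0]
        elif parent == 'Names' and name == '@' and data.startswith('hex('):
            # Under Names, the data *type* of the default value (hex(3e9)) is the account's RID.
            names[leaf] = int(data[4:data.index(')')], 16)
    hijacked = {rid: f_rid for rid, f_rid in stored.items() if rid != f_rid}
    return hijacked, names


def report(lines):
    '''Print one line per hijacked account and return the findings as (account, key_rid, stored_rid).'''
    hijacked, names = audit_users_export(lines)
    rid_to_name = {rid: account for account, rid in names.items()}
    findings = [(rid_to_name.get(rid, '?'), rid, f_rid) for rid, f_rid in sorted(hijacked.items())]
    for account, rid, f_rid in findings:
        print('RID hijack: %s has key RID %d but its F value stores RID %d' % (account, rid, f_rid))
    return findings


if __name__ == '__main__':
    report(SAMPLE_LINES)
    # Real export: report(open('users.reg', encoding='utf-16').read().splitlines())
```

On the constructed sample the script reports svc$ with key RID 1001 and a stored RID of 500; on a clean export it returns no findings. Because the check compares two places the hijack leaves inconsistent (the key name and the F value), it works the same whether the attacker kept the account or deleted and re-imported it as in section 3.2, and it does not depend on any of the account-listing tools in Table 3.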
Even so, the threat actor’s behavior can be interpreted as intending to minimize account exposure and maintain persistence.\r\nAccount verification status (O = account visible, X = not visible), before and after re-registering the registry keys:\r\nControl Panel, User Accounts: before O, after X\r\nComputer Management, Local Users and Groups: before O, after X\r\nCommand prompt (cmd), net user command: before X, after X\r\nPowerShell, Get-LocalUser command: before O, after O\r\nWMIC, useraccount command: before O, after O\r\nRegistry editor, HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows: before X, after X\r\nRegistry editor, HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users: before O, after O\r\nTable 3. Comparison of the methods for checking the account list and whether the account can be found before and after the registry keys are re-registered\r\nMD5\r\nb500a8ffd4907a1dfda985683f1de1df\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/85942/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/85942/"
	],
	"report_names": [
		"85942"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775441446,
	"ts_updated_at": 1775826759,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/37d087169d2bd363bc461552f900cf1b1f854864.pdf",
		"text": "https://archive.orkl.eu/37d087169d2bd363bc461552f900cf1b1f854864.txt",
		"img": "https://archive.orkl.eu/37d087169d2bd363bc461552f900cf1b1f854864.jpg"
	}
}