AhnLab Security Intelligence Center (ASEC) has reported on activity by the Andariel group that makes use of a technique known as RID hijacking. RID hijacking is possible because Windows keeps its local account records in the Security Account Manager (SAM) registry hive and does not cross-check what is stored there against an account's original identity. Each local account has a security identifier (SID) whose last component, the relative identifier (RID), is also stored inside the account's binary record in the SAM. Because the operating system decides an account's privileges from the SID it places in the logon token, an attacker who overwrites the stored RID of a low-privileged account with 500, the RID of the built-in Administrator account, causes that account to receive an Administrator token at its next logon, while account management tools continue to show it as an ordinary user. Writing to the SAM hive requires SYSTEM privileges, so the technique serves an attacker who has already compromised the host and wants a covert way to keep elevated access.
To protect against RID hijacking, the integrity of local accounts must be monitored. That means checking that the RID stored in each account's SAM record still matches the RID in the account's SID, and treating any mismatch as a compromise rather than a misconfiguration; it also means watching for direct access to the SAM hive (for example with reg.exe, PowerShell or any process other than the LSA process, lsass.exe, which performs legitimate account updates) and for exports or backups of the hive, since those are the steps an attacker needs in order to make and then conceal the change. Access rights should be minimised under the principle of least privilege: limit the accounts that can reach SYSTEM or local administrator rights, and restrict privileges such as SeBackupPrivilege, SeRestorePrivilege and SeTakeOwnershipPrivilege that let a user read or rewrite the SAM hive or alter other accounts' attributes.
Modern protection systems such as EDR (Endpoint Detection and Response) solutions can identify and block the steps involved, for instance the escalation to SYSTEM that precedes the registry change or the write to the SAM hive itself. The operating system should be kept up to date with security patches so that an attacker has fewer ways to obtain the SYSTEM privileges the technique depends on. Audit and control policies should be in place: enable the User Account Management audit subcategory, which records account creation, deletion, modification and local group membership changes (Event IDs 4720, 4726, 4738 and 4732); enable the Registry audit subcategory together with a system access control list (SACL) on the SAM account keys so that writes to account records are logged (Event ID 4657); and configure automatic alerts for any of these events that involve privileged accounts or the SAM hive.
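One way to run the integrity check and enable the SAM write auditing described above, as an added PowerShell example that is not code from ASEC's report or from this article: it enumerates the account subkeys under HKLM\SAM\SAM\Domains\Account\Users, reads each account's binary F value, and compares the RID encoded in the subkey name with the RID stored at offset 0x30 of the F value, the field that RID hijacking overwrites. The account-name lookup through Get-LocalUser, the function names and the choice of audited rights are this example's own assumptions; the script must run as SYSTEM (for example through PsExec with -s), because the SAM hive is not readable by administrators by default.

```powershell
# Added example: RID hijacking check for the local SAM hive (not ASEC's code).
# Must run as SYSTEM, e.g.:  psexec.exe -s -i powershell.exe -File .\Find-RidHijack.ps1
# Administrators cannot read HKLM\SAM\SAM\... without first changing its ACL.

$UsersKey  = 'HKLM:\SAM\SAM\Domains\Account\Users'
$RidOffset = 0x30   # the RID is a little-endian DWORD at this offset of the F value

function Get-SamAccountRecord {
    # One object per account subkey (names such as 000001F4 are the RID in hex).
    # The account name is resolved from Get-LocalUser by RID; this is best effort,
    # used only for reporting (an assumption of this example, not part of the check).
    $names = @{}
    foreach ($u in Get-LocalUser) {
        $names[[uint32]($u.SID.Value.Split('-')[-1])] = $u.Name
    }

    Get-ChildItem -Path $UsersKey -ErrorAction Stop |
        Where-Object { $_.PSChildName -match '^[0-9A-Fa-f]{8}$' } |   # skips the Names subkey
        ForEach-Object {
            [byte[]]$f = $_.GetValue('F')
            if ($null -eq $f -or $f.Length -lt ($RidOffset + 4)) { return }
            $ridFromKey = [Convert]::ToUInt32($_.PSChildName, 16)
            $ridFromF   = [BitConverter]::ToUInt32($f, $RidOffset)
            [pscustomobject]@{
                Account    = $names[$ridFromKey]
                RidFromKey = $ridFromKey
                RidFromF   = $ridFromF
                # A mismatch means the account logs on with a token for RidFromF
                # (500 = built-in Administrator) while still listed under its own RID.
                Hijacked   = ($ridFromKey -ne $ridFromF)
            }
        }
}

function Find-RidHijack {
    Get-SamAccountRecord | Where-Object { $_.Hijacked }
}

function Enable-SamWriteAudit {
    # Put a SACL on the account records so that any write generates Event ID 4657.
    # Needs SeSecurityPrivilege (SYSTEM has it) and the Registry audit subcategory:
    #   auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable
    $everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
    $rule = [System.Security.AccessControl.RegistryAuditRule]::new(
        $everyone,
        'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership',
        'ContainerInherit, ObjectInherit',
        'None',
        'Success, Failure')
    $acl = Get-Acl -Path $UsersKey -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $UsersKey -AclObject $acl
}

# Usage: report every account whose stored RID no longer matches its key name.
$hits = @(Find-RidHijack)
if ($hits.Count -gt 0) {
    Write-Warning "RID mismatch detected; these accounts log on with another account's SID:"
    $hits | Format-Table -AutoSize
} else {
    Write-Output 'No RID mismatches found in the SAM hive.'
}
```

Run Enable-SamWriteAudit once per host to start producing 4657 events for writes under the account keys; lsass.exe is the only process that should appear as the writer in those events, and a SACL set this way can itself be removed by an attacker with SYSTEM, so forward the events off the host rather than relying on the local log.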
RID hijacking is a covert technique for obtaining and keeping elevated privileges that deserves the attention of security specialists and the implementation of the control measures above.