As a result, Windows grants administrative privileges to the account.

Attackers typically use tools such as PsExec and JuicyPotato to escalate their privileges and launch a SYSTEM-level command prompt.

This made the account invisible in regular listings but still accessible in the SAM registry.

RID Hijacking

The attackers then carried out RID hijacking to escalate the account's privileges to the administrator level.

The group tweaked the SAM registry using custom malware and an open-source tool to execute the RID hijacking.

To reduce the risk of RID hijacking, system administrators should implement proactive measures such as:

source: www.techworm.net