Identity and privilege management is a core pillar of modern cybersecurity. Gartner predicts that by 2025 more than 70% of security breaches will be related to credential abuse or poorly managed privileged access. That’s a staggering risk—one that organizations need to tackle head-on.
That’s where the Four Rights to Secure Identity Privileges come in. This framework provides a clear, structured way to protect both human and machine identities.
The four principles are:
Right Identity
Right Reason
Right Access
Right Time
These principles enforce the implementation of strict controls while keeping operations running smoothly. Let’s break them down.
1. Right Identity: Making Sure the Right Person (or Machine) Has Access
This principle ensures that only verified and trustworthy identities—whether human users or machine accounts like APIs and IoT devices—can access critical systems and resources.
The Challenge: False, duplicate, or poorly managed identities pose a significant risk. According to Gartner, 25% of organizations struggle to maintain an accurate inventory of identities.The Solution: Use Identity Governance, Access Management, and Multi-Factor Authentication (MFA) to continuously verify and manage identities.
2. Right Reason: Making Sure Access is Justified
Even if the identity is trustworthy, validating the reason for access is essential. This principle reinforces that no resource should be accessed without a clear and legitimate justification.
The Challenge: Unnecessary access to critical data is one of the most common causes of information leaks. Gartner reports that organizations that don’t implement purpose-based governance see 40% more compliance violations.The Solution: Implement approval workflows and Just-In-Time Access policies to limit access based on actual business needs.
3. Right Access: Making Sure Privileges are Granted at the Correct Level
This principle ensures users only get the access they need—nothing more. Overprovisioned accounts create massive security risks and increase potential damage in the event of a breach.
The Challenge: Many companies still rely on manual provisioning, which leads to mistakes and granting access beyond what is necessary.
The Solution: Adopt Least Privilege Access and automate access management to consistently reduce unnecessary privileges.
4. Right Time: Making Sure Access is Temporary
Timing matters when it comes to access. Privileges should only be active when needed and removed once they’re no longer required—reducing risk and eliminating unnecessary permanent access.
The Challenge: Many organizations fail to revoke access after projects end or employees leave. Gartner estimates that 60% of human and machine identities have active permissions beyond the required time.The Solution: Implement Just in Time Access tools, continuous monitoring, and Privileged Access Management (PAM) systems that automatically revoke expired access.
Securing Both Human and Machine Identities
With the rise of automation, machine identities have grown exponentially. APIs, cloud workloads, and IoT devices often have more access than human users. Applying the Four Rights to both keeps security strong in a hybrid environment.
For Human Identities: Focus on robust authentication, periodic privilege reviews, and security awareness training.
For Machine Identities: Use certificates, rotating API keys, and continuous behavior monitoring to track access.
Conclusion
The Four Rights to Secure Identity Privileges aren’t just a cybersecurity best practice—they’re a necessity. Organizations that follow these principles reduce risk, stay compliant, and create a more secure and efficient IT environment.
By applying these controls, you can strike the right balance between security, performance, and peace of mind—knowing that both human and machine identities are managed responsibly.
senhasegura PAM enforces the Four Rights by securing identities, automating access controls, and eliminating excessive privileges. With just-in-time access, real-time monitoring, and automated credential management, we help organizations reduce risk, maintain compliance, and streamline security operations.
Get a firsthand look at how senhasegura protects your most critical assets—see the solution in action.
About Segura® Segura® strive to ensure the sovereignty of companies over actions and privileged information. To this end, we work against data theft through traceability of administrator actions on networks, servers, databases and a multitude of devices. In addition, we pursue compliance with auditing requirements and the most demanding standards, including PCI DSS, Sarbanes-Oxley, ISO 27001 and HIPAA.
About Version 2 Digital
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
Deploying a security tool at any company is not straightforward. It’s a balancing act that requires the right combination of product stability, technical integrations, skilled personnel on both sides, and many other variables. This becomes increasingly more challenging if you are a large enterprise customer.
These are just a few of the challenges that can come up:
1. Customization and Integration Requirements
Tailored Needs
Each organization has unique security requirements, so off-the-shelf tools often need heavy customization to meet specific needs. Enterprises can have several pre-existing security tools and general applications in both cloud and hybrid environments, making it necessary to integrate new incoming tools with these existing SIEM systems, firewalls, VPNs, and more. For example, part of this integration could be setting up SSL Inspection bypasses for certain applications or changing computer networking paths so that they don’t break a VPN.
2. Resource and Expertise Constraints
Limited Security Personnel
Legacy systems can be complex to deploy and manage on an ongoing basis and, therefore, require a dedicated team. Not all organizations can afford or have the existing team hierarchy to support this. This can make large-scale deployments, especially in enterprises with thousands of employees, expensive from a time and cost perspective. Since most legacy tools are too complex, organizations must invest in dedicated teams around the globe to maintain them or hire expensive third-party services to run the deployment.
3. Maintenance and Continuous Updating
Frequent Updates
Cybersecurity tools require regular updates to stay effective against external threats and meet internal needs. Manually coordinating these with the company through phased deployments, auto upgrades, and uploads into tools like InTune can be tough and time-consuming. Within the tool itself, slow feedback on configurations can drastically slow down deployments. These configurations can include things like policy updates. Legacy tools have a polling mechanism that takes 30 minutes to an hour to pull the latest policy down from the cloud. This means longer wait times for updates to take effect.
4. Re-work when moving from POC to Production
Non-Production Trials
Most cybersecurity POC environments are shut down after the trial. After purchase, the customer receives a completely fresh production tenant to be re-configured to fit the environment. It can be frustrating, as all work to date is thrown away, including SSO configs, policies, and more.
How does dope.security handle these challenges?
dope.security enabled a Fortune 100 customer to deploy the dope agent at an average of 3,000 devices per week and grow from 900 devices to over 18,000 devices in a matter of weeks by focusing on four key areas.
1. Product Stability
dope.security has built an on-device SSL proxy that performs all SWG capabilities on the user’s laptop—URL Filtering, Cloud App Controls, SSL Inspection, and more. This refreshed architecture, which removes the need for backhauling data to a remote data center, makes dope.swg the most reliable and stable proxy available regardless of the state, country, or office you’re in. The Fly-Direct Architecture also makes policy configurations very stable, consistent, and fast, which is critical during deployments. Updating policies in real-time at the individual and group levels makes the entire rollout process much more efficient and quicker. It also ensures the right security policies are applied to the correct individuals instantly.
2. Deployment Experience
Deploying the dope.security agent is extremely easy whether you’re installing 200 or 20,000 devices because there is no manual configuration or customization a customer has to make before installing.
In this specific case, the customer easily deployed InTune silently across their organization. Because no extra configuration was required after the agent was installed, the customer instantly blocked malicious websites and traffic across their deployed devices. Our clear guide to InTune deployments clarified any frequently asked questions.
The entire process from the initial free production trial was one click without excessive help from the dope security team. After purchase, the same trial was converted into a paid account—no additional configuration was required.
3. Global Technical Support Team
First, dope.security focuses on building strong relationships with the customer implementation team. This means having regular check-ins either through status calls, dedicated Slack channels, or email. Regular check-ins ensure that no bug or deployment hurdle goes unnoticed.
Second, the dope.security technical team consists only of product engineers who have in-depth knowledge of the product and how it works. There are no generic Tier 1 support agents whose only job is to escalate a customer to the next tier for assistance. This means the technical support team can answer any question in real time, dramatically increasing the productivity and speed of resolving issues.
4. SSL Error Notifications
A very common issue with proxy deployments is errors due to SSL Inspections breaking applications. Typically, the process to fix this is to implement a bypass rule. But with most SWG providers, this is extremely manual and not straightforward.
dope.security simplified this and built an SSL notification feature. The dope agent identifies and reports when it has broken traffic due to SSL cert pinning. It allows the admin to view these SSL errors in the dope console and easily create either application or domain bypasses in a few clicks. This feature is unique to dope.security, enabling deployments to move much quicker as admins don’t need to spend time manually hunting for why specific applications are breaking and their associated domains, URLs, or extensions to create bypass lists. dope.security automatically identifies, reports, and provides the data you need directly in the console.
dope.security enabled a Fortune 100 customer to deploy the dope agent at an average of 3,000 devices per week and grow from 900 devices to over 18,000 devices in a matter of weeks
This Fortune 100 customer rollout is just one case that shows how dope.security has redefined cybersecurity deployments. It no longer needs to be an extremely long, arduous process that requires tons of resources, time, and effort. From initial onboarding to ongoing maintenance of the deployment, dope.security makes everything much simpler through product stability, understanding customer needs, and providing dedicated, knowledgeable support.
A comprehensive security solution designed to protect individuals and organizations from various cyber threats and vulnerabilities. With a focus on proactive defense and advanced technologies, Dope Security offers a range of features and services to safeguard sensitive data, systems, and networks.
About Version 2 Digital
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
“That’s the solution!” is how an IT solution should ideally feel. It should solve an existing problem, lead to process optimization or ensure efficient target achievement.
On the technical side, this includes the following:
software
hardware
data
infrastructure, and
security mechanisms.
On a qualitative level, these factors include:
consulting
integration
support, and
other services, as necessary.
Examples include ERP systems, cloud services, IT security solutions, databases, communication platforms and automation tools.
IT solutions: Definition
An IT solution is a comprehensive approach that goes beyond the mere application of software. It combines components such as hardware, infrastructure, services, integration, support or consulting. It is often individually tailored to a company in order to meet its specific needs.
An IT solution is different from software because it is a complex concept. It may comprise several software products and other elements.
What types of problems are solved?
In the corporate world, there are countless problems and opportunities to use information technology in a meaningful way. It is important that an IT solution brings peace of mind to business owners.
IT solutions: Examples
The following examples use specific categories to illustrate the types of IT solutions available. Each type addresses specific requirements in companies or organizations.
Example #1: Information centralization
These include solutions such as ERP, CRM and HR systems. These are comprehensive, scalable IT solutions that meet the complex requirements of large companies. They integrate various systems and processes, such as financial management, customer relationship management (CRM) or human resources (HR). One of the aims is to manage data centrally and optimize company-wide processes.
Example #2: Data management
Data management solutions help companies organize, store, protect and analyse data effectively and purposefully. In the best case scenario, better decisions can be made based on this and processes can be sensibly revised.
Example #3: Increased IT security
Protecting systems and networks from threats such as hacker attacks or malware is of fundamental importance. The spectrum ranges from firewalls, encryption, analysis and incident identification to comprehensive protection of sensitive company data through an Information Security Management System (ISMS).
Example #4: Communication and collaboration
In the modern corporate world, business has changed. Remote work and large geographical distances are now the norm. Team members must communicate with each other and external parties in a targeted manner.
By using the right communication and collaboration platforms a strong culture is developed. This also improves the quality of collaboration.
Example #5: Automation and AI
Artificial intelligence (AI) and process automation lead to better outputs. For example, companies benefit from AI chatbots for support or use machine learning for better workflows. The list of benefits of artificial intelligence is long. Related solutions should always should always focus on the practical benefits.
Example #6: E-commerce
An e-commerce solution supports companies in setting up and operating online stores. It includes functions such as product management, payment processing, ordering processes and marketing tools. An important goal is to offer customers a seamless shopping experience.
Example #7: Industry-specific solutions
An industry-specific IT solution optimizes processes according to specific requirements. Examples of this include electronic patient records in the healthcare sector or trading systems in the financial sector. In most cases, the aim is to be competitive within one’s own industry or to offer clients a good service.
Application in large companies
Large companies (enterprises) usually have complex IT environments. Each department usually has its own requirements, prerequisites and success metrics.
Needless to say, solutions must cover a wide range of application scenarios. Selected systems must have a wide range of functionalities, be highly scalable and integrate easily.
Examples of enterprise solutions include:
ERP systems – for managing business processes
CRM tools for customer relationship management or
Data analysis solutions such as business intelligence platforms.
Use in small and medium-sized enterprises (SMEs)
Large companies tend to focus on goals such as process optimization, greater security or staying ahead of the competition. In contrast, small and medium-sized enterprises are increasingly focusing on factors such as:
cost savings,
process digitalization and
diving growth.
These require effective solutions that deliver as much performance as possible at the lowest possible cost. They must also be scalable to support the business as it grows.
Typical IT solutions for SMEs may include:
Cloud-based business software such as Microsoft 365,
Collaboration tools such as Slack or Trello, or
CRM systems such as HubSpot.
However, IT security also plays an important role here. And, depending on their model, e-commerce solutions, such as web store services, may be practical.
Customized IT solutions
It’s like clothing: Tailor-made fits best.
IT service providers can develop options that are individually tailored to specific company needs. These are highly beneficial when there are unique business processes for which a standard offering is not sufficient. For example, automation of a unique business process may be developed individually.
Of course, a cost-benefit analysis would reveal whether this is possible. In commercial terms, the ROI must be calculated before such a project begins.
Sometimes, these are created in-house. These can be helpful as an interim answer. This gives room for advance planning that will support the longer-term business goals.
Tip: Since customized solutions also mean a high cost factor, it is advisable to choose an IT solution that can be easily adapted to individual needs and requirements.
What does your business need today?
When investing in a new solution, it should deliver on an overarching benefit. Examples may be better service provision, reliable security or concrete time savings.
Below are some key benefits to consider.
1. Greater efficiency
Companies strive for productive and effective work. They also aim for the best possible results with the least possible effort – efficiency. In concrete terms, optimizing or automating processes can save a lot of time, money and resources. At the same time, optimized processes lead to better results.
2. Increased customer satisfaction
The customer is king. Companies depend on the loyalty of their customers. By using the right tools, processes and training customer satisfaction increases.
An example of using a solution would be improving communication or enabling personalized services and quick responses to inquiries. A self-service portal, for example, can guide customers quickly to the answers they are looking for.
3. Competitive advantage
The right IT solution helps companies gain valuable advantages over the competition. For example, automated processes or targeted workflow management can lead to faster and more cost-effective work. AI and IoT technologies also make it possible to develop new products, services or business models,
4. More security and compliance
The right IT solutions lead to better security in a variety of ways. Examples include data encryption, access controls, backups and restores.
Professional device management – the proper administration of various devices – also provides effective protection against unauthorized access or data loss.
In addition, the right IT solutions support compliance with legal requirements, which is particularly important in highly regulated industries.
5. Better decision-making
IT can pave the way for clarity and documentation of data that drives better decisions.
Data can “nudge” targeted user behavior. Applications such as AI-based summaries can provide a quick overview of complex processes. This means a quick decision about the next step can be made.
Remember: the cost-benefit ratio must be right
IT solutions offer many other solutions too. Examples include an optimized user experience, 24/7 service and cost savings through proven IT solution providers.
But, it is crucial that the cost-benefit ratio is high. Companies should have clarity on how they will benefit from selected solutions. Where this can vary greatly from company to company, steps such as a company-specific selection makes sense.
Solving customer problems
OTRS offers customized IT solutions that can be used for many different purposes across all industries. Through good adaptability, fast implementation and reliable local support OTRS customers solve a vast number of operational problems.
If you have a problem, you should look for a suitable solution as quickly as possible – and find it. This is no different in IT. The subtle difference is that IT often forms the basis for a company’s success.
It is important to point out the difference between pure software and an IT solution. A solution solves a business problem by using software, services, processes and more.
Users benefit from the focus on finding benefit-oriented answers to their problems. This includes options that improve upon processes and workflows, security and data-driven – decisions.
Find out how you can best benefit from OTRS IT solutions.
About OTRS
OTRS (originally Open-Source Ticket Request System) is a service management suite. The suite contains an agent portal, admin dashboard and customer portal. In the agent portal, teams process tickets and requests from customers (internal or external). There are various ways in which this information, as well as customer and related data can be viewed. As the name implies, the admin dashboard allows system administrators to manage the system: Options are many, but include roles and groups, process automation, channel integration, and CMDB/database options. The third component, the customer portal, is much like a customizable webpage where information can be shared with customers and requests can be tracked on the customer side.
About Version 2 Digital
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
Researchers at AhnLab Security Intelligence Center (ASEC) recently published a report on the Andariel threat group, a DPRK state-sponsored APT active for over a decade, that has been leveraging RID hijacking and user account concealment techniques in its operations to stealthily maintain privileged access to compromised Windows systems.
This blog post explores hands-on how RID hijacking and hidden backdoor accounts work in Andariel’s attack chain, and how Graylog Security can be used to detect and analyze similar activity in an organization’s network.
What is RID Hijacking?
The RID, or Relative Identifier, uniquely identifies a user in Windows as part of its Security Identifier (SID). When a user logs on, the system retrieves the SID for that user from the local Security Account Manager (SAM) database and places it in the user’s access token to identify it in subsequent interactions. The local Administrator account RID is always 500, and standard user RIDs usually start at 1001.
RID hijacking is a technique discovered by Sebastian Castro that involves modifying the RID value of a low-privileged account to match the value of a privileged account such as local Administrator by manipulating the SAM database. As a result, the operating system mistakenly grants elevated privileges to the originally restricted account, allowing the attacker to execute privileged commands as that user.
This technique is particularly stealthy because the activity in event logs will still be associated with the low-privilege user and there is often less scrutiny applied to standard accounts.
However, there is a caveat to the technique – it requires SYSTEM level privileges to access and modify user information in the SAM, which resides in a protected registry key.
Attack Demonstration
According to the report from AhnLab, the threat actor’s RID hijacking process consists of the following stages. We’ll use this model as we walk through the attack in a lab environment.
The RID Hijacking attack process referenced from AhnLab
Our lab consists of a Windows 10 Enterprise system with auditing enabled for process execution (command line included), account logon and management, registry, and SAM access. Script block logging is also turned on.
System, Security, and PowerShell/Operational event logs are sent via Winlogbeat to a Graylog Enterprise 6.0.1 instance with Illuminate 6.1 installed to enable parsing and enrichment.
Stage 1: SYSTEM Privilege Escalation
We’ll assume initial access to the Windows system and start off with an elevated admin user. However, in order to access the SAM registry hive, we need SYSTEM. To do this, we can use exploits like JuicyPotato or tools like PsExec, a Microsoft Sysinternals tool often abused by adversaries for lateral movement and privilege escalation. We’ll spawn a PowerShell session using PsExec with the -s argument:
PsExec.exe -s -i powershell.exe
The output of whoami /user in the shell confirms that we’re now running as SYSTEM.
In Graylog, we can see a common indicator of Sysinternals PsExec activity, Event ID 7045 Remote Service Creation with the default service name PSEXESVC. Following the subsequent events (ordered bottom to top) we see our whoami command executed as Local System.
Stage 2: Create User Account
Having obtained SYSTEM, the adversary proceeded to create a hidden local user account and add it to privileged groups. These are the commands used:
net user admin$ admin@123 /add
net localgroup “Remote Desktop Users” “admin$” /add
net localgroup “Administrators” “admin$” /add
The trick to hiding the user here is the $ at the end of the username. It’s an old school technique that imitates computer accounts which are hidden from some user listing options – note that the newly created user isn’t shown in the output of net user.
In Graylog we see the commands as event ID 4688 labeled as “process started”, and additional labels for 4720 “account created” and 4732 “group member added”.
Stage 3: Modify the RID Value in Registry
Before demonstrating the RID hijack, let’s see what the current RID value and permissions are for the user admin$. We’ll open a separate command prompt and spawn a shell as that user using runas:
runas /user:admin$ cmd
Then, execute whoami commands in that shell. As shown, the user’s current RID is 1009 and its privileges are limited as expected for a standard user.
Well, as the chefs say, elevate it!
Back to the PowerShell session as SYSTEM, we can run regedit.exe to open the GUI registry editor in the same privilege context.
User information is stored in the SAM hive in unique subkeys under:
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users
Each subkey corresponds to an account where the key name is the hexadecimal representation of the decimal user RID. The value 1009 for admin$ translates to 0x3F1, so we’re looking at the key 000003F1.
Within key 000003F1 the actual RID can be found in the value F which contains binary data. As highlighted, the RID value is located at offset 30 and stored in little-endian format.
To execute the hijack, we need to overwrite this value with the local Administrator RID of 500 (0x1F4) converted to little-endian as shown below.
With that modification, admin$ should now be given the elevated RID 500 upon logon. If we open a new command prompt as the user and run whoami /user, we see the new hijacked RID, though the rest of the SID stays unchanged. Running whoami /priv shows that the user has been granted admin privileges.
We can hunt in Graylog for activity associated with non-Administrator accounts that have the RID 500 using the following query:
NOT user_name:administrator AND user_id:/.*\-500/
This query might result in false positives if the administrator account is renamed. We can further specify it to target both RID hijacking and user accounts mimicking machine names.
user_name:/.*\$/ AND user_id:/.*\-500/
Custom and Open-source Tooling
AhnLab Report
Manually altering SAM user information in the registry editor is good for demonstration, but it isn’t necessarily what threat actors are doing.
The AhnLab report details that Andariel utilized two distinct custom tools to automate the RID hijacking attack process. One of the tools named CreateHiddenAccount is open-source and available on GitHub.
AhnLab breaks down the differences between the tools quite well in its report:
Differences in tool behavior referenced from AhnLab
CreateHiddenAccount is particularly interesting since it can work without SYSTEM privileges. It still needs access to the SAM registry key, so it employs the Windows CLI program regini to edit the registry through a .ini file. The file contains parameters to open up the SAM registry key access permissions to allow modification with administrator privileges.
Let’s execute the CreateHiddenAccount tool in a fresh Graylog lab to see what events are produced. First, download the UPX packed variant to the Windows host.
The command line arguments require the hidden user to create (the $ is appended automatically) and the target user whose RID will be cloned. Here, we’re again creating the user admin$ and targeting the local admin RID.
The tool produces some interesting events to analyze in Graylog. Directly after execution we see regini.exe being used to modify the access control rules of the SAM registry key.
Following that is a flurry of user enumeration events and account creation for admin$. Interestingly, we see the tool deleting the hidden user then silently importing a .reg file using regedit. What’s happening here is that the tool already populated the import file with information from the user registry key before it was deleted, and modified the RID in the file to match Administrator’s. This is an additional step to hide the created user as once the registry key is restored, the user becomes hidden from additional user list interfaces.
Those with their detection hat on might notice that the filenames are notably unique and static throughout the tool execution. These names are actually hardcoded in the source code, seen in the function below.
This presents an opportunity to detect CreateHiddenAccount execution via child process command lines where the unique filenames are present. Note though that this is considered a brittle detection – while it can reliably identify this particular version of CreateHiddenAccount unmodified, it is trivial for the adversary to change these filenames in the source before compiling to an executable.
Nonetheless, it’s useful in a threat hunt or to detect the vanilla tool. We can use the following query:
process_command_line:(/.*N2kvMLEQiiHHNWXFpEg7uaNmcu9ic95j8\.ini/ OR /.*sTRmxJkRFoTFaPRXBeavZhjaAYNvpYko\.reg/)
The tool by itself doesn’t do much in the way of behavior obfuscation or sandbox evasion. Querying its hash on VirusTotal returns some damning results.
Further Attempts to Hide Users
In addition to hiding the backdoor user account with a username ending in $, the custom tool used by Andariel attempts to further conceal the account through deletion and registry import operations. We analyzed a similar feature in CreateHiddenAccount, but now we’ll carry out the technique separately and see what can be gleaned from the logs.
As demonstrated below, we repeat the steps of SYSTEM privilege escalation and hidden user account creation, but this time we run a PowerShell download cradle to fetch and execute in-memory a RID hijacking script from GitHub. This leaves us with the account given administrator privileges without further action to conceal it.
D) Restore the user by importing the registry files containing the user keys information
reg import names.reg
reg import users.reg
By using this method, admin$ is no longer displayed in Computer Management, at least until a system reboot.
Every step of the execution can be seen in Graylog.
Detections
We’ve provided Sigma rules below to detect the following aspects of the attack chain:
Hidden user account with Administrator RID
RID hijacking via CreateHiddenAccount
Export of SAM users registry keys via reg.exe
With Graylog Security, we can manually add these rules and configure timed search intervals to detect the activity in our log ingest.
The Sigma engine in Graylog provides an option to search the logs using the detector before deployment. This way you can also see the exact search query the rule translates to.
Rule #1
title: Illuminate - Hidden User Account With Administrator RID
id: 531bfab7-d18c-4f51-bae0-64cf38cae3d5
status: experimental
description: Detects special privileges assigned to a hidden account manipulated with admin RID hijacking
references:
- https://asec.ahnlab.com/en/85942/
author: JL (Graylog)
date: 2025/02/04 # Graylog format
tags:
- attack.privilege-escalation
- attack.t1078
- attack.persistence
- attack.t1098
logsource:
product: windows
service: security
detection:
selection_event:
EventID: 4672
selection_name:
SubjectUserName|endswith: '$'
selection_rid:
SubjectUserSid|endswith: '-500'
condition: all of selection*
falsepositives:
- Unknown
level: high
Rule #2
title: Illuminate - RID Hijacking Via CreateHiddenAccount
id: 8b8fdf38-4e34-4d7b-bdaa-b3b9920fb80b
status: experimental
description: Detects the open-source tool CreateHiddenAccount (unmodified) used by Andariel threat group for RID hijacking
references:
- https://github.com/wgpsec/CreateHiddenAccount/
- https://asec.ahnlab.com/en/85942/
author: JL (Graylog)
date: 2025/02/04 # Graylog format
tags:
- attack.privilege-escalation
- attack.t1078
- attack.persistence
- attack.t1136.001
- attack.t1098
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- 'N2kvMLEQiiHHNWXFpEg7uaNmcu9ic95j8' # regini .N2kvMLEQiiHHNWXFpEg7uaNmcu9ic95j8.ini
- 'sTRmxJkRFoTFaPRXBeavZhjaAYNvpYko' # regedit /s .sTRmxJkRFoTFaPRXBeavZhjaAYNvpYko.reg
condition: selection
falsepositives:
- Unknown
level: high
Rule #3
title: Illuminate - Export of SAM Users Registry Keys Via Reg.exe
id: 0709625a-4703-47ba-acfd-3beaa4d0f1dc
status: experimental
description: Detects export of SAM user account information via reg export
references:
- https://asec.ahnlab.com/en/85942/
author: JL (Graylog)
date: 2025/02/04 # Graylog format
tags:
- attack.credential_access
- attack.t1003.002
- attack.persistence
- attack.t1098
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- 'export'
- 'hklm\sam\sam\domains\account\users\'
condition: selection
falsepositives:
- Administrative scripts or forensic investigations
level: high
Graylog Detections
Graylog has provided the Sigma Rules here to share threat detection intelligence with those not running Graylog Security. Note that Graylog Security customers receive a content feed including Sigma Rules, Anomaly Detectors, and Dashboards, and other content to meet various security use cases. For more about Sigma Rules, see our recent blog “The Ultimate Guide to Sigma Rules”
About Graylog At Graylog, our vision is a secure digital world where organizations of all sizes can effectively guard against cyber threats. We’re committed to turning this vision into reality by providing Threat Detection & Response that sets the standard for excellence. Our cloud-native architecture delivers SIEM, API Security, and Enterprise Log Management solutions that are not just efficient and effective—whether hosted by us, on-premises, or in your cloud—but also deliver a fantastic Analyst Experience at the lowest total cost of ownership. We aim to equip security analysts with the best tools for the job, empowering every organization to stand resilient in the ever-evolving cybersecurity landscape.
About Version 2 Digital
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
Migrating away from VMware can seem overwhelming, with fears of complexity and downtime creating uncertainty about where to start and how to proceed. But it doesn’t have to be that way. In our latest video, Scale Computing CEO Jeff Ready explains how our entire team has spent years perfecting the migration process, ensuring that customers enjoy a smoother, simpler path to IT modernization.
For many organizations, the first hurdle in considering a VMware alternative is the migration process itself. Will it integrate with our existing infrastructure and tools? What about the ecosystem of backup and security software tied to VMware? As Jeff explains, Scale Computing has been tackling these challenges for years, long before Broadcom’s acquisition of VMware. Armed with the right tools and the infrastructure experts at the ready to ensure a seamless and efficient transition, we’re here to help guide you through every step of your migration journey.
Scale Computing’s tailored approach ensures that each migration is optimized for each customer’s unique environment. Jeff further explains how Scale Computing leverages a diverse set of tools and methodologies across a broad spectrum of use cases to successfully migrate practically every type of application from VMware to the SC//Platform. The collective expertise of our team ensures that our customers and partners can be fully confident that their workloads will transition smoothly and that their IT systems will remain resilient both during and after the move.
However, what really makes Scale Computing stand out from the crowd isn’t just our migration expertise, but SC//Platform itself. Unlike VMware, which was developed decades ago, Scale Computing continues to actively invest in the latest groundbreaking automation and AI technologies into its solutions. As one of the top five VMware alternatives recommended by DCIG, Scale Computing offers not just a replacement but a significant upgrade that enables organizations to reduce complexity, enhance performance, and future-proof their IT operations.
If you’ve been considering moving away from VMware but are wary of the potential complications, it’s time to rethink what’s possible. Watch the full video to hear Jeff explain how Scale Computing delivers a seamless, stress-free migration experience and why we’re recognized as a leader in VMware alternatives.
About Scale Computing Scale Computing is a leader in edge computing, virtualization, and hyperconverged solutions. Scale Computing HC3 software eliminates the need for traditional virtualization software, disaster recovery software, servers, and shared storage, replacing these with a fully integrated, highly available system for running applications. Using patented HyperCore™ technology, the HC3 self-healing platform automatically identifies, mitigates, and corrects infrastructure problems in real-time, enabling applications to achieve maximum uptime. When ease-of-use, high availability, and TCO matter, Scale Computing HC3 is the ideal infrastructure platform. Read what our customers have to say on Gartner Peer Insights, Spiceworks, TechValidate and TrustRadius.
About Version 2 Digital
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
