T1134.005 SID-History Injection
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens.[1] An account can hold additional SIDs in the SID-History Active Directory attribute[2], allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
With Domain Administrator (or equivalent) rights, harvested or well-known SID values[3] may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as Remote Services, SMB/Windows Admin Shares, or Windows Remote Management.
| Item | Value | 
|---|---|
| ID | T1134.005 | 
| Sub-techniques | T1134.001, T1134.002, T1134.003, T1134.004, T1134.005 | 
| Tactics | TA0005, TA0004 | 
| Platforms | Windows | 
| Permissions required | Administrator, SYSTEM | 
| Version | 1.0 | 
| Created | 18 February 2020 | 
| Last Modified | 09 February 2021 | 
Procedure Examples
| ID | Name | Description | 
|---|---|---|
| S0363 | Empire | Empire can add a SID-History to a user if on a domain controller.[12] |
| S0002 | Mimikatz | Mimikatz's MISC::AddSid module can append any SID or user/group account to a user's SID-History. Mimikatz also utilizes SID-History Injection to expand the scope of other components such as generated Kerberos Golden Tickets and DCSync beyond a single domain.[11][10] |
Mitigations
| ID | Mitigation | Description | 
|---|---|---|
| M1015 | Active Directory Configuration | Clean up SID-History attributes after legitimate account migration is complete. | 
Detection
| ID | Data Source | Data Component | 
|---|---|---|
| DS0026 | Active Directory | Active Directory Object Modification | 
| DS0009 | Process | OS API Execution | 
| DS0002 | User Account | User Account Metadata | 
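As an added defender-side example (not part of the ATT&CK entry), the audit below works over SID-History values exported from Active Directory (for instance with `Get-ADUser -Filter * -Properties SIDHistory`, reference 4) and flags entries that a legitimate migration would not produce: SIDs from the current domain, SIDs from a domain that is not a known migration source, and the well-known privileged RIDs and SIDs from reference 3. The account records, domain SIDs and migration-source list are constructed sample values, not data from any real domain.

```python
import re

# Well-known RIDs of high-privilege domain accounts/groups (Microsoft's well-known SID list).
PRIVILEGED_RIDS = {500: "Administrator", 512: "Domain Admins", 516: "Domain Controllers",
                   518: "Schema Admins", 519: "Enterprise Admins"}
# Well-known non-domain SIDs that grant broad rights if they end up in an access token.
WELL_KNOWN_PRIVILEGED = {"S-1-5-32-544": "BUILTIN\\Administrators"}
# Domain SID prefix (S-1-5-21-A-B-C) followed by the relative identifier.
DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def audit_sid_history(accounts, local_domain_sid, migration_source_sids):
    """Return (samAccountName, sid, reason) tuples for SID-History values that do not
    look like the product of a legitimate cross-domain migration."""
    findings = []
    for acct in accounts:
        name = acct["SamAccountName"]
        for sid in acct.get("SIDHistory", []):
            if sid in WELL_KNOWN_PRIVILEGED:
                findings.append((name, sid, "well-known privileged SID " + WELL_KNOWN_PRIVILEGED[sid]))
                continue
            match = DOMAIN_SID_RE.match(sid)
            if not match:
                findings.append((name, sid, "unparseable SID-History value"))
                continue
            domain_sid, rid = match.group(1), int(match.group(2))
            if domain_sid == local_domain_sid:
                # A migration only ever carries SIDs from the *source* domain into SID-History.
                findings.append((name, sid, "SID from the current domain"))
            elif domain_sid not in migration_source_sids:
                findings.append((name, sid, "SID from a domain that is not a known migration source"))
            if rid in PRIVILEGED_RIDS:
                findings.append((name, sid, f"privileged RID {rid} ({PRIVILEGED_RIDS[rid]})"))
    return findings


# Constructed sample data: the current domain, one legitimate migration source, and five accounts.
LOCAL_DOMAIN_SID = "S-1-5-21-1000-2000-3000"
MIGRATION_SOURCES = {"S-1-5-21-4000-5000-6000"}
SAMPLE_ACCOUNTS = [
    {"SamAccountName": "jdoe", "SIDHistory": ["S-1-5-21-4000-5000-6000-1105"]},  # clean migration
    {"SamAccountName": "svc_backup", "SIDHistory": ["S-1-5-21-1000-2000-3000-519"]},  # local EA SID
    {"SamAccountName": "ctemp", "SIDHistory": ["S-1-5-21-4000-5000-6000-512"]},  # source-domain DA
    {"SamAccountName": "bsmith", "SIDHistory": ["S-1-5-32-544"]},  # BUILTIN\Administrators
    {"SamAccountName": "nohist", "SIDHistory": []},
]

if __name__ == "__main__":
    for name, sid, reason in audit_sid_history(SAMPLE_ACCOUNTS, LOCAL_DOMAIN_SID, MIGRATION_SOURCES):
        print(f"{name}: {sid} -> {reason}")
```

Accounts that appear in the output are candidates for the clean-up described under M1015; anything flagged as a local-domain or well-known privileged SID has no migration explanation at all.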
References
1. Microsoft. (n.d.). Security Identifiers. Retrieved November 30, 2017.
2. Microsoft. (n.d.). Active Directory Schema - SID-History attribute. Retrieved November 30, 2017.
3. Microsoft. (2017, June 23). Well-known security identifiers in Windows operating systems. Retrieved November 30, 2017.
4. Microsoft. (n.d.). Active Directory Cmdlets - Get-ADUser. Retrieved November 30, 2017.
5. Metcalf, S. (2015, September 19). Sneaky Active Directory Persistence #14: SID History. Retrieved November 30, 2017.
6. Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November 30, 2017.
7. Microsoft. (2014, November 19). Security Considerations for Trusts. Retrieved November 30, 2017.
8. Microsoft. (n.d.). Configuring SID Filter Quarantining on External Trusts. Retrieved November 30, 2017.
9. Microsoft. (2012, September 11). Command-Line Reference - Netdom Trust. Retrieved November 30, 2017.
10. Metcalf, S. (2015, August 7). Kerberos Golden Tickets are Now More Golden. Retrieved December 1, 2017.
11. Metcalf, S. (2015, November 13). Unofficial Guide to Mimikatz & Command Reference. Retrieved December 23, 2015.
12. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.