Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
With Domain Administrator (or equivalent) rights, harvested or well-known SID values (Citation: Microsoft Well Known SIDs Jun 2017) may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as Remote Services, SMB/Windows Admin Shares, or Windows Remote Management.
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-20 | Use of External Systems | Protects | T1134.005 | SID-History Injection | |
AC-03 | Access Enforcement | Protects | T1134.005 | SID-History Injection | |
AC-04 | Information Flow Enforcement | Protects | T1134.005 | SID-History Injection | |
AC-05 | Separation of Duties | Protects | T1134.005 | SID-History Injection | |
AC-06 | Least Privilege | Protects | T1134.005 | SID-History Injection | |
CM-02 | Baseline Configuration | Protects | T1134.005 | SID-History Injection | |
CM-06 | Configuration Settings | Protects | T1134.005 | SID-History Injection | |
SA-11 | Developer Testing and Evaluation | Protects | T1134.005 | SID-History Injection | |
SA-17 | Developer Security and Privacy Architecture and Design | Protects | T1134.005 | SID-History Injection | |
SA-04 | Acquisition Process | Protects | T1134.005 | SID-History Injection | |
SA-08 | Security and Privacy Engineering Principles | Protects | T1134.005 | SID-History Injection | |
SC-03 | Security Function Isolation | Protects | T1134.005 | SID-History Injection | |
DEF-SECA-E3 | Security Alerts | Technique Scores | T1134.005 | SID-History Injection |
Comments
Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.
Defender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:
Reconnaissance and discovery alerts
Persistence and privilege escalation alerts
Credential access alerts
Lateral movement alerts
Other alerts
License: A Microsoft 365 security product license entitles customer use
of Microsoft Defender XDR.
References
|