T1134.005 SID-History Injection Mappings

Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).

With Domain Administrator (or equivalent) rights, harvested or well-known SID values (Citation: Microsoft Well Known SIDs Jun 2017) may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as Remote Services, SMB/Windows Admin Shares, or Windows Remote Management.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AC-20 Use of External Systems Protects T1134.005 SID-History Injection
AC-03 Access Enforcement Protects T1134.005 SID-History Injection
AC-04 Information Flow Enforcement Protects T1134.005 SID-History Injection
AC-05 Separation of Duties Protects T1134.005 SID-History Injection
AC-06 Least Privilege Protects T1134.005 SID-History Injection
CM-02 Baseline Configuration Protects T1134.005 SID-History Injection
CM-06 Configuration Settings Protects T1134.005 SID-History Injection
SA-11 Developer Testing and Evaluation Protects T1134.005 SID-History Injection
SA-17 Developer Security and Privacy Architecture and Design Protects T1134.005 SID-History Injection
SA-04 Acquisition Process Protects T1134.005 SID-History Injection
SA-08 Security and Privacy Engineering Principles Protects T1134.005 SID-History Injection
SC-03 Security Function Isolation Protects T1134.005 SID-History Injection
DEF-SECA-E3 Security Alerts Technique Scores T1134.005 SID-History Injection
Comments
Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct. Defender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links: Reconnaissance and discovery alerts Persistence and privilege escalation alerts Credential access alerts Lateral movement alerts Other alerts License: A Microsoft 365 security product license entitles customer use of Microsoft Defender XDR.
References