1. Home
  2. ATT&CK Techniques
  3. T1134.005 SID-History Injection

T1134.005 SID-History Injection

Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).

With Domain Administrator (or equivalent) rights, harvested or well-known SID values (Citation: Microsoft Well Known SIDs Jun 2017) may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as Remote Services, SMB/Windows Admin Shares, or Windows Remote Management.

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.AA-01.01 Identity and credential management Mitigates T1134.005 SID-History Injection
Comments
This diagnostic statement protects against SID-History Injection through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References

    NIST 800-53 Mappings

    Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
    IA-13 Identity Providers and Authorization Servers mitigates T1134.005 SID-History Injection
    CM-06 Configuration Settings mitigates T1134.005 SID-History Injection
    SA-17 Developer Security and Privacy Architecture and Design mitigates T1134.005 SID-History Injection
    SA-04 Acquisition Process mitigates T1134.005 SID-History Injection
    SC-03 Security Function Isolation mitigates T1134.005 SID-History Injection
    AC-20 Use of External Systems mitigates T1134.005 SID-History Injection
    CM-02 Baseline Configuration mitigates T1134.005 SID-History Injection
    SA-11 Developer Testing and Evaluation mitigates T1134.005 SID-History Injection
    SA-08 Security and Privacy Engineering Principles mitigates T1134.005 SID-History Injection
    AC-03 Access Enforcement mitigates T1134.005 SID-History Injection
    AC-04 Information Flow Enforcement mitigates T1134.005 SID-History Injection
    AC-05 Separation of Duties mitigates T1134.005 SID-History Injection
    AC-06 Least Privilege mitigates T1134.005 SID-History Injection

    GCP Mappings

    Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
    google_secops Google Security Operations technique_scores T1134.005 SID-History Injection
    Comments
    Google Security Ops is able to trigger an alert based on successful and failed changes to SID-History. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/active_directory_security/windows/addition_of_sid_history_to_active_directory_object.yaral
    References
    1. ['https://cloud.google.com/security/products/security-operations'
    2. 'https://cloud.google.com/chronicle/docs/secops/secops-overview'
    3. 'https://github.com/chronicle/detection-rules']