T1134.005 SID-History Injection

Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).

With Domain Administrator (or equivalent) rights, harvested or well-known SID values (Citation: Microsoft Well Known SIDs Jun 2017) may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as Remote Services, SMB/Windows Admin Shares, or Windows Remote Management.


CRI Profile Mappings

Capability ID: PR.AA-01.01
Capability Description: Identity and credential management
Mapping Type: Mitigates
ATT&CK ID: T1134.005
ATT&CK Name: SID-History Injection
Comments: This diagnostic statement protects against SID-History Injection through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References

Azure Mappings

Capability ID: microsoft_sentinel
Capability Description: Microsoft Sentinel
Mapping Type: technique_scores
ATT&CK ID: T1134.005
ATT&CK Name: SID-History Injection
Comments: The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can be used to make tokens via Invoke-RunAs and add a SID-History to a user if on a domain controller, but does not address other procedures.
References

GCP Mappings

Capability ID: google_secops
Capability Description: Google Security Operations
Mapping Type: technique_scores
ATT&CK ID: T1134.005
ATT&CK Name: SID-History Injection
Comments: Google Security Ops is able to trigger an alert based on successful and failed changes to SID-History. This technique was scored as minimal based on a low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/active_directory_security/windows/addition_of_sid_history_to_active_directory_object.yaral
References

M365 Mappings

Capability ID: DEF-SECA-E3
Capability Description: Security Alerts
Mapping Type: Technique Scores
ATT&CK ID: T1134.005
ATT&CK Name: SID-History Injection
Comments: Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct. Defender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:
- Reconnaissance and discovery alerts
- Persistence and privilege escalation alerts
- Credential access alerts
- Lateral movement alerts
- Other alerts
License: A Microsoft 365 security product license entitles customer use of Microsoft Defender XDR.
References

Capability ID: EID-IDSS-E3
Capability Description: Identity Secure Score
Mapping Type: Technique Scores
ATT&CK ID: T1134.005
ATT&CK Name: SID-History Injection
Comments: This control's "Remove unsecure SID history attributes from entities" recommendation promotes running the "Unsecure SID history attributes" report periodically, which can identify accounts with SID-History attribute values that Microsoft Defender for Identity profiles as risky. Because this is a recommendation and not actually enforced, its assessed score, coupled with the detection, is capped at Partial.
References
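The technique description above notes that every value in an account's SID-History is included in its access token, and the Identity Secure Score mapping describes a periodic report that finds accounts whose SID-History values are risky. The following Python script is an added example of such a check; it is not code from this mappings page, from Microsoft, or from the Google detection rule linked above. It assumes that the account records (here a constructed sample list) have already been pulled from Active Directory with their sIDHistory attribute, for instance via an LDAP query, and it flags history values that carry a well-known privileged RID or built-in group SID (values from Microsoft's well-known SID list). The additional check that a history value belongs to the local domain is a heuristic assumption of this example: a migrated SID should come from the source domain, so a same-domain value was not produced by migration.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Well-known RIDs (domain-relative) and built-in group SIDs that a migrated
# account should never carry in sIDHistory. Values from Microsoft's published
# well-known SID list.
PRIVILEGED_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    518: "Schema Admins",
    519: "Enterprise Admins",
}
PRIVILEGED_BUILTIN = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-548": "Account Operators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-551": "Backup Operators",
}

# Domain SIDs have the shape S-1-5-21-<a>-<b>-<c>-<RID>.
DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def classify_sid(sid: str, local_domain_sid: str) -> List[str]:
    """Return the reasons a sIDHistory value is risky (empty list if none)."""
    reasons: List[str] = []
    if sid in PRIVILEGED_BUILTIN:
        reasons.append(f"built-in {PRIVILEGED_BUILTIN[sid]} group")
    match = DOMAIN_SID_RE.match(sid)
    if match:
        domain_part, rid = match.group(1), int(match.group(2))
        if rid in PRIVILEGED_RIDS:
            reasons.append(f"privileged RID {rid} ({PRIVILEGED_RIDS[rid]})")
        if domain_part == local_domain_sid:
            # Heuristic (assumption of this example): legitimate migration
            # copies SIDs from a foreign source domain, so a local-domain SID
            # in history was not created by migration.
            reasons.append("SID belongs to the local domain")
    return reasons


def audit_sid_history(
    accounts: Iterable[Dict[str, object]], local_domain_sid: str
) -> Dict[str, List[Tuple[str, List[str]]]]:
    """Map each account name to the (sid, reasons) pairs that were flagged."""
    findings: Dict[str, List[Tuple[str, List[str]]]] = {}
    for acct in accounts:
        history = acct.get("sIDHistory") or []
        for sid in history:  # type: ignore[union-attr]
            reasons = classify_sid(str(sid), local_domain_sid)
            if reasons:
                findings.setdefault(str(acct["sAMAccountName"]), []).append((str(sid), reasons))
    return findings


# Constructed sample data (not real domain SIDs): the current domain and a
# decommissioned source domain that accounts were migrated from.
LOCAL_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
OLD_DOMAIN_SID = "S-1-5-21-4444444444-5555555555-6666666666"

SAMPLE_ACCOUNTS = [
    # Ordinary migrated user: history holds a regular RID from the old domain.
    {"sAMAccountName": "jdoe", "sIDHistory": [OLD_DOMAIN_SID + "-1105"]},
    # Old-domain Enterprise Admins SID in history: still grants that group's access.
    {"sAMAccountName": "svc-backup", "sIDHistory": [OLD_DOMAIN_SID + "-519"]},
    # Local Domain Admins SID plus built-in Administrators: no migration explains this.
    {"sAMAccountName": "tempuser", "sIDHistory": [LOCAL_DOMAIN_SID + "-512", "S-1-5-32-544"]},
    {"sAMAccountName": "alice", "sIDHistory": []},
]


if __name__ == "__main__":
    for name, hits in audit_sid_history(SAMPLE_ACCOUNTS, LOCAL_DOMAIN_SID).items():
        for sid, reasons in hits:
            print(f"{name}: {sid} -> {'; '.join(reasons)}")
```

On the sample data the script reports svc-backup and tempuser and leaves jdoe and alice alone. In a real run the `accounts` input would be built from the directory (the `sIDHistory` attribute of user, computer and group objects), and the local domain SID from the domain object itself; any hit is a candidate for the cleanup the "Remove unsecure SID history attributes from entities" recommendation calls for, after confirming with the owning team that no migration is still in progress.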