Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
With Domain Administrator (or equivalent) rights, harvested or well-known SID values (Citation: Microsoft Well Known SIDs Jun 2017) may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as Remote Services, Windows Admin Shares, or Windows Remote Management.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-20 | Use of External Systems | Protects | T1134.005 | SID-History Injection | |
AC-3 | Access Enforcement | Protects | T1134.005 | SID-History Injection | |
AC-4 | Information Flow Enforcement | Protects | T1134.005 | SID-History Injection | |
AC-5 | Separation of Duties | Protects | T1134.005 | SID-History Injection | |
AC-6 | Least Privilege | Protects | T1134.005 | SID-History Injection | |
CM-2 | Baseline Configuration | Protects | T1134.005 | SID-History Injection | |
CM-6 | Configuration Settings | Protects | T1134.005 | SID-History Injection | |
SA-11 | Developer Testing and Evaluation | Protects | T1134.005 | SID-History Injection | |
SA-17 | Developer Security and Privacy Architecture and Design | Protects | T1134.005 | SID-History Injection | |
SA-4 | Acquisition Process | Protects | T1134.005 | SID-History Injection | |
SA-8 | Security and Privacy Engineering Principles | Protects | T1134.005 | SID-History Injection | |
SC-3 | Security Function Isolation | Protects | T1134.005 | SID-History Injection | |
azure_sentinel | Azure Sentinel | technique_scores | T1134.005 | SID-History Injection | The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can be used to make tokens via Invoke-RunAs and add a SID-History to a user if run on a domain controller, but it does not address other procedures. |
azure_ad_identity_secure_score | Azure AD Identity Secure Score | technique_scores | T1134.005 | SID-History Injection | This control's "Remove unsecure SID history attributes from entities" recommendation promotes periodically running the "Unsecure SID history attributes" report, which can identify accounts whose SID-History attributes Microsoft Defender for Identity profiles as risky. Because this is a recommendation rather than an enforced control, and it is coupled with detection, its assessed score is capped at Partial. |
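As an added defensive example (not code from this page, MITRE, or Microsoft's report), the following PowerShell implements the kind of audit the "Unsecure SID history attributes" recommendation above describes, using the well-known privileged SIDs the technique description mentions: it lists directory objects whose sIDHistory holds a privileged RID, BUILTIN\Administrators, or a SID belonging to the account's own domain. The ActiveDirectory module, the RID list, and the same-domain rule are assumptions.

```powershell
# Added example, not code from the ATT&CK page, MITRE or Microsoft: audit every
# AD object whose sIDHistory attribute carries a SID that a legitimate migration
# should never have left there. Assumes the ActiveDirectory (RSAT) module and
# read access to sIDHistory; the RID list is an assumption drawn from the
# Microsoft well-known SIDs cited on the page.
Import-Module ActiveDirectory

# Well-known domain RIDs that carry administrative rights (500 Administrator,
# 512 Domain Admins, 516 Domain Controllers, 518 Schema Admins, 519 Enterprise Admins)
$PrivilegedRids = 500, 512, 516, 518, 519
$BuiltinAdministrators = 'S-1-5-32-544'

# SID-History entries should originate from a *source* domain during migration;
# an entry that belongs to the account's own domain has no legitimate origin.
$CurrentDomainSid = (Get-ADDomain).DomainSID.Value

function Get-UnsecureSidHistory {
    Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory, objectClass |
        ForEach-Object {
            $obj = $_
            foreach ($entry in $obj.sIDHistory) {
                $sid = [string]$entry                       # SDDL form, e.g. S-1-5-21-...-519
                $reasons = @()
                if ($sid -eq $BuiltinAdministrators) {
                    $reasons += 'BUILTIN\Administrators'
                }
                if ($sid -like 'S-1-5-21-*') {              # only domain SIDs have a meaningful RID
                    $lastDash = $sid.LastIndexOf('-')
                    $domain   = $sid.Substring(0, $lastDash)
                    $rid      = [int]($sid.Substring($lastDash + 1))
                    if ($PrivilegedRids -contains $rid) { $reasons += "privileged RID $rid" }
                    if ($domain -eq $CurrentDomainSid)  { $reasons += 'SID from the current domain' }
                }
                if ($reasons.Count -gt 0) {
                    [pscustomobject]@{
                        Account    = $obj.DistinguishedName
                        Class      = $obj.objectClass
                        SidHistory = $sid
                        Reason     = $reasons -join '; '
                    }
                }
            }
        }
}

Get-UnsecureSidHistory | Format-Table -AutoSize
```

Any row returned is a candidate for removal of the offending sIDHistory value after confirming with the migration owners that it is not still needed.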