T1134.005 SID-History Injection Mappings

Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).

With Domain Administrator (or equivalent) rights, harvested or well-known SID values (Citation: Microsoft Well Known SIDs Jun 2017) may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as Remote Services, Windows Admin Shares, or Windows Remote Management.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AC-20 Use of External Systems Protects T1134.005 SID-History Injection
AC-3 Access Enforcement Protects T1134.005 SID-History Injection
AC-4 Information Flow Enforcement Protects T1134.005 SID-History Injection
AC-5 Separation of Duties Protects T1134.005 SID-History Injection
AC-6 Least Privilege Protects T1134.005 SID-History Injection
CM-2 Baseline Configuration Protects T1134.005 SID-History Injection
CM-6 Configuration Settings Protects T1134.005 SID-History Injection
SA-11 Developer Testing and Evaluation Protects T1134.005 SID-History Injection
SA-17 Developer Security and Privacy Architecture and Design Protects T1134.005 SID-History Injection
SA-4 Acquisition Process Protects T1134.005 SID-History Injection
SA-8 Security and Privacy Engineering Principles Protects T1134.005 SID-History Injection
SC-3 Security Function Isolation Protects T1134.005 SID-History Injection
azure_sentinel Azure Sentinel technique_scores T1134.005 SID-History Injection
Comments
The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can be used to make tokens via Invoke-RunAs and add a SID-History to a user if on a domain controller, but does not address other procedures.
References
    azure_ad_identity_secure_score Azure AD Identity Secure Score technique_scores T1134.005 SID-History Injection
    Comments
    This control's "Remove unsecure SID history attributes from entities" recommendation promotes running the "Unsecure SID history attributes" report periodically which can lead to identifying accounts with SID History attributes which Microsoft Defender for Identity profiles to be risky. Because this is a recommendation and not actually enforced, coupled with the detection its assessed score is capped at Partial.
    References