Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
With Domain Administrator (or equivalent) rights, harvested or well-known SID values (Citation: Microsoft Well Known SIDs Jun 2017) may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as Remote Services, SMB/Windows Admin Shares, or Windows Remote Management.
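As an added defender-side example (not part of the ATT&CK page or its mappings), the following PowerShell audit enumerates Active Directory objects whose sIDHistory attribute is populated and flags any historical SID whose RID belongs to a well-known privileged group; it assumes the RSAT ActiveDirectory module and read access to the directory, and the function names are the author's own.

```powershell
# Added audit example: list AD objects with a populated sIDHistory and flag
# entries that carry a well-known privileged RID. Assumes the RSAT
# ActiveDirectory module is installed and the caller can read the directory.

# Well-known RIDs that should not appear in sIDHistory without a documented
# migration behind them (Microsoft well-known SIDs, cited on the page).
$PrivilegedRids = @{
    '512' = 'Domain Admins'
    '518' = 'Schema Admins'
    '519' = 'Enterprise Admins'
    '544' = 'BUILTIN\Administrators'   # S-1-5-32-544
}

function Test-PrivilegedSid {
    # Returns the group name if the SID's final component (RID) is privileged, else $null.
    param([Parameter(Mandatory)][string]$Sid)
    $rid = ($Sid -split '-')[-1]
    if ($PrivilegedRids.ContainsKey($rid)) { return $PrivilegedRids[$rid] }
    return $null
}

function Get-SidHistoryFindings {
    # Query every object with a non-empty sIDHistory and emit one row per historical SID.
    Import-Module ActiveDirectory -ErrorAction Stop
    $objects = Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory, objectClass
    foreach ($obj in $objects) {
        foreach ($sid in $obj.sIDHistory) {
            $sidString = $sid.ToString()
            [pscustomobject]@{
                DistinguishedName = $obj.DistinguishedName
                ObjectClass       = $obj.objectClass
                HistoricalSid     = $sidString
                PrivilegedMatch   = Test-PrivilegedSid -Sid $sidString   # $null when not privileged
            }
        }
    }
}

# Rows with a non-empty PrivilegedMatch should be reconciled against migration
# records; any object in the same forest is a likely injection candidate.
Get-SidHistoryFindings | Sort-Object PrivilegedMatch -Descending | Format-Table -AutoSize
```

Because access tokens include every SID in sIDHistory, a hit on this audit means the object already holds that group's effective rights, so a baseline of expected migrated accounts (CM-2 in the table below) is what turns the list into alerts.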
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-20 | Use of External Systems | Protects | T1134.005 | SID-History Injection | |
AC-3 | Access Enforcement | Protects | T1134.005 | SID-History Injection | |
AC-4 | Information Flow Enforcement | Protects | T1134.005 | SID-History Injection | |
AC-5 | Separation of Duties | Protects | T1134.005 | SID-History Injection | |
AC-6 | Least Privilege | Protects | T1134.005 | SID-History Injection | |
CM-2 | Baseline Configuration | Protects | T1134.005 | SID-History Injection | |
CM-6 | Configuration Settings | Protects | T1134.005 | SID-History Injection | |
SA-11 | Developer Testing and Evaluation | Protects | T1134.005 | SID-History Injection | |
SA-17 | Developer Security and Privacy Architecture and Design | Protects | T1134.005 | SID-History Injection | |
SA-4 | Acquisition Process | Protects | T1134.005 | SID-History Injection | |
SA-8 | Security and Privacy Engineering Principles | Protects | T1134.005 | SID-History Injection | |
SC-3 | Security Function Isolation | Protects | T1134.005 | SID-History Injection | |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.hacking.variety.Use of stolen creds | Use of stolen authentication credentials (including credential stuffing) | related-to | T1134.005 | Access Token Manipulation: SID-History Injection | |