Description
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
With Domain Administrator (or equivalent) rights, harvested or well-known SID values (Citation: Microsoft Well Known SIDs Jun 2017) may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as Remote Services, SMB/Windows Admin Shares, or Windows Remote Management.
Mitigations (1)
Active Directory Configuration (M1015)
Clean up SID-History attributes after legitimate account migration is complete.
Consider applying SID Filtering to interforest trusts, such as forest trusts and external trusts, to exclude SID-History from requests to access domain resources. SID Filtering ensures that any authentication requests over a trust only contain SIDs of security principals from the trusted domain (i.e. preventing the tru
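As an added defender-side example (not from this page, Microsoft, or any tool listed below), the following Python audits sIDHistory values as an LDAP query for `(sIDHistory=*)` would return them: it decodes the binary SID format and flags entries that a legitimate migration would not leave behind, namely a SID from the audited domain itself, a well-known privileged RID, or any built-in RID below 1000. The domain SIDs and account names are constructed sample data.

```python
import struct

# Well-known RIDs from Microsoft's list of well-known SIDs; none of these
# belongs in the sIDHistory of a legitimately migrated user account.
PRIVILEGED_RIDS = {500: "Administrator", 512: "Domain Admins",
                   518: "Schema Admins", 519: "Enterprise Admins"}

def decode_sid(blob: bytes) -> str:
    """Decode the binary SID stored in objectSid/sIDHistory into S-1-... text.
    Layout: revision (1 byte), sub-authority count (1), identifier authority
    (6 bytes big-endian), then count x 32-bit little-endian sub-authorities."""
    if len(blob) < 8 or blob[0] != 1 or len(blob) != 8 + 4 * blob[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % blob[1], blob[8:])
    return "S-1-%d%s" % (authority, "".join("-%d" % s for s in subs))

def encode_sid(text: str) -> bytes:
    """Inverse of decode_sid; used here only to build the constructed samples."""
    _, rev, auth, *subs = text.split("-")
    subs = [int(x) for x in subs]
    return (bytes([int(rev), len(subs)]) + int(auth).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def audit_sid_history(accounts, own_domain_sid):
    """accounts: {sAMAccountName: [binary sIDHistory values]}.
    Returns (account, decoded SID, reason) for every suspicious entry."""
    findings = []
    for name, history in accounts.items():
        for blob in history:
            sid = decode_sid(blob)
            domain, rid = sid.rsplit("-", 1)
            rid = int(rid)
            if domain == own_domain_sid:
                findings.append((name, sid, "SID from this domain, not a migrated one"))
            elif rid in PRIVILEGED_RIDS:
                findings.append((name, sid, "well-known %s RID" % PRIVILEGED_RIDS[rid]))
            elif domain.startswith("S-1-5-21-") and rid < 1000:
                findings.append((name, sid, "built-in principal (RID below 1000)"))
    return findings

# Constructed sample data: one genuine migration entry and two injected ones.
OLD_DOMAIN = "S-1-5-21-3623811015-3361044348-30300820"    # the migrated-from domain
THIS_DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"  # the domain being audited
SAMPLE = {
    "jsmith": [encode_sid(OLD_DOMAIN + "-1105")],     # migrated user, RID >= 1000
    "svc_backup": [encode_sid(OLD_DOMAIN + "-519")],  # Enterprise Admins of the old forest
    "tmp_admin": [encode_sid(THIS_DOMAIN + "-512")],  # Domain Admins of this very domain
}
```

Running `audit_sid_history(SAMPLE, THIS_DOMAIN)` reports svc_backup and tmp_admin and leaves the genuinely migrated jsmith alone; feeding it the real attribute values from your directory turns the "clean up SID-History after migration" mitigation into a repeatable check.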
Associated Software (2)
| ID | Name | Type | Context |
|---|---|---|---|
| S0002 | Mimikatz | Tool | [Mimikatz](https://attack.mitre.org/software/S0002)'s <code>MISC::AddSid</code> module can append any SID or user/group account to a user's SID-Histor... |
| S0363 | Empire | Tool | [Empire](https://attack.mitre.org/software/S0363) can add a SID-History to a user if on a domain controller.(Citation: Github PowerShell Empire) |
References
- Microsoft. (2017, June 23). Well-known security identifiers in Windows operating systems. Retrieved November 30, 2017.
- Microsoft. (n.d.). Active Directory Schema - SID-History attribute. Retrieved November 30, 2017.
- Microsoft. (n.d.). Security Identifiers. Retrieved November 30, 2017.
Frequently Asked Questions
What is T1134.005 (SID-History Injection)?
T1134.005 is a MITRE ATT&CK technique named 'SID-History Injection'. It belongs to the Stealth, Privilege Escalation tactic(s). Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are u...
How can T1134.005 be detected?
Detection of T1134.005 (SID-History Injection) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1134.005?
There is 1 documented mitigation for T1134.005: Active Directory Configuration.
Which threat groups use T1134.005?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.