# T1134.005 SID-History Injection

-----------------------------------------------------------------------

## Technique Description

Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing interoperable account migration between domains (e.g., all values in SID-History are included in access tokens).

With Domain Administrator (or equivalent) rights, harvested or well-known SID values (Citation: Microsoft Well Known SIDs Jun 2017) may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as [Remote Services](https://attack.mitre.org/techniques/T1021), [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002), or [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006).

## Technique Detection

Examine data in users' SID-History attributes using the PowerShell <code>Get-ADUser</code> cmdlet (Citation: Microsoft Get-ADUser), especially users who have SID-History values from the same domain. (Citation: AdSecurity SID History Sept 2015) Also monitor account management events on Domain Controllers for successful and failed changes to SID-History. (Citation: AdSecurity SID History Sept 2015) (Citation: Microsoft DsAddSidHistory)

Monitor for Windows API calls to the <code>DsAddSidHistory</code> function. (Citation: Microsoft DsAddSidHistory)
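The two detection steps above (inspecting SID-History with <code>Get-ADUser</code>, then checking Domain Controller account-management audit events) can be combined into a single hunting script. The following is an added example, not code from MITRE or from any of the cited references. It assumes the ActiveDirectory PowerShell module (RSAT) is installed, that the caller can read user objects and the Security log on a Domain Controller, and it uses the well-known privileged RIDs 512 (Domain Admins), 518 (Schema Admins), 519 (Enterprise Admins) and 544 (BUILTIN\Administrators) plus the Security audit event IDs 4765 (SID History was added to an account) and 4766 (an attempt to add SID History failed); the 7-day lookback window is an arbitrary constructed value.

```powershell
# Added example: hunt for suspicious SID-History values and pull the matching
# Domain Controller audit events. Assumes the ActiveDirectory module (RSAT)
# and read rights on user objects and the DC Security log.
Import-Module ActiveDirectory

# The current domain's SID, so that same-domain SID-History entries (which have
# no migration explanation) can be recognised. Form: S-1-5-21-<x>-<y>-<z>
$domainSid = (Get-ADDomain).DomainSID.ToString()

# Well-known privileged RIDs an attacker would inject to impersonate groups.
$privilegedRids = @{
    '512' = 'Domain Admins'
    '518' = 'Schema Admins'
    '519' = 'Enterprise Admins'
    '544' = 'BUILTIN\Administrators'   # S-1-5-32-544
}

# --- Step 1: every user object that carries any SID-History value ---------
# Legitimate values are rare outside an in-progress domain migration, so the
# full list is worth review; same-domain or privileged entries are flagged.
$users = Get-ADUser -Filter 'SIDHistory -like "*"' -Properties SIDHistory, WhenChanged

$findings = foreach ($u in $users) {
    foreach ($sid in $u.SIDHistory) {
        $sidStr = $sid.ToString()
        $rid    = $sidStr.Split('-')[-1]
        $issuer = $sidStr.Substring(0, $sidStr.LastIndexOf('-'))

        $flags = @()
        if ($issuer -eq $domainSid) { $flags += 'SAME-DOMAIN SID' }
        if ($privilegedRids.ContainsKey($rid)) {
            $flags += "PRIVILEGED RID ($($privilegedRids[$rid]))"
        }
        $verdict = if ($flags.Count -gt 0) { $flags -join '; ' } else { 'review (cross-domain)' }

        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            SIDHistory     = $sidStr
            WhenChanged    = $u.WhenChanged
            Finding        = $verdict
        }
    }
}
$findings | Sort-Object Finding -Descending | Format-Table -AutoSize

# --- Step 2: account-management audit events on this Domain Controller ----
#   4765 = SID History was added to an account        (successful change)
#   4766 = An attempt to add SID History to an account failed
$since  = (Get-Date).AddDays(-7)   # constructed lookback window
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4765, 4766
    StartTime = $since
} -ErrorAction SilentlyContinue   # no matching events raises a non-terminating error

$events | ForEach-Object {
    [pscustomobject]@{
        TimeCreated = $_.TimeCreated
        EventId     = $_.Id
        Outcome     = if ($_.Id -eq 4765) { 'success' } else { 'failure' }
        Summary     = ($_.Message -split "`n")[0]
    }
} | Format-Table -AutoSize
```

Run the script on (or remotely against) each Domain Controller, since the 4765/4766 events are written only on the DC that processed the change. A same-domain SID in SID-History is the strongest single indicator here: a real migration moves accounts from a source domain, so the SID-History issuer should never equal the current domain's SID.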

-----------------------------------------------------------------------

### Tactics:

  * Defense-Evasion

  * Privilege-Escalation

### Platforms:

  * Windows

### Adversary Required Permissions:

  * Administrator

  * SYSTEM

### Data Sources:

  * **Active Directory:** Active Directory Object Modification

  * **User Account:** User Account Metadata

  * **Process:** OS API Execution

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1134/005)

  * [Microsoft Sid](https://msdn.microsoft.com/library/windows/desktop/aa379571.aspx), Microsoft. (n.d.). Security Identifiers. Retrieved November 30, 2017.

  * [Microsoft Sid-History Attribute](https://msdn.microsoft.com/library/ms679833.aspx), Microsoft. (n.d.). Active Directory Schema - SID-History attribute. Retrieved November 30, 2017.

  * [Microsoft Well Known Sids Jun 2017](https://support.microsoft.com/help/243330/well-known-security-identifiers-in-windows-operating-systems), Microsoft. (2017, June 23). Well-known security identifiers in Windows operating systems. Retrieved November 30, 2017.

  * [Microsoft Get-Aduser](https://technet.microsoft.com/library/ee617241.aspx), Microsoft. (n.d.). Active Directory Cmdlets - Get-ADUser. Retrieved November 30, 2017.

  * [Adsecurity Sid History Sept 2015](https://adsecurity.org/?p=1772), Metcalf, S. (2015, September 19). Sneaky Active Directory Persistence #14: SID History. Retrieved November 30, 2017.

  * [Microsoft Dsaddsidhistory](https://msdn.microsoft.com/library/ms677982.aspx), Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November 30, 2017.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------
### This technique is a duplicate.  Follow the link below to the "Primary Version".
<a href="../Privilege Escalation/T1134.005 Sid-History Injection.ipynb" target="_blank">Primary Version</a>