ID | Name |
---|---|
T1134.001 | Token Impersonation/Theft |
T1134.002 | Create Process with Token |
T1134.003 | Make and Impersonate Token |
T1134.004 | Parent PID Spoofing |
T1134.005 | SID-History Injection |
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. [1] An account can hold additional SIDs in the SID-History Active Directory attribute [2], allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
With Domain Administrator (or equivalent) rights, harvested or well-known SID values [3] may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as Remote Services, SMB/Windows Admin Shares, or Windows Remote Management.
ID | Name | Description |
---|---|---|
S0363 | Empire |
Empire can add a SID-History to a user if on a domain controller.[4] |
S0002 | Mimikatz |
Mimikatz's |
ID | Mitigation | Description |
---|---|---|
M1015 | Active Directory Configuration |
Clean up SID-History attributes after legitimate account migration is complete. Consider applying SID Filtering to interforest trusts, such as forest trusts and external trusts, to exclude SID-History from requests to access domain resources. SID Filtering ensures that any authentication requests over a trust only contain SIDs of security principals from the trusted domain (i.e preventing the trusted domain from claiming a user has membership in groups outside of the domain). SID Filtering of forest trusts is enabled by default, but may have been disabled in some cases to allow a child domain to transitively access forest trusts. SID Filtering of external trusts is automatically enabled on all created external trusts using Server 2003 or later domain controllers. [7] [8] However note that SID Filtering is not automatically applied to legacy trusts or may have been deliberately disabled to allow inter-domain access to resources. SID Filtering can be applied by: [9]
|
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0026 | Active Directory | Active Directory Object Modification |
Monitor for changes to account management events on Domain Controllers for successful and failed changes to SID-History. [10] [11] |
DS0009 | Process | OS API Execution |
Monitor for API calls, such as PowerShell's Get-ADUser cmdlet or Windows API DsAddSidHistory function, to examine data in user’s SID-History attributes, especially users who have SID-History values from the same domain. |
DS0002 | User Account | User Account Metadata |
Examine data in user’s SID-History attributes |