Access Token Manipulation: SID-History Injection
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens.  An account can hold additional SIDs in the SID-History Active Directory attribute , allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
With Domain Administrator (or equivalent) rights, harvested or well-known SID values  may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as Remote Services, SMB/Windows Admin Shares, or Windows Remote Management.
|M1015||Active Directory Configuration||
Clean up SID-History attributes after legitimate account migration is complete.
Consider applying SID Filtering to interforest trusts, such as forest trusts and external trusts, to exclude SID-History from requests to access domain resources. SID Filtering ensures that any authentication requests over a trust only contain SIDs of security principals from the trusted domain (i.e preventing the trusted domain from claiming a user has membership in groups outside of the domain).
SID Filtering of forest trusts is enabled by default, but may have been disabled in some cases to allow a child domain to transitively access forest trusts. SID Filtering of external trusts is automatically enabled on all created external trusts using Server 2003 or later domain controllers.   However note that SID Filtering is not automatically applied to legacy trusts or may have been deliberately disabled to allow inter-domain access to resources.
SID Filtering can be applied by: 
Examine data in user’s SID-History attributes using the PowerShell
Get-ADUser cmdlet , especially users who have SID-History values from the same domain.  Also monitor account management events on Domain Controllers for successful and failed changes to SID-History.  
Monitor for Windows API calls to the
DsAddSidHistory function. 
- Microsoft. (n.d.). Security Identifiers. Retrieved November 30, 2017.
- Microsoft. (n.d.). Active Directory Schema - SID-History attribute. Retrieved November 30, 2017.
- Microsoft. (2017, June 23). Well-known security identifiers in Windows operating systems. Retrieved November 30, 2017.
- Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
- Metcalf, S. (2015, November 13). Unofficial Guide to Mimikatz & Command Reference. Retrieved December 23, 2015.
- Metcalf, S. (2015, August 7). Kerberos Golden Tickets are Now More Golden. Retrieved December 1, 2017.
- Microsoft. (2014, November 19). Security Considerations for Trusts. Retrieved November 30, 2017.
- Microsoft. (n.d.). Configuring SID Filter Quarantining on External Trusts. Retrieved November 30, 2017.
- Microsoft. (2012, September 11). Command-Line Reference - Netdom Trust. Retrieved November 30, 2017.
- Microsoft. (n.d.). Active Directory Cmdlets - Get-ADUser. Retrieved November 30, 2017.
- Metcalf, S. (2015, September 19). Sneaky Active Directory Persistence #14: SID History. Retrieved November 30, 2017.
- Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November 30, 2017.