SID-History Injection

From enterprise
Jump to: navigation, search
SID-History Injection
Technique
ID T1178
Tactic Privilege Escalation
Platform Windows
Permissions Required Administrator, SYSTEM
Data Sources API monitoring, Authentication logs, Windows event logs
Contributors Vincent Le Toux

The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens.1 An account can hold additional SIDs in the SID-History Active Directory attribute2, allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).

Adversaries may use this mechanism for privilege escalation. With Domain Administrator (or equivalent) rights, harvested or well-known SID values3 may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as Remote Services, Windows Admin Shares, or Windows Remote Management.

Examples

  • Mimikatz's MISC::AddSid module can appended any SID or user/group account to a user's SID-History.4 Mimikatz also utilizes SID-History Injection to expand the scope of other components such as generated Kerberos Golden Tickets and DCSync beyond a single domain.54

Mitigation

Clean up SID-History attributes after legitimate account migration is complete.

Apply SID Filtering to domain trusts to exclude SID-History from requests to access domain resources (netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /quarantine:yes6 on the domain controller). Domain SID Filtering is disabled by default.

Apply SID Filtering to forest trusts to exclude SID-History from request to access forest resources (netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /EnableSIDHistory:no6 on the domain controller). Forest SID Filtering is active by default, but may block child domains from transitively accessesing the forest trust.

Ensure SID Filter Quarantining is enabled on trusted external domains (netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /quarantine6 on the domain controller) to ensure authentication requests only include SIDs from that domain. SID Filter Quarantining is automatically enabled on all created external trusts using Server 2003 or later domain controllers.78

Detection

Examine data in user’s SID-History attributes using the PowerShell Get-ADUser Cmdlet9, especially users who have SID-History values from the same domain.10

Monitor Account Management events on Domain Controllers for successful and failed changes to SID-History.10 11

Monitor Windows API calls to the DsAddSidHistory function.11