| Field | Value |
|---|---|
| Permissions Required | Administrator, SYSTEM |
| Data Sources | API monitoring, Authentication logs, Windows event logs |
| Contributors | Vincent Le Toux |
The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens.[1] An account can hold additional SIDs in the SID-History Active Directory attribute,[2] allowing interoperable account migration between domains (e.g., all values in SID-History are included in access tokens).

Adversaries may use this mechanism for privilege escalation. With Domain Administrator (or equivalent) rights, harvested or well-known SID values[3] may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as Remote Services, Windows Admin Shares, or Windows Remote Management.

Mimikatz's MISC::AddSid module can append any SID or user/group account to a user's SID-History.[4] Mimikatz also utilizes SID-History Injection to expand the scope of other components such as generated Kerberos Golden Tickets and DCSync beyond a single domain.[5][4]
Clean up SID-History attributes after legitimate account migration is complete.
Apply SID Filtering to domain trusts to exclude SID-History from requests to access domain resources (`netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /quarantine:yes`[6] on the domain controller). Domain SID Filtering is disabled by default.

Apply SID Filtering to forest trusts to exclude SID-History from requests to access forest resources (`netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /EnableSIDHistory:no`[6] on the domain controller). Forest SID Filtering is active by default, but may block child domains from transitively accessing the forest trust.

Ensure SID Filter Quarantining is enabled on trusted external domains (`netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /quarantine`[6] on the domain controller) to ensure authentication requests only include SIDs from that domain. SID Filter Quarantining is automatically enabled on all created external trusts using Server 2003 or later domain controllers.[7][8]
Monitor Windows API calls to the
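As an added example (not part of the original page or of any Microsoft tooling), the following Python script applies the detection idea above to account records of the shape returned by `Get-ADUser -Properties SIDHistory`[9]: after a legitimate migration, SID-History should only contain SIDs from the old (trusted) domain, so a SID-History entry that belongs to the current domain, to an unknown domain, or that carries a well-known privileged RID[3] is flagged for review. The domain SIDs and account records are constructed sample data, and the name `review_sid_history` is this example's own.

```python
import re

# Constructed sample data (not real directory content). Assumes one legacy
# domain that accounts were migrated from; everything else is suspicious.
CURRENT_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
TRUSTED_DOMAIN_SIDS = {"S-1-5-21-4444444444-5555555555-6666666666"}
SAMPLE_ACCOUNTS = [
    {"SamAccountName": "jsmith",     "SIDHistory": ["S-1-5-21-4444444444-5555555555-6666666666-1104"]},
    {"SamAccountName": "svc-backup", "SIDHistory": ["S-1-5-21-1111111111-2222222222-3333333333-519",
                                                    "S-1-5-32-544"]},
    {"SamAccountName": "helpdesk1",  "SIDHistory": ["S-1-5-21-4444444444-5555555555-6666666666-512"]},
    {"SamAccountName": "alice",      "SIDHistory": []},
]

# Well-known RIDs whose presence in SID-History warrants review [3].
PRIVILEGED_RIDS = {500: "Administrator", 512: "Domain Admins",
                   518: "Schema Admins", 519: "Enterprise Admins"}
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def split_sid(sid):
    """Return (domain SID, RID) for a domain account SID, or None for any
    other SID form (e.g. the BUILTIN SID S-1-5-32-544)."""
    m = SID_RE.match(sid)
    return (m.group(1), int(m.group(2))) if m else None

def review_sid_history(accounts, current_domain_sid, trusted_domain_sids):
    """Return (account, sid, reason) triples for SID-History entries to review."""
    findings = []
    for acct in accounts:
        name = acct["SamAccountName"]
        for sid in acct["SIDHistory"]:
            parts = split_sid(sid)
            if parts is None:
                findings.append((name, sid, "non-domain SID in SID-History"))
                continue
            domain_sid, rid = parts
            if domain_sid == current_domain_sid:
                # Migration imports SIDs from *other* domains; a same-domain
                # SID in SID-History is a strong indicator of injection.
                findings.append((name, sid, "same-domain SID in SID-History"))
            elif domain_sid not in trusted_domain_sids:
                findings.append((name, sid, "SID from unknown domain"))
            if rid in PRIVILEGED_RIDS:
                findings.append((name, sid, f"privileged RID ({PRIVILEGED_RIDS[rid]})"))
    return findings

if __name__ == "__main__":
    for account, sid, reason in review_sid_history(SAMPLE_ACCOUNTS, CURRENT_DOMAIN_SID, TRUSTED_DOMAIN_SIDS):
        print(f"{account}: {sid} -> {reason}")
```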
- [1] Microsoft. (n.d.). Security Identifiers. Retrieved November 30, 2017.
- [2] Microsoft. (n.d.). Active Directory Schema - SID-History attribute. Retrieved November 30, 2017.
- [3] Microsoft. (2017, June 23). Well-known security identifiers in Windows operating systems. Retrieved November 30, 2017.
- [4] Metcalf, S. (2015, November 13). Unofficial Guide to Mimikatz & Command Reference. Retrieved December 23, 2015.
- [5] Metcalf, S. (2015, August 7). Kerberos Golden Tickets are Now More Golden. Retrieved December 1, 2017.
- [6] Microsoft. (2012, September 11). Command-Line Reference - Netdom Trust. Retrieved November 30, 2017.
- [7] Microsoft. (2014, November 19). Security Considerations for Trusts. Retrieved November 30, 2017.
- [8] Microsoft. (2009, January 9). Configuring SID Filter Quarantining on External Trusts. Retrieved November 30, 2017.
- [9] Microsoft. (n.d.). Active Directory Cmdlets - Get-ADUser. Retrieved November 30, 2017.
- [10] Metcalf, S. (2015, September 19). Sneaky Active Directory Persistence #14: SID History. Retrieved November 30, 2017.
- [11] Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November 30, 2017.