| ID | Name |
|---|---|
| T1134.001 | Token Impersonation/Theft |
| T1134.002 | Create Process with Token |
| T1134.003 | Make and Impersonate Token |
| T1134.004 | Parent PID Spoofing |
| T1134.005 | SID-History Injection |
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens.[1] An account can hold additional SIDs in the SID-History Active Directory attribute[2], allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
With Domain Administrator (or equivalent) rights, harvested or well-known SID values[3] may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as Remote Services, SMB/Windows Admin Shares, or Windows Remote Management.
| ID | Name | Description |
|---|---|---|
| S0363 | Empire | Empire can add a SID-History to a user if on a domain controller.[4] |
| S0002 | Mimikatz | Mimikatz's |
| ID | Mitigation | Description |
|---|---|---|
| M1015 | Active Directory Configuration | Clean up SID-History attributes after legitimate account migration is complete. Consider applying SID Filtering to interforest trusts, such as forest trusts and external trusts, to exclude SID-History from requests to access domain resources. SID Filtering ensures that any authentication requests over a trust only contain SIDs of security principals from the trusted domain (i.e., preventing the trusted domain from claiming a user has membership in groups outside of the domain). SID Filtering of forest trusts is enabled by default, but may have been disabled in some cases to allow a child domain to transitively access forest trusts. SID Filtering of external trusts is automatically enabled on all external trusts created using Server 2003 or later domain controllers.[7][8] Note, however, that SID Filtering is not automatically applied to legacy trusts and may have been deliberately disabled to allow inter-domain access to resources. SID Filtering can be applied by:[9] |
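The two mechanisms the technique description and the M1015 mitigation rely on are that every SID-History value is copied into the access token, and that SID Filtering strips SIDs a trusted domain has no business asserting. The following is an added, deliberately simplified model of both (not code from the ATT&CK page or from Windows): the domain SIDs, account and DACL are constructed, `build_token` and `sid_filter` are illustrative functions rather than Windows APIs, and the filter models only the quarantine case (keep SIDs issued by the trusted domain) without the well-known SIDs real SID Filtering preserves.

```python
"""Added example (not from the ATT&CK page): a toy model of why an injected
SID-History value grants access, and why quarantine-style SID Filtering on the
trust stops it. Windows token construction and trust processing are far richer;
only the two points the text makes are modelled here."""

from dataclasses import dataclass, field

# Constructed domain SIDs; not values from any real environment.
RESOURCE_FOREST_ROOT = "S-1-5-21-1111-2222-3333"   # forest root (trusting side)
TRUSTED_DOMAIN = "S-1-5-21-4444-5555-6666"          # external, trusted domain

ENTERPRISE_ADMINS_RID = 519                          # well-known RID in the forest root
ENTERPRISE_ADMINS = f"{RESOURCE_FOREST_ROOT}-{ENTERPRISE_ADMINS_RID}"


def domain_of(sid: str) -> str:
    """Domain prefix of a domain SID, i.e. everything before the RID."""
    return sid.rsplit("-", 1)[0]


@dataclass
class Account:
    sid: str
    group_sids: list[str] = field(default_factory=list)
    sid_history: list[str] = field(default_factory=list)


def build_token(account: Account) -> set[str]:
    """Model: the token holds the user SID, group SIDs and every SID-History value."""
    return {account.sid, *account.group_sids, *account.sid_history}


def sid_filter(token_sids: set[str], trusted_domain_sid: str) -> set[str]:
    """Quarantine-style SID Filtering: keep only SIDs issued by the trusted domain.
    (Real filtering also keeps certain well-known SIDs and, for forest trusts,
    SIDs from any domain in the trusted forest; both are omitted here.)"""
    return {s for s in token_sids if domain_of(s) == trusted_domain_sid}


def access_check(token_sids: set[str], allowed_sids: set[str]) -> bool:
    """Grant when any SID in the token is in the resource's allow list."""
    return bool(token_sids & allowed_sids)


# Constructed DACL: the resource is restricted to forest-root Enterprise Admins.
RESOURCE_ALLOW = {ENTERPRISE_ADMINS}

# Ordinary user in the trusted domain whose SID-History was injected with the
# forest root's Enterprise Admins SID (the scenario the text describes).
attacker = Account(
    sid=f"{TRUSTED_DOMAIN}-1105",
    group_sids=[f"{TRUSTED_DOMAIN}-513"],   # Domain Users of the trusted domain
    sid_history=[ENTERPRISE_ADMINS],
)


def access_without_filtering() -> bool:
    """Trust without SID Filtering: the injected SID rides along in the token."""
    return access_check(build_token(attacker), RESOURCE_ALLOW)


def access_with_filtering() -> bool:
    """Trust with SID Filtering: the foreign SID is dropped before the check."""
    filtered = sid_filter(build_token(attacker), TRUSTED_DOMAIN)
    return access_check(filtered, RESOURCE_ALLOW)


if __name__ == "__main__":
    print("SID Filtering off:", access_without_filtering())   # True
    print("SID Filtering on :", access_with_filtering())      # False
```

The same filter is what makes SID-History useless across a properly configured trust while leaving it fully effective inside the domain where it was injected, which is why the mitigation pairs filtering with cleaning the attribute itself.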
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0136 | Behavior-chain detection for T1134.005 Access Token Manipulation: SID-History Injection (Windows) | AN0383 | Detection of unauthorized modification of Active Directory SID-History attributes to escalate privileges. This chain involves: (1) privileged operations or API calls to DsAddSidHistory or related AD modification functions, (2) observed attribute changes in SID-History (Event ID 5136), (3) new logon sessions where the token includes unexpected or privileged SID-History values, and (4) follow-on resource access using elevated privileges derived from SID-History injection. |
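Step (2) of the DET0136 chain, the observed sIDHistory write, is the part that can be implemented directly from the Security log. The block below is an added example, not code from the ATT&CK page or any tool it lists: it flattens an Event ID 5136 record as returned by `EventRecord.ToXml()`, keeps only `sIDHistory` additions (OperationType `%%14674`), rates each added SID by whether it is a well-known or privileged-RID SID, a same-domain SID (no migration explanation) or a foreign SID consistent with migration, and suppresses only the last category when made by a sanctioned migration account. The 5136 field names are real; every account name, DN, domain SID and the `svc-admt` migration account are constructed for the example. Event 5136 is only emitted when the Directory Service Changes audit subcategory is enabled and a SACL covers the objects.

```python
"""Added example (not from the ATT&CK page): detection of sIDHistory additions
from Event ID 5136 records. Field names match the real 5136 EventData; all
values below are constructed."""

import xml.etree.ElementTree as ET

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
VALUE_ADDED = "%%14674"     # OperationType: attribute value added
VALUE_DELETED = "%%14675"   # OperationType: attribute value deleted

PRIVILEGED_RIDS = {512: "Domain Admins", 516: "Domain Controllers",
                   518: "Schema Admins", 519: "Enterprise Admins"}
WELL_KNOWN_PRIVILEGED = {"S-1-5-32-544": "BUILTIN\\Administrators"}


def parse_5136_xml(xml_text: str) -> dict:
    """Flatten a 5136 event XML (EventRecord.ToXml()) into a dict of EventData fields."""
    root = ET.fromstring(xml_text)
    ev = {"EventID": int(root.find("e:System/e:EventID", EVT_NS).text)}
    for data in root.findall("e:EventData/e:Data", EVT_NS):
        ev[data.get("Name")] = (data.text or "").strip()
    return ev


def split_sid(sid: str):
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def classify_sid(sid: str, object_domain_sid: str):
    """Severity of a SID appearing in sIDHistory of an object in object_domain_sid."""
    if sid in WELL_KNOWN_PRIVILEGED:
        return "high", f"well-known privileged SID ({WELL_KNOWN_PRIVILEGED[sid]})"
    domain, rid = split_sid(sid)
    if rid in PRIVILEGED_RIDS:
        return "high", f"privileged RID {rid} ({PRIVILEGED_RIDS[rid]})"
    if domain == object_domain_sid:
        # Migration copies SIDs from a *source* domain; a SID from the object's
        # own domain has no legitimate migration explanation.
        return "medium", "SID from the object's own domain"
    return "low", "cross-domain SID, consistent with account migration"


def detect_sid_history_additions(events, object_domain_sid, migration_accounts=frozenset()):
    """One alert per sIDHistory value added; only low-severity additions by
    sanctioned migration accounts are suppressed."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 5136:
            continue
        if ev.get("AttributeLDAPDisplayName", "").lower() != "sidhistory":
            continue
        if ev.get("OperationType") != VALUE_ADDED:
            continue            # deletions are the expected post-migration cleanup
        sid = ev["AttributeValue"]
        severity, reason = classify_sid(sid, object_domain_sid)
        if severity == "low" and ev["SubjectUserName"].lower() in migration_accounts:
            continue
        alerts.append({"severity": severity, "subject": ev["SubjectUserName"],
                       "object": ev["ObjectDN"], "sid": sid, "reason": reason})
    return alerts


# Constructed sample. One event is kept in XML form to show the real layout.
SAMPLE_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5136</EventID><Computer>DC01.corp.example</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">backdoor-op</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectDN">CN=svc-report,OU=Service,DC=corp,DC=example</Data>
    <Data Name="ObjectClass">user</Data>
    <Data Name="AttributeLDAPDisplayName">sIDHistory</Data>
    <Data Name="AttributeValue">S-1-5-21-1111-2222-3333-519</Data>
    <Data Name="OperationType">%%14674</Data>
  </EventData>
</Event>"""

CORP_DOMAIN_SID = "S-1-5-21-4444-5555-6666"   # constructed: domain of the objects
OLD_DOMAIN_SID = "S-1-5-21-7777-8888-9999"    # constructed: migration source domain


def _ev(subject, dn, attr, value, op):
    return {"EventID": 5136, "SubjectUserName": subject, "ObjectDN": dn,
            "AttributeLDAPDisplayName": attr, "AttributeValue": value, "OperationType": op}


SAMPLE_EVENTS = [
    parse_5136_xml(SAMPLE_XML),                                   # forest-root EA SID -> high
    _ev("svc-admt", "CN=jdoe,OU=Users,DC=corp,DC=example", "sIDHistory",
        f"{OLD_DOMAIN_SID}-1105", VALUE_ADDED),                   # sanctioned migration -> suppressed
    _ev("svc-admt", "CN=jdoe,OU=Users,DC=corp,DC=example", "sIDHistory",
        f"{OLD_DOMAIN_SID}-1105", VALUE_DELETED),                 # cleanup -> ignored
    _ev("helpdesk1", "CN=asmith,OU=Users,DC=corp,DC=example", "member",
        "CN=VPN Users,OU=Groups,DC=corp,DC=example", VALUE_ADDED),  # other attribute -> ignored
    _ev("helpdesk1", "CN=asmith,OU=Users,DC=corp,DC=example", "sIDHistory",
        f"{CORP_DOMAIN_SID}-1200", VALUE_ADDED),                  # same-domain SID -> medium
]


def run_sample():
    return detect_sid_history_additions(SAMPLE_EVENTS, CORP_DOMAIN_SID,
                                        migration_accounts={"svc-admt"})


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a['severity']}] {a['subject']} added {a['sid']} to {a['object']}: {a['reason']}")
```

Steps (3) and (4) of the chain are not implemented here: Event IDs 4624 and 4768 do not list the group or SID-History SIDs in the issued token, so correlating a suspicious 5136 with later logons and resource access needs the account and time window from these alerts joined against the logon and object-access events separately.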