Access Token Manipulation: SID-History Injection
Other sub-techniques of Access Token Manipulation (5)
ID | Name |
---|---|
T1134.001 | Token Impersonation/Theft |
T1134.002 | Create Process with Token |
T1134.003 | Make and Impersonate Token |
T1134.004 | Parent PID Spoofing |
T1134.005 | SID-History Injection |
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. [1] An account can hold additional SIDs in the SID-History Active Directory attribute [2], allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
With Domain Administrator (or equivalent) rights, harvested or well-known SID values [3] may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as Remote Services, Windows Admin Shares, or Windows Remote Management.
Procedure Examples
Name | Description |
---|---|
Empire | Empire can add a SID-History to a user if on a domain controller. [4] |
Mimikatz | Mimikatz's |
Mitigations
Mitigation | Description |
---|---|
Active Directory Configuration | Clean up SID-History attributes after legitimate account migration is complete. Consider applying SID Filtering to interforest trusts, such as forest trusts and external trusts, to exclude SID-History from requests to access domain resources. SID Filtering ensures that any authentication requests over a trust only contain SIDs of security principals from the trusted domain (i.e., preventing the trusted domain from claiming a user has membership in groups outside of the domain). SID Filtering of forest trusts is enabled by default, but may have been disabled in some cases to allow a child domain to transitively access forest trusts. SID Filtering of external trusts is automatically enabled on all created external trusts using Server 2003 or later domain controllers. [7] [8] Note, however, that SID Filtering is not automatically applied to legacy trusts, or may have been deliberately disabled to allow inter-domain access to resources. SID Filtering can be applied by: [9] |
Detection
Examine data in users' SID-History attributes using the PowerShell Get-ADUser cmdlet [10], especially users who have SID-History values from the same domain. [11] Also monitor account management events on Domain Controllers for successful and failed changes to SID-History. [11] [12]
Monitor for Windows API calls to the DsAddSidHistory function. [12]
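The Get-ADUser review described above, written out as an added example (not code from the ATT&CK page or its references). It assumes the RSAT ActiveDirectory module and read access to the SIDHistory attribute, and flags two conditions a legitimate migration does not produce: a history SID issued by the account's own domain, and a history SID whose RID belongs to a well-known privileged principal; the function name and the RID list are this example's own choices.

```powershell
# Added example, not part of the ATT&CK page. Requires the ActiveDirectory
# module (RSAT) and permission to read SIDHistory on user objects.
Import-Module ActiveDirectory

function Find-SuspiciousSidHistory {
    param(
        # Domain to query; defaults to the current user's domain.
        [string]$Server = (Get-ADDomain).DNSRoot
    )
    $domain         = Get-ADDomain -Server $Server
    $localDomainSid = $domain.DomainSID.Value
    # RIDs of well-known privileged principals: Administrator (500), Domain Admins
    # (512), Domain Controllers (516), Schema Admins (518), Enterprise Admins (519),
    # and BUILTIN\Administrators (544, issued under S-1-5-32).
    $privilegedRids = @('500', '512', '516', '518', '519', '544')

    Get-ADUser -Server $Server -Filter 'SIDHistory -like "*"' -Properties SIDHistory |
        ForEach-Object {
            $user = $_
            foreach ($sid in $user.SIDHistory) {
                $sidValue        = $sid.Value
                $rid             = $sidValue.Split('-')[-1]
                $issuerDomainSid = $sidValue.Substring(0, $sidValue.LastIndexOf('-'))
                $reasons = @()
                # Migration brings SIDs from a *different* domain; a SID issued by
                # this domain has no migration explanation and points at injection.
                if ($issuerDomainSid -eq $localDomainSid) { $reasons += 'SameDomainSid' }
                # A history SID that is itself a privileged well-known principal
                # grants that group's access on every token the account gets.
                if ($privilegedRids -contains $rid)        { $reasons += "PrivilegedRid:$rid" }
                if ($reasons.Count -gt 0) {
                    [pscustomobject]@{
                        SamAccountName = $user.SamAccountName
                        ObjectSid      = $user.SID.Value
                        HistorySid     = $sidValue
                        Reason         = ($reasons -join ',')
                    }
                }
            }
        }
}

# Usage: list findings for triage against the migration records.
Find-SuspiciousSidHistory | Format-Table -AutoSize
```

For each flagged account, correlate with the Domain Controllers' Security log account-management events for SID-History changes (Event IDs 4765 for a successful addition and 4766 for a failed attempt) to establish when and by whom the value was written.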
References
- Microsoft. (n.d.). Security Identifiers. Retrieved November 30, 2017.
- Microsoft. (n.d.). Active Directory Schema - SID-History attribute. Retrieved November 30, 2017.
- Microsoft. (2017, June 23). Well-known security identifiers in Windows operating systems. Retrieved November 30, 2017.
- Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
- Metcalf, S. (2015, November 13). Unofficial Guide to Mimikatz & Command Reference. Retrieved December 23, 2015.
- Metcalf, S. (2015, August 7). Kerberos Golden Tickets are Now More Golden. Retrieved December 1, 2017.
- Microsoft. (2014, November 19). Security Considerations for Trusts. Retrieved November 30, 2017.
- Microsoft. (n.d.). Configuring SID Filter Quarantining on External Trusts. Retrieved November 30, 2017.
- Microsoft. (2012, September 11). Command-Line Reference - Netdom Trust. Retrieved November 30, 2017.
- Microsoft. (n.d.). Active Directory Cmdlets - Get-ADUser. Retrieved November 30, 2017.
- Metcalf, S. (2015, September 19). Sneaky Active Directory Persistence #14: SID History. Retrieved November 30, 2017.
- Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November 30, 2017.