T1134.005SubTechniquedefense-evasionprivilege-escalationagent-callable

T1134.005SID-History Injection

Sub-technique of T1134

Platforms: Windows

ATT&CK version: 14.1

What it is

Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens). With Domain Administrator (or equivalent) rights, harvested or well-known SID values (Citation: Microsoft Well Known SIDs Jun 2017) may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as [Remote Services](https://attack.mitre.org/techniques/T1021), [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002), or [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006).

ATT&CK tactics· 2

Defense EvasionPrivilege Escalation

References

  1. https://attack.mitre.org/techniques/T1134/005
  2. https://msdn.microsoft.com/library/windows/desktop/aa379571.aspx
  3. https://msdn.microsoft.com/library/ms679833.aspx
  4. https://support.microsoft.com/help/243330/well-known-security-identifiers-in-windows-operating-systems
  5. https://technet.microsoft.com/library/ee617241.aspx
  6. https://adsecurity.org/?p=1772
  7. https://msdn.microsoft.com/library/ms677982.aspx
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.