Access Token Manipulation: SID-History Injection (T1134.005)
Tactics: Stealth, Privilege Escalation · Platforms: Windows
The interactive view maps 1 detection strategy, 1 mitigation, 2 software entries to this technique, alongside D3FEND countermeasures and data-component coverage.
Sub-technique of Access Token Manipulation (T1134).
Overview
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. An account can hold additional SIDs in the SID-History Active Directory attribute, allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
With Domain Administrator (or equivalent) rights, harvested or well-known SID values may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as Remote Services, SMB/Windows Admin Shares, or Windows Remote Management.