Access Token Manipulation: SID-History Injection (T1134.005)

Tactics: Stealth, Privilege Escalation · Platforms: Windows

The interactive view maps 1 detection strategy, 1 mitigation, 2 software entries to this technique, alongside D3FEND countermeasures and data-component coverage.

Sub-technique of Access Token Manipulation (T1134).

Overview

Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. An account can hold additional SIDs in the SID-History Active Directory attribute, allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).

With Domain Administrator (or equivalent) rights, harvested or well-known SID values may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as Remote Services, SMB/Windows Admin Shares, or Windows Remote Management.

Explore