T1134.005 · defense-evasion, privilege-escalation · 0 actors · 0 correlated reports

SID-History Injection

Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. An account can hold additional SIDs in the SID-History Active Directory attribute (sIDHistory), which exists to support account migration between domains: every value in SID-History is added to the account's access token next to its primary SID, so a migrated account keeps the access its old identity had. With Domain Administrator (or equivalent) rights, harvested or well-known SID values may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as Remote Services, SMB/Windows Admin Shares, or Windows Remote Management.


Detection logic

Examine the SID-History attribute of user accounts using the PowerShell Get-ADUser cmdlet, paying particular attention to accounts whose SID-History holds SIDs from the same domain: a legitimate migration imports SIDs from the source domain, so a same-domain value has no benign origin. Also monitor account management events on Domain Controllers for successful and failed changes to SID-History (Security log events 4765 and 4766, which require the "Audit User Account Management" subcategory to be enabled for success and failure). Monitor for Windows API calls to the DsAddSidHistory function.
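The following PowerShell is an added hunting example for the detection logic above; it is not code from the ATT&CK page or from any vendor. It assumes the RSAT ActiveDirectory module is installed, that the caller can read the domain (and, for the second function, the Security log of a Domain Controller), and that the DC name DC01 in the usage lines is a placeholder. It goes slightly beyond the text: it queries all object classes that can carry sIDHistory (users, computers, groups), not just users, and it flags privileged RIDs and SIDs from domains with no current trust in addition to same-domain values.

```powershell
# Added example (not from the ATT&CK page). Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Well-known RIDs an attacker typically injects to impersonate privileged principals.
$PrivilegedRids = @{
    500 = 'Administrator'
    512 = 'Domain Admins'
    518 = 'Schema Admins'
    519 = 'Enterprise Admins'
}

function Find-SuspiciousSidHistory {
    <#
      Lists every object whose sIDHistory contains a value that a legitimate
      inter-domain migration would not produce:
        - a SID from this same domain (migration imports SIDs from the source domain),
        - a SID carrying a privileged RID (500/512/518/519),
        - a well-known/built-in SID (never produced by migration),
        - a SID from a domain this domain has no trust with (can also be a retired
          source domain, so treat that one as "review", not "alert").
    #>
    param([string]$Server)   # optional DC to query; defaults to module discovery

    $adArgs = @{}
    if ($Server) { $adArgs['Server'] = $Server }

    $ownDomainSid = (Get-ADDomain @adArgs).DomainSID.Value
    $trustedSids  = @(Get-ADTrust -Filter * @adArgs | ForEach-Object { $_.SecurityIdentifier.Value })

    # sIDHistory can be set on users, computers and groups, so Get-ADObject is used
    # instead of Get-ADUser alone. Values come back as SecurityIdentifier objects.
    Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory, sAMAccountName @adArgs |
        ForEach-Object {
            $obj = $_
            foreach ($sid in $obj.sIDHistory) {
                $domainPart = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { $null }
                $rid        = [int]($sid.Value.Split('-')[-1])

                $reasons = @()
                if (-not $domainPart) {
                    $reasons += 'well-known/built-in SID'
                } else {
                    if ($domainPart -eq $ownDomainSid)         { $reasons += 'SID from the same domain' }
                    if ($PrivilegedRids.ContainsKey($rid))      { $reasons += "privileged RID $rid ($($PrivilegedRids[$rid]))" }
                    if ($trustedSids -notcontains $domainPart)  { $reasons += 'no current trust with source domain (review)' }
                }

                if ($reasons.Count -gt 0) {
                    [pscustomobject]@{
                        Account    = $obj.sAMAccountName
                        Class      = $obj.ObjectClass
                        HistorySid = $sid.Value
                        Reason     = ($reasons -join '; ')
                    }
                }
            }
        }
}

function Get-SidHistoryAuditEvents {
    <#
      Pulls the account-management events a DC logs when SID-History changes:
        4765 = SID History was added to an account
        4766 = An attempt to add SID History to an account failed
      Requires "Audit User Account Management" (success and failure) on the DCs.
    #>
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 7)

    $filter = @{ LogName = 'Security'; Id = 4765, 4766; StartTime = (Get-Date).AddDays(-$Days) }
    # -ErrorAction SilentlyContinue: Get-WinEvent throws when no event matches.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                DC      = $_.MachineName
                Summary = ($_.Message -split "`r?`n")[0]
            }
        }
}

# Usage from an admin workstation; 'DC01' is a placeholder for a real Domain Controller.
Find-SuspiciousSidHistory | Format-Table -AutoSize
Get-SidHistoryAuditEvents -ComputerName 'DC01' | Format-Table -AutoSize
```

Same-domain and privileged-RID hits deserve an immediate look; a value from a domain that no longer has a trust may simply be left over from a completed migration, which is why it is marked for review. The event query only helps if the audit subcategory was already enabled before the change; it does not cover injections performed offline against the ntds.dit file, which is one reason the attribute sweep in the first function should run on a schedule rather than only after an alert.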

Observed actors

Correlated CTI and IR reports
