Access Token Manipulation: SID-History Injection

Description

Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. An account can hold additional SIDs in the SID-History Active Directory attribute (sIDHistory) [2], which exists to keep access working when an account is migrated between domains: every value in SID-History is added to the account's access token at logon, exactly as if the account were a member of those principals. With Domain Administrator (or equivalent) rights, harvested or well-known SID values may be inserted into SID-History to enable impersonation of arbitrary users or groups, such as Enterprise Administrators in the forest root domain. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as Remote Services, SMB/Windows Admin Shares, or Windows Remote Management. Because SID-History is only legitimately populated by a migration, a history entry that points back into the account's own domain, or that carries a privileged RID, is a strong indicator of injection.
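The two conditions the description calls out (a SID-History entry from the account's own domain, and a SID-History entry naming a privileged principal) can be checked directly on the raw attribute values an LDAP query such as `(sIDHistory=*)` returns. The following is an added example written for this page, not Tenable's plugin logic: it decodes the binary SID format stored in objectSid/sIDHistory, then audits a constructed set of accounts. The domain SIDs, account names and the list of RIDs treated as privileged are assumptions made for the example.

```python
import struct

# RIDs treated as privileged here. Assumption: this is the example's own choice,
# not the set Tenable Identity Exposure uses. 518/519 exist only in the forest root,
# so seeing them in a child-domain account's history is especially suspicious.
PRIVILEGED_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}


def sid_bytes_to_string(raw: bytes) -> str:
    """Decode the binary SID layout used by objectSid and sIDHistory.

    Layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then N little-endian uint32s.
    """
    revision, count = raw[0], raw[1]
    if revision != 1 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(raw[2:8], "big")
    subauths = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subauths)


def sid_string_to_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_string; used here only to build sample data."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subauths = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subauths)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subauths), *subauths))


def split_sid(sid: str):
    """Split 'S-1-5-21-A-B-C-RID' into ('S-1-5-21-A-B-C', RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def audit_sid_history(accounts, own_domain_sid):
    """Return (account, history SID, reason) for every suspicious sIDHistory value.

    accounts: iterable of dicts with 'sAMAccountName' and a list of raw
    'sIDHistory' byte values, i.e. the shape an LDAP client hands back.
    """
    findings = []
    for acct in accounts:
        for raw in acct.get("sIDHistory", []):
            hist = sid_bytes_to_string(raw)
            hist_domain, rid = split_sid(hist)
            # A migration always comes from another domain; a same-domain entry
            # cannot be explained by ADMT-style tooling.
            if hist_domain == own_domain_sid:
                findings.append((acct["sAMAccountName"], hist,
                                 "sIDHistory value from the account's own domain"))
            if rid in PRIVILEGED_RIDS:
                findings.append((acct["sAMAccountName"], hist,
                                 "privileged SID: " + PRIVILEGED_RIDS[rid]))
    return findings


# Constructed sample data (assumed domain SIDs and account names, not real telemetry).
OWN_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
ROOT_DOMAIN = "S-1-5-21-1234567890-987654321-2345678901"


def sample_accounts():
    return [
        # legitimate migration: ordinary user RID from another domain
        {"sAMAccountName": "jdoe",
         "sIDHistory": [sid_string_to_bytes(ROOT_DOMAIN + "-1105")]},
        # injected: Enterprise Admins of the forest root
        {"sAMAccountName": "svc_backup",
         "sIDHistory": [sid_string_to_bytes(ROOT_DOMAIN + "-519")]},
        # injected: own domain's Domain Admins (fires both checks)
        {"sAMAccountName": "hhacker",
         "sIDHistory": [sid_string_to_bytes(OWN_DOMAIN + "-512")]},
        {"sAMAccountName": "mlee", "sIDHistory": []},
    ]


def run_demo():
    return audit_sid_history(sample_accounts(), OWN_DOMAIN)


if __name__ == "__main__":
    for name, sid, reason in run_demo():
        print("%-12s %-48s %s" % (name, sid, reason))
```

Against a live directory the same `audit_sid_history` function can be fed the `sIDHistory` values returned for `(sIDHistory=*)`; the decoder is needed because the attribute is stored as binary, not as the familiar `S-1-5-...` string.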

Products, Sensors, and Dependencies

Product: Tenable Identity Exposure

Dependencies: none listed

Data source: Active Directory

Access required: Authenticated AD User

Protocol: LDAP

Data Collected: List of Domain Users with SID-History

Notes: Plugin IDs 17-C-ACCOUNTS-DANG-SID-HISTORY:R-ACCOUNTS-DANG-SID-HISTORY-OF-PRIV-USER and 17-C-ACCOUNTS-DANG-SID-HISTORY:R-ACCOUNTS-DANG-SID-HISTORY-OF-USER-ON-SAME-DOMAIN

Attack Path Technique Details

Framework: MITRE ATT&CK

Family: Defense Evasion, Privilege Escalation

Sub-Technique: SID-History Injection

Platform: Windows

Products Required: Tenable Identity Exposure

Tenable Release Date: 2022 Q2