Accounts With a Dangerous SID History Attribute

high

Language:

Description

In migration scenarios, administrators use the SID History mechanism, but attackers can exploit it to escalate their privileges.

Solution

You should remove dangerous values stored for migration purposes.

See Also

How to remove SID History with PowerShell

Security Considerations for Trusts

Indicator Details

Name: Accounts With a Dangerous SID History Attribute

Codename: C-ACCOUNTS-DANG-SID-HISTORY

Severity: High

MITRE ATT&CK Information:

Tactic: TA0001 - Initial Access
- Techniques: T1199 - Trusted Relationship
Tactic: TA0008 - Lateral Movement
- Techniques: T1550 - Use Alternate Authentication Material
Tactic: TA0003 - Persistence
Tactic: TA0004 - Privilege Escalation
- Techniques: T1134.005 - Access Token Manipulation