SID-History Injection (T1178)


Technique & Subtechniques

  • SID-History Injection

Associated Tactics

  • Privilege Escalation

Privilege Escalation (TA0004)

The adversary is trying to gain higher-level permissions.

Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Examples of elevated access include:

  • SYSTEM/root level
  • local administrator
  • user account with admin-like access
  • user accounts with access to a specific system or able to perform a specific function

These techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context.

Procedure Examples

Source(s)

  • Microsoft SID: Microsoft. (n.d.). Security Identifiers. Retrieved November 30, 2017.
  • Microsoft SID-History Attribute: Microsoft. (n.d.). Active Directory Schema - SID-History attribute. Retrieved November 30, 2017.
  • Microsoft Well Known SIDs Jun 2017: Microsoft. (2017, June 23). Well-known security identifiers in Windows operating systems. Retrieved November 30, 2017.
  • Microsoft Get-ADUser: Microsoft. (n.d.). Active Directory Cmdlets - Get-ADUser. Retrieved November 30, 2017.
  • AdSecurity SID History Sept 2015: Metcalf, S. (2015, September 19). Sneaky Active Directory Persistence #14: SID History. Retrieved November 30, 2017.
  • Microsoft DsAddSidHistory: Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November 30, 2017.