Find sigma rule
Attack: Access Token Manipulation: SID-History Injection
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
With Domain Administrator (or equivalent) rights, harvested or well-known SID values (Citation: Microsoft Well Known SIDs Jun 2017) may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as Remote Services, SMB/Windows Admin Shares, or Windows Remote Management.
MITRE
Tactic
- defense-evasion
- privilege-escalation
technique
- T1134.005
Test : Injection SID-History with mimikatz
OS
- windows
Description:
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. Must be run on domain controller
Executor
command_prompt
Sigma Rule
-
win_alert_mimikatz_keywords.yml (id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8)
-
proc_creation_win_hktl_mimikatz_command_line.yml (id: a642964e-bead-4bed-8910-1bb4d63e3b4d)