SID-History Injection

Information

• Name: SID-History Injection

• ID: T1134.005

• Tactics: TA0005, TA0004

• Technique: T1134

Introduction

SID-History Injection (T1134.005) is a sub-technique within the MITRE ATT&CK framework categorized under Access Token Manipulation. Attackers leverage SID-History Injection to escalate privileges and maintain persistence within Active Directory environments by injecting forged or unauthorized Security Identifier (SID) entries into user accounts. This manipulation allows adversaries to impersonate privileged accounts, bypass access controls, and evade detection by appearing legitimate within the domain.

Deep Dive Into Technique

SID-History Injection involves manipulating the SID-History attribute, a special Active Directory attribute used primarily during domain migrations. This attribute allows user accounts from a migrated domain to retain access to resources in the original domain. Attackers exploit this feature to inject illegitimate SID entries, thus granting unauthorized privileges.

Technical execution typically involves:

• Gaining sufficient privileges (usually Domain Administrator or equivalent) to modify Active Directory attributes.

• Utilizing specialized tools or scripts, such as Mimikatz, PowerSploit, or custom PowerShell scripts, to inject forged SIDs into the SID-History attribute.

• Exploiting domain trusts or migrations to blend malicious SID additions with legitimate domain migration activities, making detection challenging.

Real-world procedures include:

• Enumerating AD domains and identifying privileged accounts or groups to target.

• Extracting privileged SIDs from trusted domains or accounts.

• Injecting these SIDs into compromised or attacker-controlled accounts, effectively granting elevated privileges without directly modifying group memberships.

• Leveraging injected SID-History entries to access sensitive systems and resources, bypassing standard permission checks.

When this Technique is Usually Used

Attackers typically utilize SID-History Injection during the following scenarios and stages:

• Privilege Escalation:

  • To escalate privileges from standard or compromised accounts to domain administrator or other privileged roles without directly altering group memberships.

• Persistence:

  • To maintain persistent access by embedding hidden privileges within seemingly legitimate user accounts.

• Lateral Movement:

  • To move laterally across trusted domains or forests by impersonating privileged accounts from external or trusted domains.

• Post-Exploitation:

  • After initial compromise and gaining domain-level administrative access, attackers inject SID-History attributes to maintain stealthy, long-term access.

• Domain Migration Exploitation:

  • During legitimate domain migrations, attackers may leverage the migration process to blend malicious SID injections, making detection more difficult.

How this Technique is Usually Detected

Detection of SID-History Injection involves multiple approaches and indicators, including:

• Monitoring and auditing Active Directory changes:

  • Regularly audit modifications to the SID-History attribute using event logs (Event ID 4738 for user account modifications) and specialized AD monitoring tools such as Microsoft Defender for Identity, Splunk, or Elastic Security.

• Implementing anomaly detection:

  • Detect unusual SID-History attribute additions, especially those occurring outside known migration events or involving privileged SIDs.

• Using dedicated security tools:

  • Microsoft Defender for Identity (formerly Azure Advanced Threat Protection) can detect and alert on suspicious SID-History injections.

  • BloodHound can help visualize and detect anomalous privilege paths and SID-History anomalies.

• Indicators of Compromise (IoCs):

  • Unexpected SID-History attribute entries appearing in accounts.

  • Privileged account impersonation without corresponding group membership changes.

  • Unauthorized or unexplained domain trust activities or cross-domain access anomalies.

• Regularly reviewing and validating SID-History attributes:

  • Periodic manual or automated reviews of SID-History attributes across user accounts to identify unauthorized injections.

Why it is Important to Detect This Technique

Early detection of SID-History Injection is critical due to several significant impacts:

• Privilege Escalation:

  • Attackers can rapidly escalate privileges, gaining unauthorized access to sensitive data, systems, and administrative functions.

• Persistence and Stealth:

  • Malicious SID injections provide attackers with persistent, hidden access, making it difficult for defenders to detect long-term intrusions.

• Lateral Movement Across Domains:

  • Attackers leverage injected SIDs to traverse domain trusts, expanding their access and control across multiple domains and forests.

• Evasion of Traditional Security Controls:

  • Attackers effectively bypass traditional access control mechanisms, as injected SIDs grant privileges without explicitly modifying group memberships or permissions.

• Compliance and Regulatory Risks:

  • Failure to detect and remediate SID-History Injection can result in severe compliance violations, regulatory penalties, and reputational damage.

• Operational and Financial Impact:

  • Undetected SID-History Injection can lead to prolonged compromise, data breaches, intellectual property theft, and significant financial losses due to remediation costs and business disruption.

Examples

Real-world examples and attack scenarios involving SID-History Injection include:

• APT29 (Cozy Bear) Attacks:

  • Leveraged SID-History Injection during advanced persistent threat campaigns targeting government and enterprise networks.

  • Utilized tools such as Mimikatz to inject privileged SIDs into compromised accounts, enabling stealthy lateral movement and persistent access.

• Mimikatz Tool Usage:

  • Commonly used by threat actors to inject forged SIDs into SID-History attributes.

  • Attackers execute commands such as lsadump::sid and sid::patch to manipulate SID-History attributes and escalate privileges.

• Red Team and Penetration Testing Scenarios:

  • Security professionals frequently demonstrate SID-History Injection techniques in controlled assessments to highlight vulnerabilities and illustrate the importance of robust Active Directory monitoring and defense.

• Domain Migration Exploitation:

  • Attackers exploit legitimate domain migration scenarios to blend malicious SID-History injections, making detection challenging.

  • Real-world incidents demonstrate that attackers may wait for legitimate migration events to inject unauthorized SIDs, leveraging the confusion and complexity of migration processes to evade detection.

• Operation Cloud Hopper:

  • In some cases, threat actors associated with Operation Cloud Hopper utilized SID-History Injection to maintain persistent, hidden access to cloud service providers and their customers, resulting in significant breaches and data exfiltration.

Understanding these examples highlights the critical importance of robust detection mechanisms and continuous monitoring to identify and mitigate SID-History Injection threats effectively.