Security Identifier (SID) History injection is a sophisticated cyberattack vector that targets Windows Active Directory environments. This attack exploits the SID History attribute, which is intended to maintain user access rights during migrations from one domain to another. By injecting malicious SID values into this attribute, an attacker can escalate privileges and gain unauthorized access to resources within the Active Directory environment.

What is SID History injection?

SID History injection involves the unauthorized modification of the SID History attribute of a compromised user account in Active Directory. This attribute typically stores previous SIDs from older domains when a user or group is migrated to a new domain. The purpose is to maintain the user’s or group’s access to resources.

Attackers exploit this feature by inserting a SID that corresponds to a high-privilege group, such as Domain Admins, into the attribute. The attacker can then use the account to escalate privileges, create back doors, or exfiltrate data.

SID History injection is considered a sophisticated attack vector because it:

Requires in-depth knowledge of Active Directory and elevated privileges

Bypasses standard security measures that look for direct changes to group membership

Leverages a deep understanding of Active Directory and Windows authentication mechanisms

How does SID History injection work?

Certain elements can make environments particularly vulnerable to SID History injection. These aspects include:

Legacy systems: Legacy systems, particularly those that have been through several domain migrations, might retain outdated security protocols and configurations that do not align with modern security best practices. These systems often have residual SID History attributes that might be overlooked during security audits.

Overlooked SIDs: During migrations, SID History attributes can accumulate. Older SIDs that are no longer relevant or have been decommissioned might not be cleared properly, leaving a back door for attackers.

Complex migrations: In complex environments where migrations involve consolidating multiple domains, the SID History can become a repository of numerous legacy SIDs, increasing the attack surface.

Misconfigured permissions: Proper configuration of permissions within Active Directory is critical. Misconfigured permissions that allow non-administrative accounts to write to SID History attributes can be catastrophic.

Overly broad access controls: Granting broad permissions can result in non-administrative users having the ability to modify sensitive attributes, either directly or through group memberships.

Delegated administration: In large organizations, delegation of administrative tasks is common. If not properly overseen, this can lead to users having more permissions than necessary, including the ability to alter SID History.

Lack of alerting systems: Many organizations do not have alerting systems configured to notify of changes to critical attributes within Active Directory.

Inadequate audit policies: Active Directory might not have default auditing settings configured to track changes to SID History attributes, especially if the organization has not identified SID History injection as a potential risk.

A SID History injection attack involves several steps that enable the attacker to increase their hold over the compromised environment.

Step 1. Initial compromise

An attacker often initiates a SID History injection attack by first gaining a foothold within the network. This breach can be achieved through various methods:

Phishing: Sending crafted emails that appear legitimate, tricking users into providing credentials

Exploiting known vulnerabilities: Targeting unpatched systems or using zero-day exploits

Social engineering: Manipulating individuals into breaking standard security protocols

In one example, attackers targeted a financial institution. The malicious actors tricked an employee into opening a document that exploited a vulnerability in the company’s document reader software. This exploit led to the execution of malicious code and the establishment of a back door.

Step 2: Enumeration of the AD environment

Once inside, the attacker enumerates the Active Directory environment. This step might involve the use of:

LDAP queries to retrieve information about user accounts and their associated permissions

PowerShell scripts to automate the collection of data regarding the Active Directory structure

Active Directory reconnaissance tools such as BloodHound, which can illustrate privilege relationships in Active Directory

This enumeration enables attackers to discover accounts with elevated (but poorly monitored) privileges.

Step 3: SID History modification

Armed with the right access, the attacker then proceeds to:

Identify a target account: This might be an account that is not heavily used or monitored, known as an orphaned account.

Modify the SID History attribute: Using a tool like Mimikatz, the attacker injects a SID into the SID History of the targeted account. This SID matches the SID of a high-privileged group, such as Domain Admins.

One notable case involved a technology company. An attacker added the SID of the Enterprise Admins group to a service account that typically did not require such high privileges.

Step 4: Privilege escalation

With the SID History attribute modified, the attacker can now:

Access resources: The target account—and thus the attacker—can now access resources that are permitted only to the matched high-privilege group.

Create back doors: The attacker can establish additional accounts or modify existing accounts to secure persistent access in the environment.

During the breach of one government entity, malicious actors used this method to escalate privileges and create backdoor accounts for persistent access. The attackers then used those accounts to exfiltrate sensitive data over an extended period.

What risks are associated with SID History injection?

The risks of SID History injection include:

Unauthorized access: Attackers gain access to sensitive areas of the network, leading to data breaches.

Privilege escalation: Attackers elevate privileges without direct modification of group memberships to avoid detection.

Persistence: Attackers can use injected SIDs to maintain access even after a password change or account disablement.

Lateral movement: SID History injection facilitates lateral movement within the network, leading to wider compromise.

Cyberattackers have used this method in multi-stage intrusions, compounding the initial breach through SID History injection and causing significant data exfiltration and system damage.

How can you detect a SID History injection attack

To detect SID History injection:

Review audit logs: Regularly review Active Directory audit logs for unexpected modifications to the SID History attribute.

Configure SIEM alerts: Configure Security Information and Event Management (SIEM) systems to alert on SID History modifications. Without adequate monitoring, changes to SID History attributes can go unnoticed.

Regularly audit the Active Directory attack surface: Use Active Directory security tools to scan for accounts with SID History attributes that do not align with known migrations. Such tools can also detect indicators of compromise that SIEM systems might miss.

How can you mitigate a SID History injection attack?

By understanding and addressing vulnerable aspects, organizations can significantly reduce the risk of SID History injection. Mitigation strategies include the following:

Upgrade legacy systems: Upgrade or decommission legacy systems and ensure that all SID History attributes are appropriately managed and cleared during domain migrations.

Review permissions: Verify that only trusted accounts have permissions to write to the SID History attribute.

Implement least privilege: Regularly audit permissions and verify that only the necessary rights are granted to users.

Use PAM solutions: Implement Privileged Access Management (PAM) solutions to limit and control privileged access.

Enhance monitoring: Implement advanced Active Directory monitoring solutions that alert on changes to critical attributes like SID History.

Patch and update: Keep all systems patched and updated to prevent initial compromise vectors.

In addition, Active Directory admins should take the following steps:

Enable auditing: Audit Active Directory for changes to SID History. Ideally, enable automated rollback of such changes until they can be verified as legitimate.

Implement least privilege: Apply the principle of least privilege to all Active Directory accounts.

Educate staff: Train IT staff to recognize the signs of SID History injection and respond appropriately.

Conduct regular reviews: Conduct periodic access reviews for high-privilege groups.

Guard against SID History injection

SID History injection is a stealthy attack that can lead to significant security breaches. The attack’s subtlety and complexity make it particularly dangerous, as it can often remain undetected without specific controls and monitoring focused on the SID History attribute. Real-life incidents underscore the need for robust security measures and constant vigilance.

Organizations should establish robust security practices—including regular monitoring, least privilege access, and user education—to protect against such attacks.
Organizations must also remain vigilant and proactive in safeguarding their Active Directory environments to counter SID History injection and other emerging threats.

The post How to Defend Against SID History Injection appeared first on Semperis.