MITRE ATT&CK Technique
Description
The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).

Adversaries may use this mechanism for privilege escalation. With Domain Administrator (or equivalent) rights, harvested or well-known SID values (Citation: Microsoft Well Known SIDs Jun 2017) may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as [Remote Services](https://attack.mitre.org/techniques/T1021), [Windows Admin Shares](https://attack.mitre.org/techniques/T1077), or [Windows Remote Management](https://attack.mitre.org/techniques/T1028).
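An added example (not part of the original page or of MITRE's data) of auditing exported directory accounts for the condition described above: it decodes binary objectSid and sIDHistory values and flags history entries that carry a well-known privileged RID or, as a heuristic assumed here, a SID from the account's own domain, which a cross-domain migration would not produce. The function names and the sample accounts are constructed for illustration.

```python
import struct

# Well-known domain-relative RIDs that grant broad privilege.
PRIVILEGED_RIDS = {500: "Administrator", 512: "Domain Admins",
                   518: "Schema Admins", 519: "Enterprise Admins"}

def sid_to_str(raw):
    """Decode a binary SID as stored in objectSid / sIDHistory."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("length does not match sub-authority count")
    subs = struct.unpack(f"<{raw[1]}I", raw[8:])    # little-endian sub-authorities
    authority = int.from_bytes(raw[2:8], "big")     # 48-bit big-endian authority
    return "-".join(map(str, ("S", raw[0], authority, *subs)))

def sid_to_bytes(sid):
    """Inverse of sid_to_str; used here only to build the sample data."""
    _, rev, auth, *subs = sid.split("-")
    return (bytes([int(rev), len(subs)]) + int(auth).to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *map(int, subs)))

def split_domain_rid(sid):
    """Return (domain SID, RID) for an S-1-5-21-... account SID, else (None, None)."""
    parts = sid.split("-")
    if parts[:4] == ["S", "1", "5", "21"] and len(parts) == 8:
        return "-".join(parts[:7]), int(parts[7])
    return None, None

def audit_account(name, object_sid, sid_history):
    """Return (account, sid, reason) findings for one account's sIDHistory."""
    own_domain, _ = split_domain_rid(sid_to_str(object_sid))
    findings = []
    for raw in sid_history:
        try:
            sid = sid_to_str(raw)
        except ValueError as exc:
            findings.append((name, raw.hex(), f"malformed: {exc}"))
            continue
        domain, rid = split_domain_rid(sid)
        if domain is not None and domain == own_domain:  # heuristic (assumption)
            findings.append((name, sid, "SID from the account's own domain"))
        if rid in PRIVILEGED_RIDS:
            findings.append((name, sid, "privileged: " + PRIVILEGED_RIDS[rid]))
    return findings

# Constructed sample: (sAMAccountName, objectSid, [sIDHistory values]).
DOM, OLD = "S-1-5-21-1111-2222-3333", "S-1-5-21-4444-5555-6666"
SAMPLE = [("migrated.user", sid_to_bytes(DOM + "-1104"), [sid_to_bytes(OLD + "-2001")]),
          ("svc.backup", sid_to_bytes(DOM + "-1105"), [sid_to_bytes(DOM + "-519")])]
ALL_FINDINGS = [f for acct in SAMPLE for f in audit_account(*acct)]
```
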
Supported Platforms
Windows
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2018-01-16T16:13:52.465Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'The Windows security identifier (SID) is a unique value that '
                'identifies a user or group account. SIDs are used by Windows '
                'security in both security descriptors and access tokens. '
                '(Citation: Microsoft SID) An account can hold additional SIDs '
                'in the SID-History Active Directory attribute (Citation: '
                'Microsoft SID-History Attribute), allowing inter-operable '
                'account migration between domains (e.g., all values in '
                'SID-History are included in access tokens).\n'
                '\n'
                'Adversaries may use this mechanism for privilege escalation. '
                'With Domain Administrator (or equivalent) rights, harvested '
                'or well-known SID values (Citation: Microsoft Well Known SIDs '
                'Jun 2017) may be inserted into SID-History to enable '
                'impersonation of arbitrary users/groups such as Enterprise '
                'Administrators. This manipulation may result in elevated '
                'access to local resources and/or access to otherwise '
                'inaccessible domains via lateral movement techniques such as '
                '[Remote Services](https://attack.mitre.org/techniques/T1021), '
                '[Windows Admin '
                'Shares](https://attack.mitre.org/techniques/T1077), or '
                '[Windows Remote '
                'Management](https://attack.mitre.org/techniques/T1028).',
 'external_references': [{'external_id': 'T1178',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1178'},
                         {'description': 'Microsoft. (n.d.). Security '
                                         'Identifiers. Retrieved November 30, '
                                         '2017.',
                          'source_name': 'Microsoft SID',
                          'url': 'https://msdn.microsoft.com/library/windows/desktop/aa379571.aspx'},
                         {'description': 'Microsoft. (n.d.). Active Directory '
                                         'Schema - SID-History attribute. '
                                         'Retrieved November 30, 2017.',
                          'source_name': 'Microsoft SID-History Attribute',
                          'url': 'https://msdn.microsoft.com/library/ms679833.aspx'},
                         {'description': 'Microsoft. (2017, June 23). '
                                         'Well-known security identifiers in '
                                         'Windows operating systems. Retrieved '
                                         'November 30, 2017.',
                          'source_name': 'Microsoft Well Known SIDs Jun 2017',
                          'url': 'https://support.microsoft.com/help/243330/well-known-security-identifiers-in-windows-operating-systems'},
                         {'description': 'Microsoft. (n.d.). Active Directory '
                                         'Cmdlets - Get-ADUser. Retrieved '
                                         'November 30, 2017.',
                          'source_name': 'Microsoft Get-ADUser',
                          'url': 'https://technet.microsoft.com/library/ee617241.aspx'},
                         {'description': 'Metcalf, S. (2015, September 19). '
                                         'Sneaky Active Directory Persistence '
                                         '#14: SID History. Retrieved November '
                                         '30, 2017.',
                          'source_name': 'AdSecurity SID History Sept 2015',
                          'url': 'https://adsecurity.org/?p=1772'},
                         {'description': 'Microsoft. (n.d.). Using '
                                         'DsAddSidHistory. Retrieved November '
                                         '30, 2017.',
                          'source_name': 'Microsoft DsAddSidHistory',
                          'url': 'https://msdn.microsoft.com/library/ms677982.aspx'}],
 'id': 'attack-pattern--1df0326d-2fbc-4d08-a16b-48365f1e742d',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'privilege-escalation'}],
 'modified': '2025-10-24T17:48:29.579Z',
 'name': 'SID-History Injection',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': True,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Vincent Le Toux',
                          'Alain Homewood, Insomnia Security'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Windows'],
 'x_mitre_version': '1.1'}