MITRE ATT&CK Technique
Description
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens). With Domain Administrator (or equivalent) rights, harvested or well-known SID values (Citation: Microsoft Well Known SIDs Jun 2017) may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as [Remote Services](https://attack.mitre.org/techniques/T1021), [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002), or [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006).
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-02-18T18:34:49.414Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may use SID-History Injection to escalate '
'privileges and bypass access controls. The Windows security '
'identifier (SID) is a unique value that identifies a user or '
'group account. SIDs are used by Windows security in both '
'security descriptors and access tokens. (Citation: Microsoft '
'SID) An account can hold additional SIDs in the SID-History '
'Active Directory attribute (Citation: Microsoft SID-History '
'Attribute), allowing inter-operable account migration between '
'domains (e.g., all values in SID-History are included in '
'access tokens).\n'
'\n'
'With Domain Administrator (or equivalent) rights, harvested '
'or well-known SID values (Citation: Microsoft Well Known SIDs '
'Jun 2017) may be inserted into SID-History to enable '
'impersonation of arbitrary users/groups such as Enterprise '
'Administrators. This manipulation may result in elevated '
'access to local resources and/or access to otherwise '
'inaccessible domains via lateral movement techniques such as '
'[Remote Services](https://attack.mitre.org/techniques/T1021), '
'[SMB/Windows Admin '
'Shares](https://attack.mitre.org/techniques/T1021/002), or '
'[Windows Remote '
'Management](https://attack.mitre.org/techniques/T1021/006).',
'external_references': [{'external_id': 'T1134.005',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1134/005'},
{'description': 'Microsoft. (n.d.). Security '
'Identifiers. Retrieved November 30, '
'2017.',
'source_name': 'Microsoft SID',
'url': 'https://msdn.microsoft.com/library/windows/desktop/aa379571.aspx'},
{'description': 'Microsoft. (n.d.). Active Directory '
'Schema - SID-History attribute. '
'Retrieved November 30, 2017.',
'source_name': 'Microsoft SID-History Attribute',
'url': 'https://msdn.microsoft.com/library/ms679833.aspx'},
{'description': 'Microsoft. (2017, June 23). '
'Well-known security identifiers in '
'Windows operating systems. Retrieved '
'November 30, 2017.',
'source_name': 'Microsoft Well Known SIDs Jun 2017',
'url': 'https://support.microsoft.com/help/243330/well-known-security-identifiers-in-windows-operating-systems'},
{'description': 'Microsoft. (n.d.). Active Directory '
'Cmdlets - Get-ADUser. Retrieved '
'November 30, 2017.',
'source_name': 'Microsoft Get-ADUser',
'url': 'https://technet.microsoft.com/library/ee617241.aspx'},
{'description': 'Metcalf, S. (2015, September 19). '
'Sneaky Active Directory Persistence '
'#14: SID History. Retrieved November '
'30, 2017.',
'source_name': 'AdSecurity SID History Sept 2015',
'url': 'https://adsecurity.org/?p=1772'},
{'description': 'Microsoft. (n.d.). Using '
'DsAddSidHistory. Retrieved November '
'30, 2017.',
'source_name': 'Microsoft DsAddSidHistory',
'url': 'https://msdn.microsoft.com/library/ms677982.aspx'}],
'id': 'attack-pattern--b7dc639b-24cd-482d-a7f1-8897eda21023',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'privilege-escalation'}],
'modified': '2025-10-24T17:49:16.316Z',
'name': 'SID-History Injection',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Alain Homewood, Insomnia Security',
'Vincent Le Toux'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows'],
'x_mitre_version': '1.1'}