Secure Bits
SID History can be a dangerous attribute.
Do you use it in your environment?
Originally, SID History was used during Active Directory migrations: the SID of the account in the old domain is copied into the sIDHistory attribute of the new account, so the migrated user keeps access to resources whose ACLs still reference the old SID.
But here's the risk: whatever SID you inject behaves like a real membership. At logon, every SID in sIDHistory is added to the user's access token next to the real group SIDs, and no access check can tell the two apart.
For example:
If you inject the Enterprise Admins group SID (S-1-5-21-<forest root domain>-519) into a user's sIDHistory, that user holds Enterprise Admin rights on every access check without ever appearing in the group's member list. The attribute is system-protected, so this is not a casual LDAP write: it takes the DsAddSidHistory API with administrative rights in both domains, a compromised domain controller, or a forged Kerberos ticket that carries the extra SID in its PAC.
Attackers love this trick: it's stealthy and powerful. Group membership reports stay clean, because the account is never actually a member of anything.
It has also been abused in multi-domain environments to escalate from a child domain to the parent: forge a ticket in the child that carries the forest root's Enterprise Admins SID as an extra SID, and the parent accepts it, because SID filtering is not applied on trusts inside a forest by default (the forest, not the domain, is the security boundary; something you should never rely on).
Even if you think you don't use SIDHistory, regularly scan your environment for misconfigurations like this. (You can use my tool, ADProbe, to help: https://academy.horizon-secured.com/p/adprobe)
If you discover SIDHistory in your environment, it may be old migration residue or a sign of compromise.
Either way: investigate and clean it up.
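Here is a triage script for that scan. It is an added example, not part of the original post and not ADProbe. It assumes the RSAT ActiveDirectory module and read access to every domain in the forest; the RID table and the two flagging rules are my own choices. It lists every object that carries sIDHistory and marks an entry as suspicious when its RID is a well-known privileged one (or any reserved RID below 1000, since migrated user accounts always carry RIDs of 1000 and above), or when the SID belongs to a domain in the current forest, which an inter-forest migration cannot explain.

```powershell
# Added example (not from the original post, not ADProbe): enumerate sIDHistory
# across the forest and flag entries that deserve an investigation.
# Assumes: RSAT ActiveDirectory module, read access to all forest domains.
Import-Module ActiveDirectory

# Well-known RIDs that attackers inject; the RID is the last SID sub-authority.
# Any RID below 1000 is reserved, so unlisted low RIDs are flagged too.
$PrivilegedRids = @{
    500 = 'Administrator'
    512 = 'Domain Admins'
    516 = 'Domain Controllers'
    518 = 'Schema Admins'
    519 = 'Enterprise Admins'
    520 = 'Group Policy Creator Owners'
    526 = 'Key Admins'
    527 = 'Enterprise Key Admins'
    544 = 'Administrators (BUILTIN)'
}

# Domain SIDs of every domain in this forest. A sIDHistory entry pointing at one
# of these is not migration residue from a foreign, retired domain.
$ForestDomainSids = @((Get-ADForest).Domains | ForEach-Object {
    (Get-ADDomain -Server $_).DomainSID.Value
})

function Get-SidHistoryFindings {
    foreach ($obj in Get-ADObject -LDAPFilter '(sidHistory=*)' -Properties sidHistory, sAMAccountName) {
        foreach ($sid in $obj.sidHistory) {
            # The module normally returns SecurityIdentifier objects; convert raw bytes just in case.
            if ($sid -is [byte[]]) {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($sid, 0)
            }
            $sidString = [string]$sid                                # e.g. S-1-5-21-...-519
            $rid       = [int]($sidString -split '-')[-1]
            $domainSid = $sidString.Substring(0, $sidString.LastIndexOf('-'))

            $reasons = @()
            if ($PrivilegedRids.ContainsKey($rid)) {
                $reasons += "privileged RID $rid ($($PrivilegedRids[$rid]))"
            } elseif ($rid -lt 1000) {
                $reasons += "reserved well-known RID $rid"
            }
            if ($ForestDomainSids -contains $domainSid) {
                $reasons += 'SID belongs to a domain in this forest'
            }

            [pscustomobject]@{
                Object     = $obj.DistinguishedName
                Account    = $obj.sAMAccountName
                HistorySid = $sidString
                Suspicious = ($reasons.Count -gt 0)
                Reason     = ($reasons -join '; ')
            }
        }
    }
}

Get-SidHistoryFindings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Entries that come back unflagged still need a story: they should map to a documented migration from a source domain you can name. Anything flagged, especially a privileged RID or a SID from your own forest, is treated as a compromise indicator until proven otherwise, and the fix after the investigation is to clear the attribute with Set-ADObject -Clear sidHistory rather than leave it in place.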
Have you checked your SIDHistory lately?
