
SID History Injection

Cross-Domain Privilege Escalation via SID Manipulation

Inject an Enterprise Admin SID into a compromised user's sidHistory attribute to gain cross-domain access without being a member of any privileged group.

Difficulty: Advanced | Estimated time: ~5 min | MITRE ATT&CK: T1134.005

Prerequisites: Domain Admin in child domain; Mimikatz; network access to a Domain Controller
Step 1 of 3: Identify the Target SID (Enterprise Admins)

Query the forest root domain for the Enterprise Admins group SID. This group has administrative control over every domain in the AD forest. Injecting this SID into sidHistory grants equivalent access.

We are looking up the unique identifier for the "Enterprise Admins" group — the most powerful group in the entire AD forest. We plan to add this identifier to a regular user account so they get Enterprise Admin access without actually being in the group.

Detection Events

4765: SID History was added to an account

Attack Flow (diagram)

Attacker (Child DA) -> Child Domain DC -> Forest Root DC: Get EA SID
Legend: Request, Response, Attack, Data
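The detection side of this step, as an added example that is not part of the original page: event 4765 is written on the domain controller whenever a SID is added to an account's sidHistory, so the useful question for a defender is which additions look like a migration and which look like the injection described above. The script below reads constructed, simplified 4765 records (the key=value line format, the field names, the domain SID map and the sample events are all assumptions made for this example, not the exact Windows event schema), splits the added SID into its domain prefix and RID, and flags additions where the RID is a well-known privileged one (519 is Enterprise Admins, 512 Domain Admins, 518 Schema Admins, 500 the built-in Administrator), where the SID comes from the account's own domain (a migration never produces that), or where the prefix matches no domain in the forest.

```python
"""Triage Windows Security event 4765 (SID History added to an account).

All sample data below is constructed for this example; the record format is a
simplified key=value rendering, not the raw Windows event XML.
"""
import re
from dataclasses import dataclass, field

# Well-known RIDs of privileged principals (documented by Microsoft).
PRIVILEGED_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    518: "Schema Admins",
    519: "Enterprise Admins",
}

# Constructed forest map: NetBIOS domain name -> domain SID prefix.
DOMAIN_SIDS = {
    "CHILD": "S-1-5-21-7777777777-8888888888-9999999999",
    "ROOT": "S-1-5-21-1111111111-2222222222-3333333333",
}

# Constructed sample events (assumed normalised format; field names are not
# the exact Windows 4765 schema). One injection, one migration, one anomaly,
# and one unrelated logon event that must be ignored.
SAMPLE_EVENTS = [
    "EventID=4765;TargetDomain=CHILD;TargetUser=jdoe;"
    "SidHistory=S-1-5-21-1111111111-2222222222-3333333333-519",
    "EventID=4765;TargetDomain=CHILD;TargetUser=migrated1;"
    "SidHistory=S-1-5-21-1111111111-2222222222-3333333333-1105",
    "EventID=4765;TargetDomain=CHILD;TargetUser=svc-backup;"
    "SidHistory=S-1-5-21-7777777777-8888888888-9999999999-1200",
    "EventID=4624;TargetDomain=CHILD;TargetUser=jdoe",
]

# Domain SIDs are S-1-5-21-<three sub-authorities>-<RID>.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


@dataclass
class Finding:
    target_user: str
    sid: str
    severity: str
    reasons: list = field(default_factory=list)


def parse_event(line: str) -> dict:
    """Split a normalised 'key=value;key=value' record into a dict."""
    return dict(kv.split("=", 1) for kv in line.split(";") if "=" in kv)


def split_sid(sid: str):
    """Return (domain_prefix, rid) for a domain SID, or None if malformed."""
    m = SID_RE.match(sid)
    return (m.group(1), int(m.group(2))) if m else None


def assess_sid_history(target_domain: str, sid: str, domain_sids=DOMAIN_SIDS):
    """Classify one sidHistory addition; returns (severity, reasons)."""
    parsed = split_sid(sid)
    if parsed is None:
        return "medium", ["malformed or non-domain SID"]
    prefix, rid = parsed
    reasons = []
    owner = next((name for name, p in domain_sids.items() if p == prefix), None)
    if owner is None:
        reasons.append("SID prefix matches no known domain in the forest")
    elif owner == target_domain:
        reasons.append("SID from the account's own domain (never produced by a migration)")
    else:
        reasons.append(f"SID from foreign domain {owner} (expected during migrations)")
    if rid in PRIVILEGED_RIDS:
        # A privileged RID in sidHistory is the injection pattern regardless of origin.
        reasons.append(f"privileged RID {rid} ({PRIVILEGED_RIDS[rid]})")
        return "high", reasons
    if owner is None or owner == target_domain:
        return "medium", reasons
    return "info", reasons


def analyse(lines, domain_sids=DOMAIN_SIDS):
    """Run the assessment over every 4765 record; other event IDs are skipped."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4765":
            continue
        sid = ev.get("SidHistory", "")
        severity, reasons = assess_sid_history(ev.get("TargetDomain", ""), sid, domain_sids)
        findings.append(Finding(ev.get("TargetUser", "?"), sid, severity, reasons))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"[{f.severity.upper()}] {f.target_user}: {f.sid} - {'; '.join(f.reasons)}")
```

Running the block prints one line per 4765 record: the jdoe entry is rated high because the added SID carries RID 519 from the forest root, the migrated1 entry is rated info because a non-privileged foreign-domain SID is what a legitimate migration tool writes, and the svc-backup entry is rated medium because its SID belongs to the account's own domain. In production the same logic applies to an LDAP dump of the sidHistory attribute itself, which catches injections that happened before event collection was enabled.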

Content sourced from Microsoft Documentation, MITRE ATT&CK Framework, NIST SP 800-63/171, adsecurity.org (Sean Metcalf), SpecterOps research, and SANS Reading Room. For educational purposes only.