title: SID-History Injection (T1134.005)
id: df00tech-t1134-005
status: experimental
description: "Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. An account can hold additional SIDs in the SID-History Active Directory attribute, allowing inter-operable account migration between domains. With Domain Administrator (or equivalent) rights, harvested or well-known SID values may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as Remote Services, SMB/Windows Admin Shares, or Windows Remote Management."
references:
  - https://attack.mitre.org/techniques/T1134/005/
  - https://df00tech.com/detections/T1134.005
author: df00tech
date: 2026/04/20
tags:
  - attack.t1134.005
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate Active Directory domain consolidations or migrations using Microsoft ADMT (Active Directory Migration Tool), which intentionally populates sIDHistory to preserve resource access for migrated accounts"
  - "Third-party AD migration tools (Quest Migration Manager, Binary Tree CMN, Dell Migration Manager) that use SID-History as part of their standard inter-domain migration workflow"
  - "Event 4766 (failed SID add) may appear when domain or forest functional level requirements for SID History are not met, such as when SID filtering is enforced on the domain trust"
  - Authorized red team or penetration testing engagements with explicit Domain Admin access — coordinate with your security team to suppress during approved test windows
level: critical