Accounts With a Dangerous SID History Attribute

high

Description

In migration scenarios, administrators use the SID History mechanism, but attackers can exploit it to escalate their privileges.

Solution

Remove the dangerous SID History values that were stored for migration purposes.
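
To find the values to review, the read-only audit below lists every sIDHistory entry in the current domain. It is an added example, not part of the indicator or of Tenable's own tooling, and it assumes the ActiveDirectory RSAT module is available. The triage rules (same-domain SID, RID below 1000) are assumptions of this example about what counts as dangerous.

```powershell
# Added example: read-only audit of sIDHistory values in the current domain.
Import-Module ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID.Value

# Every object (user, group, computer) carrying at least one sIDHistory value.
$objects = Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory

$findings = foreach ($obj in $objects) {
    foreach ($sid in $obj.sIDHistory) {
        $value = $sid.Value
        $rid   = [uint32]($value.Split('-')[-1])

        # AccountDomainSid is $null for non-domain SIDs such as BUILTIN (S-1-5-32-*).
        $sidDomain = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { $null }

        # Triage rules below are assumptions of this example, not the indicator's logic.
        $reason = if ($sidDomain -eq $domainSid) {
            'Same-domain SID: cannot come from a cross-domain migration'
        } elseif ($rid -lt 1000) {
            'Well-known or built-in principal (RID below 1000)'
        } else {
            'Foreign-domain SID: confirm the migration still needs it'
        }

        [pscustomobject]@{
            DistinguishedName = $obj.DistinguishedName
            ObjectClass       = $obj.ObjectClass
            SidHistory        = $value
            Reason            = $reason
        }
    }
}

$findings | Sort-Object Reason, DistinguishedName | Format-Table -AutoSize -Wrap

# Removal is a separate, deliberate step once a value is confirmed unneeded.
# Placeholders must be filled in by hand; -WhatIf shows the change without applying it.
# Set-ADObject -Identity '<distinguished name>' -Remove @{ sIDHistory = '<SID value>' } -WhatIf
```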

See Also

How to remove SID History with PowerShell

Security Considerations for Trusts

Indicator Details

Name: Accounts With a Dangerous SID History Attribute

Codename: C-ACCOUNTS-DANG-SID-HISTORY

Severity: High

MITRE ATT&CK Information:

Tactics: TA0008, TA0004, TA0003, TA0001

Techniques: T1550, T1134.005, T1199