Common SID-Related Security Vulnerabilities
In Windows environments, Security Identifiers (SIDs) are the true “keys to the kingdom.” While usernames are for people, SIDs are what the operating system uses to grant access. Here are the primary ways they are exploited:
1. SID History Injection
This is a favorite technique for persistent attackers. When migrating users between domains, the sIDHistory attribute allows a user to keep their old SIDs. Attackers use tools like Mimikatz to inject the SID of a high-privilege group (like Domain Admins) into a regular user’s history.
sIDHistory attribute and clear it once migrations are complete.
2. Exploiting “Well-Known” SIDs
Some SIDs are identical on every Windows machine, such as S-1-1-0 (Everyone). Attackers look for sensitive folders or registry keys where these universal SIDs have been accidentally granted “Full Control.”
3. SID Limit / Token Bloat
Windows has a limit on how many SIDs can fit into a user’s access token (roughly 1,024). Attackers can script the addition of a victim to thousands of groups, causing their login to fail with a “Status Too Many Context IDs” error, effectively a Denial of Service (DoS) for that user.
4. SID Filtering Failures
In a “Forest Trust,” one domain trusts another. If SID Filtering is disabled, an attacker in a compromised child domain can “spoof” a SID from the parent domain to gain unauthorized access across the trust boundary.
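The following three checks are added examples for sections 2, 3 and 4 above; they are not part of the original post. Each runs on a domain-joined machine with the RSAT Active Directory module. The audited paths, the sample user name jdoe and the 900-SID warning threshold are placeholders and assumptions, not values from the article.

```powershell
Import-Module ActiveDirectory

# --- Section 2: universal SIDs granted Full Control on sensitive locations ---
# Name-independent lookup: translate each ACE principal to its SID first.
$wellKnownSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'Users'
}
# Placeholder paths; replace with the folders and registry keys you care about.
$pathsToAudit = @('C:\Windows\System32\config', 'HKLM:\SOFTWARE\ExamplePlaceholder')

function Find-WellKnownFullControl {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        if (-not (Test-Path $path)) { Write-Warning "Skipping missing path $path"; continue }
        $acl = Get-Acl -Path $path
        foreach ($ace in $acl.Access) {
            try {
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }
            if (-not $wellKnownSids.ContainsKey($sid)) { continue }
            # File ACEs carry FileSystemRights, registry ACEs carry RegistryRights
            $rights = if ($ace.PSObject.Properties['FileSystemRights']) { $ace.FileSystemRights } else { $ace.RegistryRights }
            if ($ace.AccessControlType -eq 'Allow' -and ([string]$rights) -match 'FullControl') {
                [pscustomobject]@{ Path = $path; Principal = $wellKnownSids[$sid]; Sid = $sid; Inherited = $ace.IsInherited }
            }
        }
    }
}

# --- Section 3: how many SIDs will land in a user's token ---
# tokenGroups is a constructed attribute, so it is read through ADSI with RefreshCache.
function Get-TokenSidCount {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user  = Get-ADUser -Identity $SamAccountName -Properties sidHistory
    $entry = [ADSI]"LDAP://$($user.DistinguishedName)"
    $entry.RefreshCache(@('tokenGroups'))
    $groupSids = foreach ($bytes in $entry.Properties['tokenGroups']) {
        (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    }
    # Approximation: own SID + transitive domain groups + sIDHistory entries.
    # Logon adds a handful of well-known and local SIDs on top of this.
    [pscustomobject]@{
        User       = $SamAccountName
        GroupSids  = @($groupSids).Count
        SidHistory = @($user.sidHistory).Count
        TokenSids  = 1 + @($groupSids).Count + @($user.sidHistory).Count
    }
}

# --- Section 4: trusts whose SID filtering flags are not set ---
# External trusts filter via quarantine; forest trusts expose SIDFilteringForestAware.
# Confirm anything flagged here with: netdom trust <trusting> /domain:<trusted> /quarantine
function Get-TrustSidFilteringStatus {
    Get-ADTrust -Filter * -Properties SIDFilteringQuarantined, SIDFilteringForestAware | ForEach-Object {
        $filteringOff = if ($_.ForestTransitive) { -not $_.SIDFilteringForestAware } else { -not $_.SIDFilteringQuarantined }
        [pscustomobject]@{
            Trust            = $_.Name
            Direction        = $_.Direction
            ForestTransitive = $_.ForestTransitive
            Quarantined      = $_.SIDFilteringQuarantined
            ForestAware      = $_.SIDFilteringForestAware
            ReviewNeeded     = $filteringOff
        }
    }
}

# Usage (jdoe and the 900 threshold are placeholders)
Find-WellKnownFullControl -Paths $pathsToAudit | Format-Table -AutoSize
$token = Get-TokenSidCount -SamAccountName 'jdoe'
$token
if ($token.TokenSids -ge 900) { Write-Warning "$($token.User) is approaching the ~1,024 SID token limit" }
Get-TrustSidFilteringStatus | Format-Table -AutoSize
```

The ACL check compares SIDs rather than display names so it behaves the same on non-English systems. The trust check only reports the raw attribute values and a review flag; the authoritative state of SID filtering on a trust should be verified with netdom before any change.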
Summary for Admins
SIDs are immutable; once they are assigned, they don’t change. This makes them a primary target for lateral movement and persistence. Clean Active Directory hygiene is the only way to ensure your SIDs aren’t being used against you.
The PowerShell Script
Run this on your Domain Controller or a machine with RSAT (Active Directory) tools installed.
# Define the path for the report
$reportPath = "$env:USERPROFILE\Desktop\SIDHistory_Report.html"
# Load the RSAT Active Directory module (auto-loads on current PowerShell; explicit for clarity)
Import-Module ActiveDirectory
# Get users with SID History
$usersWithSidHistory = Get-ADUser -Filter 'sidHistory -like "*"' -Properties sidHistory, DisplayName, Enabled
# Create HTML table rows (sidHistory is multi-valued, so join the entries)
$rows = foreach ($user in $usersWithSidHistory) {
"<tr>
<td>$($user.DisplayName)</td>
<td>$($user.SamAccountName)</td>
<td>$($user.sidHistory -join ', ')</td>
<td>$($user.Enabled)</td>
</tr>"
}
# Build the final HTML document (here-string: the closing "@ must start its own line)
$htmlContent = @"
<div class="sid-history-report">
<h3>Active Directory SID History Audit</h3>
<p>The following accounts have a populated SID History. Ensure these are legitimate remnants of a migration and not unauthorized persistence.</p>
<table style="width:100%; border-collapse: collapse; margin: 20px 0; font-family: sans-serif;">
<thead>
<tr style="background-color: #f2f2f2; text-align: left;">
<th style="padding: 12px; border: 1px solid #ddd;">Name</th>
<th style="padding: 12px; border: 1px solid #ddd;">Username</th>
<th style="padding: 12px; border: 1px solid #ddd;">SID History Value</th>
<th style="padding: 12px; border: 1px solid #ddd;">Enabled</th>
</tr>
</thead>
<tbody>
$($rows -join "`n")
</tbody>
</table>
</div>
"@
# Write the report to disk
$htmlContent | Out-File -FilePath $reportPath -Encoding UTF8
Write-Host "Report generated at $reportPath" -ForegroundColor Green
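As an added example (not part of the original script), the audit can go one step further and score each sIDHistory value instead of just listing it. Two indicators are used: a well-known privileged RID (500, 512, 518, 519) and a domain prefix equal to the current domain's SID, since a genuine migration brings SIDs from a different domain. The RID list and scoring rules are this example's assumptions, not the article's.

```powershell
Import-Module ActiveDirectory

# Well-known RIDs of highly privileged principals (constructed list for this example)
$privilegedRids = @{
    500 = 'Administrator'
    512 = 'Domain Admins'
    518 = 'Schema Admins'
    519 = 'Enterprise Admins'
}
$currentDomainSid = (Get-ADDomain).DomainSID.Value

# Classify one sIDHistory entry; returns the SID, a verdict and the reasons
function Test-SidHistoryEntry {
    param([Parameter(Mandatory)][string]$Sid, [Parameter(Mandatory)][string]$LocalDomainSid)
    $rid        = [int]$Sid.Split('-')[-1]
    $domainPart = $Sid.Substring(0, $Sid.LastIndexOf('-'))
    $reasons    = @()
    if ($privilegedRids.ContainsKey($rid)) {
        $reasons += "privileged RID $rid ($($privilegedRids[$rid]))"
    }
    if ($domainPart -eq $LocalDomainSid) {
        $reasons += 'SID belongs to the current domain, not a migrated one'
    }
    [pscustomobject]@{ Sid = $Sid; Suspicious = ($reasons.Count -gt 0); Reasons = ($reasons -join '; ') }
}

# Walk every account with a populated sIDHistory and score each value
$findings = Get-ADUser -Filter 'sidHistory -like "*"' -Properties sidHistory | ForEach-Object {
    $user = $_
    foreach ($entry in $user.sidHistory) {
        $verdict = Test-SidHistoryEntry -Sid $entry.Value -LocalDomainSid $currentDomainSid
        [pscustomobject]@{
            User       = $user.SamAccountName
            SidHistory = $verdict.Sid
            Suspicious = $verdict.Suspicious
            Reasons    = $verdict.Reasons
        }
    }
}

# Suspicious entries first; feed these into the HTML report or a ticket queue
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Entries that are neither privileged nor local can still be stale; the point of the scoring is to put the rows that need a same-day decision at the top of the list.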