| ID | Name |
|---|---|
| ATAGS-T1079.001 | Create Process with Token |
| ATAGS-T1079.002 | Make and Impersonate Token |
| ATAGS-T1079.003 | Parent PID Spoofing |
| ATAGS-T1079.004 | SID-History Injection |
| ATAGS-T1079.005 | Token Impersonation/Theft |

Threat actors may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. Windows security uses SIDs in both security descriptors and access tokens. An account can hold additional SIDs in the SID-History Active Directory attribute, allowing interoperable account migration between domains (e.g., all values in SID-History are included in access tokens).

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
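
An audit over the SID-History attribute described above, as an added example that is not part of the original page: it flags entries that carry a well-known privileged RID, and entries whose domain part matches the account's own domain, which a migration from another domain would not produce. The record layout, the sample accounts and the two heuristics are assumptions for illustration.

```python
# Added example: audit exported account records for suspicious SID-History values.
# The records below are constructed sample data, not real accounts.

# Well-known RIDs of built-in privileged principals in a domain.
PRIVILEGED_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    518: "Schema Admins",
    519: "Enterprise Admins",
}

def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain part, RID as int)."""
    parts = sid.strip().upper().split("-")
    if len(parts) < 5 or parts[0] != "S" or not parts[-1].isdigit():
        raise ValueError(f"not a SID with a RID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])

def audit_sid_history(accounts):
    """Return (account name, SID-History value, reason) for each suspicious entry."""
    findings = []
    for acct in accounts:
        own_domain, _ = split_sid(acct["objectSid"])
        for entry in acct.get("sIDHistory", []):
            try:
                domain, rid = split_sid(entry)
            except ValueError:
                findings.append((acct["name"], entry, "malformed SID"))
                continue
            if rid in PRIVILEGED_RIDS:
                reason = f"privileged RID ({PRIVILEGED_RIDS[rid]})"
                findings.append((acct["name"], entry, reason))
            elif domain == own_domain:
                findings.append((acct["name"], entry, "SID from the account's own domain"))
    return findings

# Constructed sample export (all domain identifiers are made up).
SAMPLE_ACCOUNTS = [
    {"name": "alice", "objectSid": "S-1-5-21-1111-2222-3333-1104",
     "sIDHistory": ["S-1-5-21-4444-5555-6666-2210"]},  # migrated from another domain
    {"name": "svc-backup", "objectSid": "S-1-5-21-1111-2222-3333-1350",
     "sIDHistory": ["S-1-5-21-1111-2222-3333-512"]},   # Domain Admins of own domain
    {"name": "bob", "objectSid": "S-1-5-21-1111-2222-3333-1177",
     "sIDHistory": ["S-1-5-21-1111-2222-3333-1104"]},  # another user in own domain
    {"name": "carol", "objectSid": "S-1-5-21-1111-2222-3333-1201"},
]

if __name__ == "__main__":
    for name, sid, reason in audit_sid_history(SAMPLE_ACCOUNTS):
        print(f"{name}: {sid} -> {reason}")
```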