Why this module exists. Forest trusts were Microsoft's promise that the forest boundary was a hard security boundary. SID filtering, on by default for forest trusts since they were introduced in Windows Server 2003 (and for external trusts since Windows 2000 SP4), was the control that made the promise real. But every year a new variation on SID-History abuse shows the boundary is not as hard as the marketing says, usually because an administrator switched the control off to make a migration work. This module walks the canonical attack, the modern variations, and where the boundary actually lives.
What SID History actually is
SID History is the sIDHistory attribute on a user, group, or computer object. It is a multi-valued attribute holding SIDs the principal used to have. When a DC builds a Kerberos ticket for the principal, every value in sIDHistory is written into the PAC (Privilege Attribute Certificate) alongside the principal's current SID and group SIDs; the NTLM pass-through validation response carries the same set. Every Windows machine the principal authenticates to copies those SIDs into the access token and evaluates access against the union of all of them, with no distinction between a current SID and a historical one.
The legitimate use: a company merger. Alice was contoso\alice with SID S-1-5-21-AAAA. After migration she becomes fabrikam\alice with SID S-1-5-21-BBBB. Resources in contoso still carry ACEs for Alice's old SID. Putting S-1-5-21-AAAA in her sIDHistory keeps that access working while she lives in fabrikam. The catch is that S-1-5-21-AAAA is a contoso SID arriving from fabrikam, which is exactly what SID filtering on the contoso-to-fabrikam trust is designed to strip, so migration guides tell the administrator to disable it (netdom trust /quarantine:no on an external trust, /enablesidhistory:yes on a forest trust). That is the configuration the rest of this module abuses.
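To make the mechanism concrete, the following is an added example (not code from the module) that models how sIDHistory flows into the PAC and what a quarantined trust strips on the way in. The domain SIDs, the principals alice and mallory, and the ACLs are constructed; the filter is simplified to "keep a SID only if its domain prefix is the trusted domain's SID", and the fixed list of well-known SIDs that real SID filtering also removes is not modelled.

```python
"""Simplified model of sIDHistory -> PAC -> SID filtering (added example, not module code)."""
from dataclasses import dataclass, field

# Constructed domain SIDs for the merger example: contoso is the trusting (resource)
# domain, fabrikam the trusted domain Alice now lives in.
CONTOSO_SID = "S-1-5-21-1111-1111-1111"
FABRIKAM_SID = "S-1-5-21-4444-4444-4444"
ENTERPRISE_ADMINS_RID = 519  # well-known RID of the forest root's Enterprise Admins group


def domain_of(sid: str) -> str:
    """Return the domain prefix of a SID, i.e. everything before the final RID."""
    return sid.rsplit("-", 1)[0]


@dataclass
class Principal:
    sid: str
    group_sids: list[str]
    sid_history: list[str] = field(default_factory=list)


def build_pac_sids(p: Principal) -> list[str]:
    """SIDs the KDC writes into the PAC: own SID, group SIDs, and every sIDHistory value."""
    return [p.sid, *p.group_sids, *p.sid_history]


def sid_filter(pac_sids: list[str], trusted_domain_sid: str) -> tuple[list[str], list[str]]:
    """Quarantine-style filtering applied by the trusting domain (simplified assumption).

    Only SIDs whose domain prefix equals the trusted domain's SID survive. Everything
    else, including SIDs that claim to belong to the trusting domain itself, is dropped.
    """
    kept: list[str] = []
    dropped: list[str] = []
    for sid in pac_sids:
        (kept if domain_of(sid) == trusted_domain_sid else dropped).append(sid)
    return kept, dropped


def access_granted(effective_sids: list[str], acl_allow_sids: list[str]) -> bool:
    """Access check: any token SID matching an allow ACE grants access."""
    return not set(effective_sids).isdisjoint(acl_allow_sids)


# Alice after migration: a fabrikam account carrying her old contoso SID in sIDHistory.
ALICE = Principal(
    sid=f"{FABRIKAM_SID}-1105",
    group_sids=[f"{FABRIKAM_SID}-513"],   # Domain Users in fabrikam
    sid_history=[f"{CONTOSO_SID}-1105"],  # her pre-migration contoso SID
)
CONTOSO_SHARE_ALLOW = [f"{CONTOSO_SID}-1105"]  # a contoso share still ACLing the old SID

# Mallory controls fabrikam and injects contoso's Enterprise Admins SID into sIDHistory.
MALLORY = Principal(
    sid=f"{FABRIKAM_SID}-1200",
    group_sids=[f"{FABRIKAM_SID}-513"],
    sid_history=[f"{CONTOSO_SID}-{ENTERPRISE_ADMINS_RID}"],
)
CONTOSO_EA_ALLOW = [f"{CONTOSO_SID}-{ENTERPRISE_ADMINS_RID}"]


def legacy_access(principal: Principal, acl: list[str], filtering_on: bool) -> bool:
    """What contoso decides for a fabrikam principal with SID filtering on or off."""
    pac = build_pac_sids(principal)
    if filtering_on:
        pac, _ = sid_filter(pac, FABRIKAM_SID)
    return access_granted(pac, acl)


if __name__ == "__main__":
    for name, p, acl in (("alice", ALICE, CONTOSO_SHARE_ALLOW),
                         ("mallory", MALLORY, CONTOSO_EA_ALLOW)):
        print(f"{name}: filtering off -> {legacy_access(p, acl, False)}, "
              f"filtering on -> {legacy_access(p, acl, True)}")
```

Run it and both rows come out the same way: with filtering off, Alice keeps her legacy share access and Mallory's forged Enterprise Admins SID is honoured; with filtering on, both contoso SIDs are dropped before the token is built. The legitimate migration case and the attack are indistinguishable to the filter, which is why the control gets disabled and why the attack keeps working.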