Horizon Secured
@horizon-secured.com
horizon-secured.com
Master Windows & Active Directory Security—From Defense to Attacks.
It looks like the issue was acknowledged just for Windows 10 22H2 and Windows 10 Enterprise LTSC 2021. I have definitely seen a similar problem also on Windows 11; can somebody confirm or deny this?
May 20, 2025 at 6:00 AM
4/4 If you discover SIDHistory in your environment, it may be old migration residue or a sign of compromise.
Either way → investigate and clean it up.

👉 Have you checked your SIDHistory lately?

academy.horizon-secured.com/p/adprobe

#SIDHistory #CyberSecurity #ActiveDirectory #SecureBits
May 13, 2025 at 11:02 AM
3/4 It’s also been abused in multi-domain environments to escalate from a child domain to the parent (something you should never rely on).

⚠ Even if you think you don’t use SIDHistory, regularly scan your environment for misconfigurations like this. (✅ You can use my tool ADProbe)
May 13, 2025 at 11:02 AM
2/4 But here’s the risk 👉 whatever SID you inject behaves like a real membership.

For example:
If you inject the Enterprise Admins group SID (S-1-5-21-*-519) into a user’s SIDHistory, that user gets Enterprise Admin privileges without actually being in the group.

—it’s stealthy and powerful.
May 13, 2025 at 11:02 AM
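A defender-side check for the three posts above (scan for SIDHistory, spot injected privileged SIDs, decide what needs investigating), written as an added example; it is not code from these posts and not part of ADProbe. It assumes the RSAT ActiveDirectory module is installed and the running account can read the current domain. Every object carrying a sIDHistory value is listed, and each entry is flagged when it was issued by the current domain or the forest root (a real migration imports SIDs from the old, foreign domain, so those cannot be migration residue) or when its RID belongs to a well-known privileged group such as Enterprise Admins (519).

```powershell
# Added example: audit sIDHistory in the current domain and flag suspicious entries.
# Assumption: RSAT ActiveDirectory module present, read access to the domain.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainSid = "$($domain.DomainSID)"                      # S-1-5-21-<domain identifier>
$rootSid   = "$((Get-ADDomain -Identity (Get-ADForest).RootDomain).DomainSID)"

# Well-known RIDs in the domain SID space that should never show up via migration.
$privilegedRids = @{
    500 = 'Administrator'
    512 = 'Domain Admins'
    516 = 'Domain Controllers'
    518 = 'Schema Admins'
    519 = 'Enterprise Admins'
    520 = 'Group Policy Creator Owners'
}
# Builtin groups are issued under S-1-5-32-<RID>.
$builtinPrivileged = @{
    544 = 'Administrators'
    548 = 'Account Operators'
    549 = 'Server Operators'
    551 = 'Backup Operators'
}

$findings = foreach ($obj in Get-ADObject -LDAPFilter '(sIDHistory=*)' `
                                          -Properties sIDHistory, objectSid, sAMAccountName) {
    foreach ($historySid in $obj.sIDHistory) {
        $sidText = "$historySid"                          # SDDL form, e.g. S-1-5-21-...-519
        $parts   = $sidText -split '-'
        $rid     = [int]$parts[-1]
        $issuer  = $parts[0..($parts.Length - 2)] -join '-'  # the SID with its RID removed

        $reasons = @()
        # Issued by this domain or the forest root: cannot be residue of a migration.
        if ($issuer -eq $domainSid)   { $reasons += 'issued by the current domain' }
        elseif ($issuer -eq $rootSid) { $reasons += 'issued by the forest root domain' }

        # Privileged RID: the SID grants group-equivalent access without membership.
        if ($issuer -eq 'S-1-5-32' -and $builtinPrivileged.ContainsKey($rid)) {
            $reasons += "builtin privileged group $($builtinPrivileged[$rid])"
        } elseif ($privilegedRids.ContainsKey($rid)) {
            $reasons += "privileged RID $rid ($($privilegedRids[$rid]))"
        }

        [pscustomobject]@{
            Account    = $obj.sAMAccountName
            ObjectSid  = "$($obj.objectSid)"
            HistorySid = $sidText
            Severity   = if ($reasons.Count -gt 0) { 'INVESTIGATE' } else { 'REVIEW (possible migration residue)' }
            Reason     = $reasons -join '; '
        }
    }
}

$findings | Sort-Object Severity | Format-Table -AutoSize
```

Entries marked REVIEW are the "old migration residue" case: confirm with the migration records and clear the attribute once nothing depends on it. Entries marked INVESTIGATE match the injection pattern from post 2/4 and warrant an incident response check of who wrote the attribute and when; the domain controllers' Security log records additions as event 4765 (SID History was added to an account) and failed attempts as 4766, so keeping those events collected gives you detection of new injections rather than only periodic discovery.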