Detection rules › By eventMicrosoft-Windows-Security-Auditing event 473811 detection rules reference this event. View event page.Sigma (3)Active Directory User Backdoors severity high T1098 Addition of SID History to Active Directory Object severity medium T1134.005 Weak Encryption Enabled and Kerberoast severity high T1562.001 Elastic (3)Account Configured with Never-Expiring Password T1098 Kerberos Pre-authentication Disabled for User T1078, T1078.002, T1098, T1558, T1558.004, T1562 KRBTGT Delegation Backdoor T1098, T1558 Splunk (5)Kerberos Pre-Authentication Flag Disabled in UserAccountControl T1558.004 Windows AD Cross Domain SID History Addition T1134.005 Windows AD Privileged Account SID History Addition T1134.005 Windows AD Same Domain SID History Addition T1134.005 Windows Increase in User Modification Activity T1098, T1562