Detection rules › Sigma
Addition of SID History to Active Directory Object
An attacker can use the SID history attribute to gain additional privileges.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Privilege Escalation | T1134.005 Access Token Manipulation: SID-History Injection |
| Defense Evasion | T1134.005 Access Token Manipulation: SID-History Injection |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4738 | A user account was changed. |
| Security-Auditing | 4765 | SID History was added to an account. |
| Security-Auditing | 4766 | An attempt to add SID History to an account failed. |
Stages and Predicates
Stage 1: selection1
Stage 2: selection2
Stage 3: not selection3
SidHistory: ['%%1793', -]
Stage 4: not filter_null
SidHistory: null
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
SidHistory | eq |
|
Neighbors
Often fire together
Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.
- User Added to Privileged Group in Active Directory
- A Member Was Added to a Security-Enabled Global Group
- Add or Remove Computer from DC
- Detect New Local Admin account
- Windows AD Cross Domain SID History Addition
- Windows AD Privileged Account SID History Addition
- Windows AD Same Domain SID History Addition
- Windows Increase in User Modification Activity