Detection rules › Splunk
Windows AD Cross Domain SID History Addition
The following analytic detects changes to the sIDHistory attribute of user or computer objects across different domains. It leverages Windows Security Event Codes 4738 and 4742 to identify when the sIDHistory attribute is modified. This activity is significant because the sIDHistory attribute allows users to inherit permissions from other AD accounts, which can be exploited by adversaries for inter-domain privilege escalation and persistence. If confirmed malicious, this could enable attackers to gain unauthorized access to resources, maintain persistence, and escalate privileges across domain boundaries.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Privilege Escalation | T1134.005 Access Token Manipulation: SID-History Injection |
| Defense Evasion | T1134.005 Access Token Manipulation: SID-History Injection |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4738 | A user account was changed. |
| Security-Auditing | 4742 | A computer account was changed. |
Stages and Predicates
Stage 1: search
search (EventCode=4738 OR EventCode=4742) NOT SidHistory IN ("%%1793", "-")
Stage 2: rex
rex field=SidHistory ...
Stage 3: rex
rex field=TargetSid ...
Stage 4: where
where SidHistoryMatch!=
Stage 5: rename
rename
Stage 6: table
table Logon_ID, SidHistory, _time, action, dest, host, src_user, status, user, userSid
Stage 7: search
search `macro`
Exclusions
Top-level NOT(...) conjuncts — predicates this rule actively suppresses.
| Stage | Field | Kind | Excluded values |
|---|---|---|---|
| 1 | SidHistory | in | "%%1793", - |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
Neighbors
Often fire together
Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.
- User Added to Privileged Group in Active Directory
- A Member Was Added to a Security-Enabled Global Group
- Add or Remove Computer from DC
- Addition of SID History to Active Directory Object
- Detect New Local Admin account
- Windows AD Privileged Account SID History Addition
- Windows AD Same Domain SID History Addition
- Windows Increase in User Modification Activity
Share event IDs (chain-detection candidates)
Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.