Detection rules › Splunk
Windows AD Privileged Account SID History Addition
The following analytic identifies when the SID of a privileged user is added to the SID History attribute of another user. It leverages Windows Security Event Codes 4742 and 4738, combined with identity lookups, to detect this activity. This behavior is significant as it may indicate an attempt to abuse SID history for unauthorized access across multiple domains. If confirmed malicious, this activity could allow an attacker to escalate privileges or maintain persistent access within the environment, posing a significant security risk.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Privilege Escalation | T1134.005 Access Token Manipulation: SID-History Injection |
| Defense Evasion | T1134.005 Access Token Manipulation: SID-History Injection |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4738 | A user account was changed. |
| Security-Auditing | 4742 | A computer account was changed. |
Stages and Predicates
Stage 1: search
search NOT SidHistory IN ("%%1793", "-") EventCode IN (4738, 4742)
Stage 2: rex
rex field=SidHistory ...
Stage 3: eval
eval ...
Stage 4: lookup
lookup <lookup> SidHistory, category, identity, identity_tag, match
Stage 5: where
where isnotnull(match)
Stage 6: rename
rename
Stage 7: table
table Logon_ID, SidHistory, _time, action, dest, host, src_user, status, user, userSid
Stage 8: search
search `macro`
Exclusions
Top-level NOT(...) conjuncts — predicates this rule actively suppresses.
| Stage | Field | Kind | Excluded values |
|---|---|---|---|
| 1 | SidHistory | in | "%%1793", - |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | in |
|
Neighbors
Often fire together
Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.
- User Added to Privileged Group in Active Directory
- A Member Was Added to a Security-Enabled Global Group
- Add or Remove Computer from DC
- Addition of SID History to Active Directory Object
- Detect New Local Admin account
- Windows AD Cross Domain SID History Addition
- Windows AD Same Domain SID History Addition
- Windows Increase in User Modification Activity
Share event IDs (chain-detection candidates)
Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.