detection.wiki

Detection rules › Splunk

Windows AD SID History Attribute Modified

Author
Mauricio Velazco, Splunk
Source
upstream

The following analytic detects modifications to the SID History attribute in Active Directory by leveraging event code 5136. This detection uses logs from the wineventlog_security data source to identify changes to the sIDHistory attribute. Monitoring this activity is crucial as the SID History attribute can be exploited by adversaries to inherit permissions from other accounts, potentially granting unauthorized access. If confirmed malicious, this activity could allow attackers to maintain persistent access and escalate privileges within the domain, posing a significant security risk.

MITRE ATT&CK coverage

TacticTechniques
Privilege EscalationT1134.005 Access Token Manipulation: SID-History Injection
Defense EvasionT1134.005 Access Token Manipulation: SID-History Injection

Event coverage

ProviderEvent IDTitle
Security-Auditing5136A directory service object was modified.

Stages and Predicates

Stage 1: search

search AttributeLDAPDisplayName="sIDHistory" EventCode=5136 OperationType="%%14674"

Stage 2: stats

stats BY _time, Computer, SubjectUserName, AttributeValue

Stage 3: rename

rename

Stage 4: search

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
AttributeLDAPDisplayNameeq
  • sIDHistory
EventCodeeq
  • 5136 corpus 22 (splunk 22)
OperationTypeeq
  • "%%14674" corpus 3 (splunk 3)

Neighbors

Broader alternatives (more inclusive than this rule)

These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.