Type: Detection | Level: medium | Status: stable

Addition of SID History to Active Directory Object

An attacker can use the SID history attribute to gain additional privileges.

Author: Thomas Patzke | Created: Sun Feb 19 | Rule ID: 2632954e-db1c-49cb-9936-67d1ef1d17d2 | Product: windows

Log Source
Product: windows
Service: security

Detection Logic (4 selectors)
detection:
    selection1:
        EventID:
            - 4765
            - 4766
    selection2:
        EventID: 4738
    selection3:
        SidHistory:
            - '-'
            - '%%1793'
    filter_null:
        SidHistory:
    condition: selection1 or (selection2 and not selection3 and not filter_null)
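As an added example (not the rule's own code and not from the Sigma project), the condition above evaluated in Python over constructed Windows Security event records; the field names follow the rule, the sample events and SIDs are made up, and `TargetUserName` is assumed only for readable output:

```python
# Added example: evaluates the Sigma condition the way a converted backend
# query would, over constructed event records (not real logs).

def selection1(ev):
    # 4765: SID History was added to an account; 4766: the attempt failed
    return ev.get("EventID") in (4765, 4766)

def selection2(ev):
    # 4738: user account changed; SidHistory is one of the reported attributes
    return ev.get("EventID") == 4738

def selection3(ev):
    # 4738 reports '-' or '%%1793' when no SID history value was written
    return ev.get("SidHistory") in ("-", "%%1793")

def filter_null(ev):
    # Sigma `SidHistory:` with no value matches events where the field is absent/null
    return ev.get("SidHistory") is None

def rule_matches(ev):
    # condition: selection1 or (selection2 and not selection3 and not filter_null)
    return selection1(ev) or (
        selection2(ev) and not selection3(ev) and not filter_null(ev)
    )

def matching_events(events):
    return [ev for ev in events if rule_matches(ev)]

# Constructed sample events (assumed field values, not captured logs)
SAMPLE_EVENTS = [
    {"EventID": 4765, "TargetUserName": "svc-backup",
     "SidHistory": "S-1-5-21-1111111111-2222222222-3333333333-1108"},
    {"EventID": 4738, "TargetUserName": "jdoe", "SidHistory": "-"},       # no SID history change
    {"EventID": 4738, "TargetUserName": "jdoe", "SidHistory": "%%1793"},  # attribute reported empty
    {"EventID": 4738, "TargetUserName": "jdoe"},                          # field absent -> filter_null
    {"EventID": 4738, "TargetUserName": "admin2",
     "SidHistory": "S-1-5-21-1111111111-2222222222-3333333333-512"},
    {"EventID": 4720, "TargetUserName": "newuser"},                       # unrelated event
]

if __name__ == "__main__":
    for ev in matching_events(SAMPLE_EVENTS):
        print(ev["EventID"], ev["TargetUserName"], ev.get("SidHistory"))
```

Only the 4765 event and the 4738 event carrying a real SidHistory value fire; the '-', '%%1793' and missing-field variants are excluded, which is what keeps routine account changes out of the alert.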
False Positives

Migration of an account into a new domain

Rule Metadata
Rule ID
2632954e-db1c-49cb-9936-67d1ef1d17d2
Status
stable
Level
medium
Type
Detection
Created
Sun Feb 19
Path
rules/windows/builtin/security/win_security_susp_add_sid_history.yml
Raw Tags
attack.defense-evasion
attack.persistence
attack.privilege-escalation
attack.t1134.005