← Back to Explore
sigmamediumTTP
Addition of SID History to Active Directory Object
An attacker can use the SID history attribute to gain additional privileges.
Detection Query
selection1:
EventID:
- 4765
- 4766
selection2:
EventID: 4738
selection3:
SidHistory:
- "-"
- "%%1793"
filter_null:
SidHistory: null
condition: selection1 or (selection2 and not selection3 and not filter_null)
Author
Thomas Patzke, @atc_project (improvements)
Created
2017-02-19
Data Sources
windowssecurity
Platforms
windows
References
Tags
attack.defense-evasionattack.persistenceattack.privilege-escalationattack.t1134.005
Raw Content
title: Addition of SID History to Active Directory Object
id: 2632954e-db1c-49cb-9936-67d1ef1d17d2
status: stable
description: An attacker can use the SID history attribute to gain additional privileges.
references:
- https://adsecurity.org/?p=1772
author: Thomas Patzke, @atc_project (improvements)
date: 2017-02-19
tags:
- attack.defense-evasion
- attack.persistence
- attack.privilege-escalation
- attack.t1134.005
logsource:
product: windows
service: security
detection:
selection1:
EventID:
- 4765
- 4766
selection2:
EventID: 4738
selection3:
SidHistory:
- '-'
- '%%1793'
filter_null:
SidHistory:
condition: selection1 or (selection2 and not selection3 and not filter_null)
falsepositives:
- Migration of an account into a new domain
level: medium