EXPLORE
Sign In
← Back to Explore
T1134.005

SID-History Injection

Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values...

Windows
5
Detections
2
Sources
0
Threat Actors

BY SOURCE

4splunk_escu1sigma

PROCEDURES (2)

Authentication Monitoring3 detections

Auto-extracted: 3 detections for authentication monitoring

General Monitoring2 detections

Auto-extracted: 2 detections for general monitoring

DETECTIONS (5)

Addition of SID History to Active Directory Object
sigmamedium
Windows AD Cross Domain SID History Addition
splunk_escu
Windows AD Privileged Account SID History Addition
splunk_escu
Windows AD Same Domain SID History Addition
splunk_escu
Windows AD SID History Attribute Modified
splunk_escu