LoFP / domain mergers and migrations may generate large volumes of false positives for this analytic.

Techniques

Sample rules

Windows AD SID History Attribute Modified

Description

The following analytic leverages event code 5136 to identify a modification of the SID History AD attribute. The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries to stealthily grant access to a backdoor account within the same domain.

Detection logic

`wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=sIDHistory OperationType="%%14674" 
| stats values(ObjectDN) as ObjectDN by _time, Computer, SubjectUserName, AttributeValue 
| rename Computer as dest 
| `windows_ad_sid_history_attribute_modified_filter`

Windows AD Cross Domain SID History Addition

Description

The following analytic looks for changes to the sIDHistory AD attribute of user or computer objects within different domains. The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries for inter-domain privilege escalation and persistence.

Detection logic

`wineventlog_security` (EventCode=4742 OR EventCode=4738) NOT SidHistory IN ("%%1793", -) 
| rex field=SidHistory "(^%{|^)(?P<SidHistoryMatch>.*)(\-|\\\)" 
| rex field=TargetSid "^(?P<TargetSidmatch>.*)(\-|\\\)" 
| where SidHistoryMatch!=TargetSidmatch AND SidHistoryMatch!=TargetDomainName 
| rename TargetSid as userSid 
| table _time action status host user userSid SidHistory Logon_ID src_user 
| `windows_ad_cross_domain_sid_history_addition_filter`
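The two searches above are easier to reason about (and to tune against the migration false positives noted at the top of the page) when their filtering logic is spelled out step by step. The following Python is an added example, not code from the page or from the rule authors: it re-implements both analytics over a constructed list of Windows Security events using the same field names and the same two regular expressions as the SPL. The event records, the SIDs, the `trusted_sid_prefixes` allowlist parameter, and the helper names are all assumptions made for this example; the lookup strings `%%1793` ("-", attribute not set) and `%%14674` (5136 operation type "Value Added") are the ones the rules themselves key on.

```python
"""Re-implementation of the two SID history analytics above over constructed
Windows Security event records (added example, not the original page's SPL)."""
import re
from collections import defaultdict

# Same patterns as the SPL rex stages: capture everything up to the LAST '-' or
# '\', i.e. the domain part of a SID (or the DOMAIN part of DOMAIN\name). The
# optional leading '%{' strips the wrapper Windows puts around a formatted SID.
SID_HISTORY_RE = re.compile(r"(^%\{|^)(?P<SidHistoryMatch>.*)(-|\\)")
TARGET_SID_RE = re.compile(r"^(?P<TargetSidmatch>.*)(-|\\)")

SIDHISTORY_EMPTY = {"%%1793", "-"}   # %%1793 renders as "-": sIDHistory not set
OP_VALUE_ADDED = "%%14674"           # 5136 OperationType "Value Added"

# Constructed sample events (field names follow the wineventlog_security data model).
SAMPLE_EVENTS = [
    # 4738: user changed, sIDHistory now holds a SID from another domain -> alert
    {"_time": "2024-05-01T10:00:00", "EventCode": "4738", "host": "DC01",
     "action": "modified", "status": "success", "user": "svc-backup",
     "TargetSid": "S-1-5-21-111-222-333-1105", "TargetDomainName": "CORP",
     "SidHistory": "%{S-1-5-21-444-555-666-500}", "Logon_ID": "0x3e7", "src_user": "admin1"},
    # 4742: computer changed, sIDHistory not set -> dropped by the NOT ... IN clause
    {"_time": "2024-05-01T10:01:00", "EventCode": "4742", "host": "DC01",
     "TargetSid": "S-1-5-21-111-222-333-2001", "TargetDomainName": "CORP", "SidHistory": "-"},
    # 4738: sIDHistory shown as the %%1793 lookup ("-") -> dropped
    {"_time": "2024-05-01T10:02:00", "EventCode": "4738", "host": "DC01",
     "TargetSid": "S-1-5-21-111-222-333-1108", "TargetDomainName": "CORP", "SidHistory": "%%1793"},
    # 4738: sIDHistory from the SAME domain -> not cross-domain (the 5136 rule covers it)
    {"_time": "2024-05-01T10:03:00", "EventCode": "4738", "host": "DC01",
     "TargetSid": "S-1-5-21-111-222-333-1105", "TargetDomainName": "CORP",
     "SidHistory": "%{S-1-5-21-111-222-333-1106}"},
    # 4738: sIDHistory from a domain being migrated -> suppressed only when allowlisted
    {"_time": "2024-05-01T10:04:00", "EventCode": "4738", "host": "DC01",
     "action": "modified", "status": "success", "user": "jdoe",
     "TargetSid": "S-1-5-21-111-222-333-1109", "TargetDomainName": "CORP",
     "SidHistory": "%{S-1-5-21-777-888-999-1021}", "Logon_ID": "0x3e7", "src_user": "migration-svc"},
    # 5136: sIDHistory value added on a user object -> alert
    {"_time": "2024-05-01T10:00:00", "EventCode": "5136", "Computer": "DC01",
     "SubjectUserName": "admin1", "AttributeLDAPDisplayName": "sIDHistory",
     "OperationType": "%%14674", "AttributeValue": "S-1-5-21-444-555-666-500",
     "ObjectDN": "CN=svc-backup,OU=Users,DC=corp,DC=local"},
    # 5136: same attribute but "Value Deleted" (%%14675) -> ignored by the rule
    {"_time": "2024-05-01T10:05:00", "EventCode": "5136", "Computer": "DC01",
     "SubjectUserName": "admin1", "AttributeLDAPDisplayName": "sIDHistory",
     "OperationType": "%%14675", "AttributeValue": "S-1-5-21-444-555-666-500",
     "ObjectDN": "CN=svc-backup,OU=Users,DC=corp,DC=local"},
    # 5136 on an unrelated attribute -> ignored
    {"_time": "2024-05-01T10:06:00", "EventCode": "5136", "Computer": "DC01",
     "SubjectUserName": "admin1", "AttributeLDAPDisplayName": "description",
     "OperationType": "%%14674", "AttributeValue": "helpdesk",
     "ObjectDN": "CN=jdoe,OU=Users,DC=corp,DC=local"},
]


def cross_domain_sid_history(events, trusted_sid_prefixes=frozenset()):
    """Mirror of 'Windows AD Cross Domain SID History Addition'.

    trusted_sid_prefixes is an added tuning knob (assumption, not part of the
    rule): domain SID prefixes expected during a sanctioned migration are
    dropped, which is the allowlist the LoFP note on mergers and migrations
    implies. Returns the same columns the SPL 'table' stage emits.
    """
    rows = []
    for ev in events:
        if ev.get("EventCode") not in ("4742", "4738"):
            continue
        sid_history = ev.get("SidHistory", "-")
        if sid_history in SIDHISTORY_EMPTY:
            continue
        hist = SID_HISTORY_RE.search(sid_history)
        target = TARGET_SID_RE.search(ev.get("TargetSid", ""))
        if not (hist and target):
            continue  # rex produced no field; SPL where() on a null is false
        hist_domain = hist.group("SidHistoryMatch")
        if hist_domain == target.group("TargetSidmatch"):
            continue  # same domain SID prefix: not cross-domain
        if hist_domain == ev.get("TargetDomainName"):
            continue  # DOMAIN\name form naming the target's own domain
        if hist_domain in trusted_sid_prefixes:
            continue  # sanctioned migration source (tuning assumption)
        rows.append({"_time": ev["_time"], "action": ev.get("action"),
                     "status": ev.get("status"), "host": ev.get("host"),
                     "user": ev.get("user"), "userSid": ev["TargetSid"],
                     "SidHistory": sid_history, "Logon_ID": ev.get("Logon_ID"),
                     "src_user": ev.get("src_user")})
    return rows


def sid_history_modified(events):
    """Mirror of 'Windows AD SID History Attribute Modified' (5136, value added),
    grouping ObjectDN values by the same keys as the SPL stats stage."""
    groups = defaultdict(set)
    for ev in events:
        if (ev.get("EventCode") == "5136"
                and ev.get("AttributeLDAPDisplayName") == "sIDHistory"
                and ev.get("OperationType") == OP_VALUE_ADDED):
            key = (ev["_time"], ev["Computer"], ev["SubjectUserName"], ev["AttributeValue"])
            groups[key].add(ev["ObjectDN"])
    return [{"_time": t, "dest": computer, "SubjectUserName": subj,
             "AttributeValue": value, "ObjectDN": sorted(dns)}
            for (t, computer, subj, value), dns in sorted(groups.items())]


if __name__ == "__main__":
    for row in cross_domain_sid_history(SAMPLE_EVENTS, {"S-1-5-21-777-888-999"}):
        print("cross-domain:", row)
    for row in sid_history_modified(SAMPLE_EVENTS):
        print("5136 add:", row)
```

Run as written, the cross-domain check fires twice on the sample set; passing the migration source's domain SID prefix as `trusted_sid_prefixes` reduces that to the single genuinely unexpected addition, which is the kind of scoped, time-bounded suppression worth preferring over disabling the analytic during a domain merger. The same-domain 4738 event never reaches the cross-domain output, which is why the 5136-based rule is kept alongside it.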