Techniques
Sample rules
Addition of SID History to Active Directory Object
- source: sigma
- techniques:
- t1134
- t1134.005
Description
An attacker who can write the sIDHistory attribute of an account can add the SID of a privileged user or group to it, so that the account is granted the access of the injected SID. The rule fires on the dedicated audit events for SID History changes (4765: SID History was added to an account; 4766: an attempt to add SID History failed) and on account-change events (4738) whose SidHistory field carries a value other than the "not changed" placeholders.
Detection logic
detection:
    selection1:
        # 4765: SID History was added to an account
        # 4766: an attempt to add SID History to an account failed
        EventID:
            - 4765
            - 4766
    selection2:
        # 4738: a user account was changed
        EventID: 4738
    selection3:
        # Placeholders meaning the SidHistory attribute was not changed;
        # '%%1793' is the resource-string form of the same '-' placeholder
        SidHistory:
            - '-'
            - '%%1793'
    filter_null:
        # Field absent or empty after parsing
        SidHistory: null
    condition: selection1 or (selection2 and not selection3 and not filter_null)
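To make the condition concrete, the following is an added Python evaluation of the rule's logic over a handful of constructed Security events. It is example code written for this page, not part of the Sigma rule or of any Sigma backend; the event dictionaries, account names and SIDs are made up, and the field names mirror those the rule references.

```python
"""Evaluate the SID History Sigma condition against constructed events."""

# Constructed sample events (not real logs). Each dict stands in for a parsed
# Windows Security event as a Sigma backend would see it.
SAMPLE_EVENTS = [
    # Direct SID History audit events: always match via selection1
    {"EventID": 4765, "TargetUserName": "svc-backup",
     "SidHistory": "S-1-5-21-111-222-333-512"},
    {"EventID": 4766, "TargetUserName": "svc-backup"},
    # Account-change events where SidHistory is the "not changed" placeholder
    {"EventID": 4738, "TargetUserName": "jdoe", "SidHistory": "-"},
    {"EventID": 4738, "TargetUserName": "jdoe", "SidHistory": "%%1793"},
    # Account-change events where the field is null or missing entirely
    {"EventID": 4738, "TargetUserName": "jdoe", "SidHistory": None},
    {"EventID": 4738, "TargetUserName": "jdoe"},
    # Account-change event that actually carries a SID in SidHistory
    {"EventID": 4738, "TargetUserName": "admin2",
     "SidHistory": "S-1-5-21-444-555-666-500"},
    # Unrelated event, should never match
    {"EventID": 4724, "TargetUserName": "jdoe"},
]


def selection1(ev):
    """EventID in [4765, 4766]."""
    return ev.get("EventID") in (4765, 4766)


def selection2(ev):
    """EventID: 4738."""
    return ev.get("EventID") == 4738


def selection3(ev):
    """SidHistory in ['-', '%%1793'] (the 'not changed' placeholders)."""
    return ev.get("SidHistory") in ("-", "%%1793")


def filter_null(ev):
    """SidHistory: null  -> field absent or empty after parsing."""
    return ev.get("SidHistory") is None


def matches(ev):
    """condition: selection1 or (selection2 and not selection3 and not filter_null)."""
    return selection1(ev) or (
        selection2(ev) and not selection3(ev) and not filter_null(ev)
    )


def run(events):
    """Return the events the rule would alert on, in input order."""
    return [ev for ev in events if matches(ev)]


if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print(hit["EventID"], hit["TargetUserName"], hit.get("SidHistory"))
```

Running it shows that only the two dedicated SID History events and the one 4738 event with a real SID in SidHistory are reported; the 4738 events carrying '-', '%%1793', or no SidHistory field at all are dropped by selection3 and filter_null. If your log pipeline renames SidHistory or fails to parse it, the field will look null and every 4738 change will be filtered, so the null filter is worth verifying against your own events.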