migration of privileged accounts.

t1134
t1134.005
endpoint
splunk

Techniques

T1134
T1134.005

Sample rules

Windows AD Privileged Account SID History Addition

source: splunk
technicques:
- T1134.005
- T1134

Description

This detection identifies when the SID of a privileged user is added to the SID History attribute of another user. Useful for tracking SID history abuse across multiple domains. This detection leverages the Asset and Identities framework. See the implementation section for further details on configuration.

Detection logic

`wineventlog_security` (EventCode=4742 OR EventCode=4738) NOT SidHistory IN ("%%1793", -) 
| rex field=SidHistory "(^%{
|^)(?P<SidHistory>.*?)(}$
|$)" 
| eval category="privileged" 
| lookup identity_lookup_expanded category, identity as SidHistory OUTPUT identity_tag as match 
| where isnotnull(match) 
| rename TargetSid as userSid 
| table _time action status host user userSid SidHistory Logon_ID src_user 
| `windows_ad_privileged_account_sid_history_addition_filter`