T1134.005

SID-History Injection

Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. An account can hold additional SIDs in the SID-History Active Directory attribute, allowing inter-operable account migration between domains. With Domain Administrator (or equivalent) rights, harvested or well-known SID values may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as Remote Services, SMB/Windows Admin Shares, or Windows Remote Management.

Microsoft Sentinel / Defender

kusto

// Branch 1: Direct SID-History modification events on Domain Controllers
// Event 4765: SID History was added to an account (SUCCESS)
// Event 4766: An attempt to add SID History to an account failed
let SIDHistoryModEvents = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID in (4765, 4766)
| extend EventType = iff(EventID == 4765, "SID History Added", "SID History Add Failed")
| extend SubjectUser = extract(@"SubjectUserName">([^<]+)<", 1, EventData)
| extend SubjectDomain = extract(@"SubjectDomainName">([^<]+)<", 1, EventData)
| extend TargetUser = extract(@"TargetUserName">([^<]+)<", 1, EventData)
| extend TargetDomain = extract(@"TargetDomainName">([^<]+)<", 1, EventData)
| extend SIDAdded = extract(@"SidHistory">([^<]+)<", 1, EventData)
| extend IsPrivilegedSID = SIDAdded has_any ("-512", "-519", "-518", "-516", "-520", "S-1-5-32-544", "S-1-5-32-548")
| project TimeGenerated, Computer, EventID, EventType, SubjectUser, SubjectDomain,
          TargetUser, TargetDomain, SIDAdded, IsPrivilegedSID, EventData
| extend AlertBranch = "SID-History Modification Event", Severity = iff(IsPrivilegedSID, "Critical", "High");
// Branch 2: AD Object modification targeting sIDHistory attribute via LDAP write (Event 4662)
let ADObjectSIDHistory = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4662
| where EventData has "sIDHistory"
| extend SubjectUser = extract(@"SubjectUserName">([^<]+)<", 1, EventData)
| extend ObjectDN = extract(@"ObjectName">([^<]+)<", 1, EventData)
| project TimeGenerated, Computer, EventID, SubjectUser, ObjectDN, EventData
| extend AlertBranch = "sIDHistory Attribute Write (LDAP)", Severity = "High",
         EventType = "Directory Service Attribute Write";
// Branch 3: Known SID injection tooling — Mimikatz, Empire, and PowerShell ADSI approaches
let SIDInjectionTooling = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (
    "MISC::AddSid", "sid::add", "sIDHistory", "sidHistory",
    "Add-SIDHistory", "DCShadow", "Invoke-DCshadow",
    "Set-ADUser.*sIDHistory"
  )
  or FileName =~ "mimikatz.exe"
| extend AlertBranch = "SID Injection Tool Execution"
| extend Severity = "Critical"
| extend EventType = "Process Creation"
| project TimeGenerated = Timestamp, Computer = DeviceName, EventID = 4688, EventType,
          SubjectUser = AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          AlertBranch, Severity;
// Union all branches
SIDHistoryModEvents
| union ADObjectSIDHistory
| union SIDInjectionTooling
| sort by TimeGenerated desc

critical severity high confidence

Data Sources

Active Directory: Active Directory Object Modification User Account: User Account Metadata Process: Process Creation Microsoft Defender for Endpoint

Required Tables

SecurityEvent DeviceProcessEvents

False Positives

Legitimate Active Directory domain consolidations or migrations using Microsoft ADMT (Active Directory Migration Tool), which intentionally populates sIDHistory to preserve resource access for migrated accounts
Third-party AD migration tools (Quest Migration Manager, Binary Tree CMN, Dell Migration Manager) that use SID-History as part of their standard inter-domain migration workflow
Event 4766 (failed SID add) may appear when domain or forest functional level requirements for SID History are not met, such as when SID filtering is enforced on the domain trust
Authorized red team or penetration testing engagements with explicit Domain Admin access — coordinate with your security team to suppress during approved test windows

Splunk

spl

index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4765 OR EventCode=4766 OR EventCode=4662)
| eval AlertType=case(
    EventCode=4765, "SID History Added to Account",
    EventCode=4766, "Failed SID History Add Attempt",
    EventCode=4662 AND match(EventData, "sIDHistory"), "sIDHistory Attribute Write (LDAP)",
    1=1, null()
  )
| where isnotnull(AlertType)
| rex field=EventData "SubjectUserName">(?<SubjectUser>[^<]+)<"
| rex field=EventData "SubjectDomainName">(?<SubjectDomain>[^<]+)<"
| rex field=EventData "TargetUserName">(?<TargetUser>[^<]+)<"
| rex field=EventData "TargetDomainName">(?<TargetDomain>[^<]+)<"
| rex field=EventData "SidHistory">(?<SIDAdded>[^<]+)<"
| rex field=EventData "ObjectName">(?<ObjectDN>[^<]+)<"
| eval IsPrivilegedSID=if(
    match(coalesce(SIDAdded,""), "(-512|-519|-518|-516|-520|S-1-5-32-544|S-1-5-32-548)"),
    "YES", "NO"
  )
| eval Severity=case(
    EventCode=4765 AND IsPrivilegedSID="YES", "CRITICAL",
    EventCode=4765, "HIGH",
    EventCode=4766, "HIGH",
    EventCode=4662, "HIGH",
    1=1, "MEDIUM"
  )
| eval IsMigrationTool=if(
    match(coalesce(SubjectUser,""), "(?i)(admt|migration|svc_mig|quest|binarytree)"),
    "Yes", "No"
  )
| table _time, host, EventCode, AlertType, Severity, SubjectUser, SubjectDomain,
        TargetUser, TargetDomain, SIDAdded, IsPrivilegedSID, ObjectDN, IsMigrationTool
| sort - _time

critical severity high confidence

Data Sources

Active Directory: Active Directory Object Modification User Account: User Account Metadata Windows Security Event Log

Required Sourcetypes

WinEventLog:Security

False Positives

Legitimate Active Directory domain consolidations or migrations using Microsoft ADMT (Active Directory Migration Tool), which intentionally populates sIDHistory to preserve resource access for migrated accounts
Third-party AD migration tools (Quest Migration Manager, Binary Tree CMN, Dell Migration Manager) that use SID-History as part of their standard inter-domain migration workflow
Event 4766 (failed SID add) may appear when domain or forest functional level requirements for SID History are not met, such as when SID filtering is enforced on the domain trust
Authorized red team or penetration testing engagements with explicit Domain Admin access — coordinate with your security team to suppress during approved test windows

Elastic Security (EQL)

eql

any where (
  /* Branch 1: Direct SID-History modification events on Domain Controllers */
  (
    event.provider == "Microsoft-Windows-Security-Auditing"
    and event.code in ("4765", "4766")
  )
  or
  /* Branch 2: AD Object modification with sIDHistory attribute write via LDAP (Event 4662) */
  (
    event.provider == "Microsoft-Windows-Security-Auditing"
    and event.code == "4662"
    and winlog.event_data.Properties like~ "*sIDHistory*"
  )
  or
  /* Branch 3: Known SID injection tooling — Mimikatz, Empire, PowerShell ADSI */
  (
    event.category : "process"
    and event.type : "start"
    and (
      process.command_line like~ (
        "*MISC::AddSid*",
        "*sid::add*",
        "*sIDHistory*",
        "*sidHistory*",
        "*Add-SIDHistory*",
        "*DCShadow*",
        "*Invoke-DCshadow*",
        "*Set-ADUser*sIDHistory*"
      )
      or process.name like~ "mimikatz.exe"
    )
  )
)

critical severity high confidence

Data Sources

Windows Security Event Log via Elastic Agent (logs-windows.security-*) or Winlogbeat (winlogbeat-*) Endpoint process telemetry via Elastic Defend or Sysmon + Winlogbeat (logs-endpoint.events.process-*)

Required Tables

logs-windows.security-* winlogbeat-* logs-endpoint.events.process-*

False Positives

Active Directory Migration Tool (ADMT) running during authorized inter-domain or inter-forest migrations — generates Event 4765 for every account processed; correlate SubjectUserName against known migration service accounts and active change tickets
Quest Migration Manager, Binary Tree ADConnect, or similar enterprise directory consolidation tools that write sIDHistory for cross-domain resource access continuity — these generate Event 4662 with sIDHistory in Properties at scale during project windows
Authorized red team or penetration testing exercises simulating T1134.005 via Mimikatz or PowerShell ADSI — validate process.name, host.name, and timing against approved assessment scope and maintenance windows in your ITSM

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  LOGSOURCETYPENAME(devicetype) AS LogSourceType,
  "EventID" AS WindowsEventID,
  username AS SubjectUser,
  QIDNAME(qid) AS QRadarEventName,
  CASE
    WHEN "EventID" = '4765' THEN 'SID History Added to Account'
    WHEN "EventID" = '4766' THEN 'Failed SID History Add Attempt'
    WHEN "EventID" = '4662' THEN 'sIDHistory LDAP Attribute Write'
    ELSE 'SID Injection Tool Detected in Payload'
  END AS AlertType,
  CASE
    WHEN "EventID" = '4765'
      AND (
        payload ILIKE '%-512%'
        OR payload ILIKE '%-519%'
        OR payload ILIKE '%-518%'
        OR payload ILIKE '%-516%'
        OR payload ILIKE '%-520%'
        OR payload ILIKE '%S-1-5-32-544%'
        OR payload ILIKE '%S-1-5-32-548%'
      ) THEN 'CRITICAL'
    WHEN "EventID" IN ('4765', '4766', '4662') THEN 'HIGH'
    ELSE 'CRITICAL'
  END AS Severity,
  sourceip AS SourceIP,
  payload
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) ILIKE '%Windows Security%'
  AND (
    "EventID" IN ('4765', '4766')
    OR (
      "EventID" = '4662'
      AND payload ILIKE '%sIDHistory%'
    )
    OR (
      payload ILIKE '%MISC::AddSid%'
      OR payload ILIKE '%sid::add%'
      OR payload ILIKE '%Add-SIDHistory%'
      OR payload ILIKE '%DCShadow%'
      OR payload ILIKE '%Invoke-DCshadow%'
      OR payload ILIKE '%mimikatz%'
    )
  )
ORDER BY starttime DESC
LAST 24 HOURS

critical severity high confidence

Data Sources

Microsoft Windows Security Event Log (QRadar DSM: Microsoft Windows Security Event Log, LOGSOURCETYPEID 12) Endpoint syslog or Universal DSM for EDR tooling payload forwarding

Required Tables

events

False Positives

ADMT-based domain migrations triggered by IT Infrastructure teams during M&A integrations — service account names like 'admt_svc' or 'mig_admin' appearing in SubjectUser with high-volume 4765 events are expected; build a suppression reference set of authorized migration accounts
Quest Migration Manager and Binary Tree ADConnect sync jobs writing sIDHistory for cross-forest access continuity — these appear as Event 4662 bursts from DC hostnames and known tool service accounts
Authorized penetration testing payloads containing 'mimikatz' or 'DCShadow' strings — validate SourceIP and username against approved assessment scope defined in your QRadar offense suppression rules or reference sets

Sumo Logic CSE

sql

_sourceCategory=*Windows*Security* (4765 OR 4766 OR 4662)
| parse regex "(?i)EventID\\s*>\\s*(?<EventCode>\\d+)" nodrop
| parse regex "(?i)SubjectUserName\\s*>\\s*(?<SubjectUser>[^<]+)<" nodrop
| parse regex "(?i)SubjectDomainName\\s*>\\s*(?<SubjectDomain>[^<]+)<" nodrop
| parse regex "(?i)TargetUserName\\s*>\\s*(?<TargetUser>[^<]+)<" nodrop
| parse regex "(?i)TargetDomainName\\s*>\\s*(?<TargetDomain>[^<]+)<" nodrop
| parse regex "(?i)SidHistory\\s*>\\s*(?<SIDAdded>[^<]+)<" nodrop
| parse regex "(?i)ObjectName\\s*>\\s*(?<ObjectDN>[^<]+)<" nodrop
| where EventCode = "4765"
  OR EventCode = "4766"
  OR (EventCode = "4662" AND matches(_raw, "(?i)sIDHistory"))
| eval AlertType = if(EventCode = "4765", "SID History Added",
                   if(EventCode = "4766", "Failed SID History Add",
                   "sIDHistory LDAP Attribute Write"))
| eval IsPrivilegedSID = if(matches(SIDAdded, ".*(-(512|519|518|516|520)|S-1-5-32-(544|548)).*"), "YES", "NO")
| eval Severity = if(IsPrivilegedSID = "YES", "CRITICAL",
                  if(EventCode in ("4765", "4766", "4662"), "HIGH", "MEDIUM"))
| table _messageTime, _sourceHost, EventCode, AlertType, Severity, SubjectUser,
        SubjectDomain, TargetUser, TargetDomain, SIDAdded, IsPrivilegedSID, ObjectDN
| sort by _messageTime desc

critical severity high confidence

Data Sources

Windows Security Event Log (Sumo Logic Installed Collector, Windows Event Log Source targeting Security channel) Active Directory Domain Controller security events forwarded via Sumo Logic collector

Required Tables

_sourceCategory=*Windows*Security*

False Positives

ADMT running during approved domain migration projects — generates high-volume Event 4765 entries where SubjectUser matches the migration service account; suppress using a lookup table of authorized migration accounts and active project windows
Third-party AD sync tools (Quest Migration Manager, Binary Tree ADConnect, Imanami Group ID) that populate sIDHistory for cross-forest resource access — appear as Event 4662 bursts originating from known tool servers; filter by _sourceHost matching migration infrastructure hostnames
PowerShell-based identity governance runbooks using Set-ADUser with the SIDHistory parameter during forest restructuring — validate by correlating SubjectUser against your privileged account inventory and active RFC/change ticket numbers

Google Chronicle / SecOps

yaral

rule T1134_005_SID_History_Injection {
  meta:
    author = "df00tech"
    description = "Detects SID-History Injection via Windows Security Events 4765/4766, LDAP sIDHistory attribute writes captured by Event 4662, and execution of known SID injection tooling including Mimikatz sid::add, Empire, DCShadow, and PowerShell ADSI approaches"
    mitre_attack_tactic = "Privilege Escalation"
    mitre_attack_technique = "T1134.005"
    reference = "https://attack.mitre.org/techniques/T1134/005/"
    severity = "CRITICAL"
    confidence = "HIGH"
    created = "2026-04-20"

  events:
    $e.metadata.vendor_name = "Microsoft"
    (
      $e.metadata.product_event_type = "4765"
      or
      $e.metadata.product_event_type = "4766"
      or (
        $e.metadata.product_event_type = "4662"
        and re.regex(
          $e.target.resource.name,
          `(?i)sIDHistory`
        )
      )
      or (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex(
          $e.target.process.command_line,
          `(?i)(MISC::AddSid|sid::add|sIDHistory|sidHistory|Add-SIDHistory|DCShadow|Invoke-DCshadow|Set-ADUser.{0,60}sIDHistory)`
        )
      )
      or (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex(
          $e.target.process.file.full_path,
          `(?i)\\mimikatz\.exe$`
        )
      )
    )

  condition:
    $e
}

critical severity high confidence

Data Sources

Windows Security Event Log ingested via Chronicle Windows Event Log forwarder Microsoft Defender for Endpoint process events via Chronicle-MDE integration (Google Security Operations) Active Directory audit events via Chronicle Google Cloud AD forwarder

Required Tables

UDM events with metadata.product_event_type in [4765, 4766, 4662] from Microsoft Security Auditing UDM PROCESS_LAUNCH events from Microsoft endpoint telemetry sources

False Positives

Legitimate ADMT or enterprise migration tool execution during approved M&A or domain consolidation projects — product_event_type 4765 fires for every account processed at scale; correlate principal.user.userid against a Chronicle reference list of authorized migration service accounts
Authorized red team exercises using Mimikatz or custom SID injection tooling — validate target.process.file.full_path and principal.ip against approved assessment asset lists and scheduled maintenance windows recorded in your ITSM integration
PowerShell identity management runbooks from privileged workstations using Add-SIDHistory during forest restructuring — the command_line match on 'sIDHistory' will trigger; apply allowlist logic on principal.hostname matching known PAW or jump server inventory

CrowdStrike LogScale (CQL)

cql

// Detect SID-History Injection across Falcon process telemetry and Windows Security Event Log
union(
  // Branch 1: SID injection tooling via Falcon ProcessRollup2 endpoint telemetry
  {
    #event_simpleName = ProcessRollup2
    | CommandLine = /(?i)(MISC::AddSid|sid::add|sIDHistory|sidHistory|Add-SIDHistory|DCShadow|Invoke-DCshadow|Set-ADUser.{0,60}sIDHistory)/
      OR ImageFileName = /(?i)\\mimikatz\.exe$/
    | eval(
        AlertBranch = "SID Injection Tool Execution",
        Severity = "CRITICAL"
      )
    | table(
        [_time, ComputerName, UserName, UserSid,
         ImageFileName, CommandLine,
         ParentBaseFileName, SHA256HashData,
         AlertBranch, Severity]
      )
  },
  // Branch 2: Windows Security Events 4765 and 4766 — SID-History modification
  {
    #event_simpleName = EventLog
    | EventID in [4765, 4766]
    | eval(
        AlertBranch = if(
          EventID = 4765,
          "SID History Added to Account",
          "Failed SID History Add Attempt"
        ),
        Severity = "HIGH"
      )
    | table(
        [_time, ComputerName, EventID,
         SubjectUserName, SubjectDomainName,
         TargetUserName, TargetDomainName,
         SidHistory, AlertBranch, Severity]
      )
  },
  // Branch 3: Event 4662 — LDAP sIDHistory attribute write
  {
    #event_simpleName = EventLog
    | EventID = 4662
    | EventData = /(?i)sIDHistory/
    | eval(
        AlertBranch = "sIDHistory LDAP Attribute Write",
        Severity = "HIGH"
      )
    | table(
        [_time, ComputerName, EventID,
         SubjectUserName, ObjectName,
         EventData, AlertBranch, Severity]
      )
  }
)
| sort(field = _time, order = desc)

critical severity high confidence

Data Sources

CrowdStrike Falcon Sensor process telemetry (ProcessRollup2 events — no additional configuration required) Windows Security Event Log forwarded to Falcon LogScale via Falcon Log Collector or CrowdStrike Falcon Data Replicator with Windows Event Log collection enabled on Domain Controllers

Required Tables

ProcessRollup2 (Falcon sensor telemetry — requires Falcon Prevent or Insight subscription) EventLog (Windows Security Event Log via Falcon Log Collector — requires log collection configuration on Domain Controllers)

False Positives

Authorized ADMT or enterprise directory migration processes — the CommandLine or EventData will contain 'sIDHistory' legitimately; build a suppression watchlist in Falcon containing authorized migration service account UserSid values and migration server ComputerName entries
PowerShell-based identity governance automation that calls Set-ADUser with SIDHistory parameter during approved forest restructuring — filter by ParentBaseFileName matching expected management console processes (powershell_ise.exe, devenv.exe) from known PAW hostnames
Red team exercises using Mimikatz or custom implants that trigger ProcessRollup2 matches — validate ComputerName and UserName against the authorized assessment scope defined in your Falcon Fusion workflow or response policy exclusions

Last updated: 2026-04-20 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1134.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1134Access Token Manipulation

Related Sub-techniques

T1134.001Token Impersonation/Theft T1134.002Create Process with Token T1134.003Make and Impersonate Token T1134.004Parent PID Spoofing

SID-History Injection

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections