T1134.005 Google Chronicle · YARA-L

Detect SID-History Injection in Google Chronicle

Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. An account can hold additional SIDs in the SID-History Active Directory attribute, allowing inter-operable account migration between domains. With Domain Administrator (or equivalent) rights, harvested or well-known SID values may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as Remote Services, SMB/Windows Admin Shares, or Windows Remote Management.

MITRE ATT&CK

Tactic
Defense Evasion, Privilege Escalation
Technique
T1134 Access Token Manipulation
Sub-technique
T1134.005 SID-History Injection
Canonical reference
https://attack.mitre.org/techniques/T1134/005/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule T1134_005_SID_History_Injection {
  meta:
    author = "df00tech"
    description = "Detects SID-History Injection via Windows Security Events 4765/4766, LDAP sIDHistory attribute writes captured by Event 4662, and execution of known SID injection tooling including Mimikatz sid::add, Empire, DCShadow, and PowerShell ADSI approaches"
    mitre_attack_tactic = "Privilege Escalation"
    mitre_attack_technique = "T1134.005"
    reference = "https://attack.mitre.org/techniques/T1134/005/"
    severity = "CRITICAL"
    confidence = "HIGH"
    created = "2026-04-20"

  events:
    // Anchor on Microsoft-sourced telemetry so the numeric event IDs below are not
    // confused with same-numbered events from other vendors.
    $e.metadata.vendor_name = "Microsoft"
    (
      // Branch 1: 4765, SID History was added to an account
      // (User Account Management subcategory, Success auditing).
      $e.metadata.product_event_type = "4765"
      or
      // Branch 2: 4766, an attempt to add SID History failed
      // (User Account Management subcategory, Failure auditing).
      $e.metadata.product_event_type = "4766"
      or (
        // Branch 3: 4662 Directory Service Access naming the sIDHistory property.
        // Matches only when the parser resolves the property GUID to its LDAP display name.
        $e.metadata.product_event_type = "4662"
        and re.regex(
          $e.target.resource.name,
          `(?i)sIDHistory`
        )
      )
      or (
        // Branch 4: tooling arguments on the command line. The match is case-insensitive,
        // so "sidhistory" covers Set-ADUser/ADSI -Replace writes and Add-SIDHistory,
        // and "dcshadow" covers Invoke-DCShadow.
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex(
          $e.target.process.command_line,
          `(?i)(MISC::AddSid|sid::add|sidhistory|dcshadow)`
        )
      )
      or (
        // Branch 5: the Mimikatz binary launched under its default file name.
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex(
          $e.target.process.file.full_path,
          `(?i)\\mimikatz\.exe$`
        )
      )
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting SID-History Injection across UDM-normalized events from Microsoft log sources. The rule fires on any single matching event across five branches: (1) product_event_type 4765, SID History successfully added to an account (UDM USER_CHANGE); (2) product_event_type 4766, a failed SID History add attempt; (3) product_event_type 4662 with a sIDHistory match on target.resource.name, capturing Directory Service Access events in which the sIDHistory attribute is touched; (4) PROCESS_LAUNCH events whose target.process.command_line carries known SID injection tool arguments, including Mimikatz sid::add and MISC::AddSid, DCShadow cmdlets, and PowerShell or ADSI writes that name the sIDHistory attribute; (5) PROCESS_LAUNCH events whose target.process.file.full_path ends in mimikatz.exe. The vendor_name anchor reduces cross-platform noise.

Two coverage caveats apply. Events 4765 and 4766 come from the User Account Management audit subcategory on the domain controller that performs the change, and 4766 is a failure event, so Success-only auditing leaves branch 2 dark. Event 4662 is written only when the accessed object's SACL covers the access, and the raw event identifies the property by its schema GUID (17eb4278-d167-11d0-b002-0000f80367c1 for sIDHistory); branch 3 matches the literal attribute name, so confirm that your parser resolves the GUID, or add the GUID as a second alternative. For elevated-privilege SID correlation (checking whether the injected SID resolves to Domain Admins or Enterprise Admins), chain this rule with a Chronicle reference list of privileged SIDs (RID suffixes 512 and 519 in each domain) using the YARA-L 2.0 in %list_name operator, or perform the lookup as a downstream alert enrichment step.
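The following is an added example and is not code from the original page or from Chronicle: it re-implements the five branches above in Python over constructed UDM-shaped events so the regexes can be exercised offline, and it performs the privileged-SID check the paragraph defers to a reference list by resolving the well-known RID suffix of the injected SID. Branch 3 is widened to accept the sIDHistory schema GUID as well as the attribute name. The additional.fields.sid_history path is an assumption about where a parser places the added SID (the raw 4765 field SidHistory); adjust it to your parser's mapping.

```python
import re

# Schema GUID of the sIDHistory attribute, as the raw 4662 Properties field names it.
SIDHISTORY_GUID = "17eb4278-d167-11d0-b002-0000f80367c1"

# The rule's three regexes; branch 3 accepts the GUID as well as the display name.
SIDHISTORY_ATTR_RE = re.compile(r"sIDHistory|" + re.escape(SIDHISTORY_GUID), re.IGNORECASE)
TOOLING_RE = re.compile(r"MISC::AddSid|sid::add|sidhistory|dcshadow", re.IGNORECASE)
MIMIKATZ_PATH_RE = re.compile(r"\\mimikatz\.exe$", re.IGNORECASE)

# Well-known RIDs that make an injected domain SID immediately dangerous.
PRIVILEGED_RIDS = {500: "Administrator", 512: "Domain Admins", 516: "Domain Controllers",
                   518: "Schema Admins", 519: "Enterprise Admins"}
DOMAIN_SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+-(\d+)")


def get(event, path):
    """Read a dotted UDM path from a nested dict; None when any segment is missing."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def privileged_group(sid):
    """Name of the privileged group a domain SID's RID denotes, or None."""
    m = DOMAIN_SID_RE.fullmatch(sid or "")
    return PRIVILEGED_RIDS.get(int(m.group(1))) if m else None


def match_branch(event):
    """Return which rule branch (1-5) the event satisfies, or None for no alert."""
    if get(event, "metadata.vendor_name") != "Microsoft":
        return None
    event_id = get(event, "metadata.product_event_type")
    if event_id == "4765":
        return 1
    if event_id == "4766":
        return 2
    if event_id == "4662" and SIDHISTORY_ATTR_RE.search(get(event, "target.resource.name") or ""):
        return 3
    if get(event, "metadata.event_type") == "PROCESS_LAUNCH":
        if TOOLING_RE.search(get(event, "target.process.command_line") or ""):
            return 4
        if MIMIKATZ_PATH_RE.search(get(event, "target.process.file.full_path") or ""):
            return 5
    return None


def injected_sid(event):
    """The SID being injected: the parsed 4765 field (assumed path) if present,
    otherwise the first domain SID found on a tool command line."""
    explicit = get(event, "additional.fields.sid_history")
    if explicit:
        return explicit
    m = DOMAIN_SID_RE.search(get(event, "target.process.command_line") or "")
    return m.group(0) if m else None


def detect(events):
    """Evaluate every event; each hit carries its branch and the privileged-SID enrichment."""
    findings = []
    for event in events:
        branch = match_branch(event)
        if branch is None:
            continue
        sid = injected_sid(event)
        findings.append({"branch": branch, "event_id": get(event, "metadata.product_event_type"),
                         "injected_sid": sid, "privileged_group": privileged_group(sid)})
    return findings


# Constructed UDM-shaped sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # branch 1: Enterprise Admins SID added to a service account
        "metadata": {"vendor_name": "Microsoft", "product_event_type": "4765", "event_type": "USER_CHANGE"},
        "target": {"user": {"userid": "svc-backup"}},
        "additional": {"fields": {"sid_history": "S-1-5-21-1004336348-1177238915-682003330-519"}},
    },
    {   # branch 3: 4662 whose parser left the property as its schema GUID
        "metadata": {"vendor_name": "Microsoft", "product_event_type": "4662", "event_type": "USER_RESOURCE_ACCESS"},
        "target": {"resource": {"name": "{17eb4278-d167-11d0-b002-0000f80367c1}"}},
    },
    {   # branch 4: renamed Mimikatz binary, still caught by its sid::add argument
        "metadata": {"vendor_name": "Microsoft", "event_type": "PROCESS_LAUNCH"},
        "target": {"process": {"command_line": 'm.exe "privilege::debug" "sid::add /sam:svc-backup /new:S-1-5-21-1004336348-1177238915-682003330-512"',
                               "file": {"full_path": "C:\\Temp\\m.exe"}}},
    },
    {   # no alert: Set-ADUser touching an unrelated attribute
        "metadata": {"vendor_name": "Microsoft", "event_type": "PROCESS_LAUNCH"},
        "target": {"process": {"command_line": "powershell.exe Set-ADUser svc-backup -Description migrated",
                               "file": {"full_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}}},
    },
    {   # no alert: the vendor anchor excludes a same-numbered non-Microsoft event
        "metadata": {"vendor_name": "Linux", "product_event_type": "4765"},
    },
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Running the sample yields three findings (branches 1, 3 and 4); the first and third resolve to Enterprise Admins and Domain Admins respectively, which is the signal that should drive severity, while the 4662 hit carries no SID and would need the write itself investigated.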

Data Sources

  • Windows Security Event Log ingested via Chronicle Windows Event Log forwarder
  • Microsoft Defender for Endpoint process events via Chronicle-MDE integration (Google Security Operations)
  • Active Directory audit events via Chronicle Google Cloud AD forwarder

Required Tables

  • UDM events with metadata.product_event_type in [4765, 4766, 4662] from Microsoft Security Auditing
  • UDM PROCESS_LAUNCH events from Microsoft endpoint telemetry sources

False Positives & Tuning

  • Legitimate ADMT or enterprise migration tool execution during approved M&A or domain consolidation projects — product_event_type 4765 fires for every account processed at scale; correlate principal.user.userid against a Chronicle reference list of authorized migration service accounts
  • Authorized red team exercises using Mimikatz or custom SID injection tooling — validate target.process.file.full_path and principal.ip against approved assessment asset lists and scheduled maintenance windows recorded in your ITSM integration
  • PowerShell identity management runbooks from privileged workstations using Add-SIDHistory during forest restructuring — the command_line match on 'sIDHistory' will trigger; apply allowlist logic on principal.hostname matching known PAW or jump server inventory

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Enumerate Accounts with SID-History (Reconnaissance)

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine referencing 'SIDHistory' and 'Get-ADUser'. PowerShell ScriptBlock Log Event ID 4104 captures the full cmdlet. Security Event ID 4662 (Directory Service Access) may fire on Domain Controllers for the LDAP read if Directory Service Access auditing is enabled at Success level and the queried user objects carry a SACL that covers read access to the property; enabling the subcategory without a matching SACL produces nothing.

  2. Test 2: Verify DC Audit Policy for SID-History Detection Coverage

    Expected signal: Sysmon Event ID 1: Process Create for auditpol.exe. No Security events are generated by this test; the output is console-only. If any relevant subcategory (User Account Management for 4765/4766, Directory Service Access for 4662, Process Creation for 4688) returns 'No Auditing', the corresponding event IDs will never fire and you have a detection gap to remediate. A subcategory set to Success only still leaves the failure event 4766 unlogged.

  3. Test 3: Mimikatz MISC::AddSid Command-Line Pattern Simulation

    Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing 'MISC::AddSid', 'privilege::debug', and a SID value ending in the Enterprise Admins RID (-519). Security Event ID 4688 (Process Creation) with the same CommandLine if command-line auditing is enabled via GPO. Event 4765 will not fire for this test: the command line is only simulated, and 4765 requires an actual SID History write on a Domain Controller.

  4. Test 4: PowerShell ADSI SID-History Injection Attempt via Set-ADUser

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'sIDHistory', 'Set-ADUser', and 'Import-Module ActiveDirectory'. PowerShell ScriptBlock Log Event ID 4104 captures the full script including the synthetic SID value. On the Domain Controller, Security Event ID 4662 (Directory Service Access) records the write attempt whether or not it succeeds, provided Directory Service Access auditing is on and the target object's SACL covers the sIDHistory property. Do not expect 4765 or 4766 from this test: the directory service refuses a plain LDAP modify of sIDHistory (Set-ADUser returns an 'unwilling to perform' error) even for a Domain Admin, because the supported write path is the DsAddSidHistory API used by migration tooling, and 4765/4766 are the audit events generated on that path (their Source Account fields identify the source-domain account being migrated). A successful write of the synthetic SID would therefore mean the DC's protection has been bypassed (for example by Mimikatz sid::patch) and should be treated as a live incident rather than a test artefact.
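As an added example, not part of the original tests or of Atomic Red Team, here is a Python helper for Test 2 that parses the console output of auditpol /get /category:* and reports which of the event IDs the tests above rely on cannot be logged under the current policy. It distinguishes Success from Failure auditing so that 4766 is not assumed covered when only Success is set. The sample output is constructed, and the English column values are an assumption; localized systems print translated setting names and the regex would need their equivalents.

```python
import re
import subprocess

# Event IDs the tests rely on, the auditpol subcategory that gates each, and the
# outcome (Success or Failure) that must be audited for the event to be written.
EVENT_REQUIREMENTS = {
    "4765": ("User Account Management", "Success"),
    "4766": ("User Account Management", "Failure"),
    "4662": ("Directory Service Access", "Success"),
    "4688": ("Process Creation", "Success"),
}

# Subcategory rows are indented under their category; the setting is the last column.
ROW_RE = re.compile(r"^\s{2,}(\S.*?)\s{2,}(No Auditing|Success and Failure|Success|Failure)\s*$")


def parse_auditpol(text):
    """Map subcategory name -> setting from `auditpol /get /category:*` console output."""
    policy = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            policy[m.group(1)] = m.group(2)
    return policy


def audits(setting, outcome):
    """True when a subcategory setting records the given outcome."""
    return setting == "Success and Failure" or setting == outcome


def detection_gaps(policy):
    """Event IDs that can never be logged under this policy, with the reason."""
    gaps = {}
    for event_id, (subcategory, outcome) in EVENT_REQUIREMENTS.items():
        setting = policy.get(subcategory, "No Auditing")
        if not audits(setting, outcome):
            gaps[event_id] = f"{subcategory} is '{setting}'; {outcome} auditing is required"
    return gaps


def live_policy():
    """Run auditpol on the local host (elevated prompt on a Domain Controller)."""
    out = subprocess.run(["auditpol", "/get", "/category:*"],
                         capture_output=True, text=True, check=True)
    return parse_auditpol(out.stdout)


# Constructed auditpol output: User Account Management audits Success only and
# Directory Service Access is off, a baseline that silently loses 4766 and 4662.
SAMPLE_AUDITPOL = """System audit policy
Category/Subcategory                      Setting
Account Management
  User Account Management                 Success
  Security Group Management               Success and Failure
DS Access
  Directory Service Access                No Auditing
  Directory Service Changes               No Auditing
Detailed Tracking
  Process Creation                        Success and Failure
"""

if __name__ == "__main__":
    for event_id, reason in sorted(detection_gaps(parse_auditpol(SAMPLE_AUDITPOL)).items()):
        print(f"gap: {event_id}: {reason}")
```

On the sample policy the helper reports gaps for 4766 and 4662 only. Note that a clean result for 4662 still says nothing about SACLs: the subcategory being on is necessary but not sufficient, as the Test 1 and Test 4 signals describe.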

