T1134.005 Elastic Security · Elastic

Detect SID-History Injection in Elastic Security

Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. An account can hold additional SIDs in the SID-History Active Directory attribute, allowing inter-operable account migration between domains. With Domain Administrator (or equivalent) rights, harvested or well-known SID values may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as Remote Services, SMB/Windows Admin Shares, or Windows Remote Management.

MITRE ATT&CK

Tactic
Defense Evasion Privilege Escalation
Technique
T1134 Access Token Manipulation
Sub-technique
T1134.005 SID-History Injection
Canonical reference
https://attack.mitre.org/techniques/T1134/005/

Elastic Detection Query

Elastic Security (Elastic)
eql 
any where (
  /* Branch 1: Direct SID-History modification events on Domain Controllers */
  (
    event.provider == "Microsoft-Windows-Security-Auditing"
    and event.code in ("4765", "4766")
  )
  or
  /* Branch 2: AD Object modification with sIDHistory attribute write via LDAP (Event 4662) */
  (
    event.provider == "Microsoft-Windows-Security-Auditing"
    and event.code == "4662"
    and winlog.event_data.Properties like~ "*sIDHistory*"
  )
  or
  /* Branch 3: Known SID injection tooling — Mimikatz, Empire, PowerShell ADSI */
  (
    event.category : "process"
    and event.type : "start"
    and (
      process.command_line like~ (
        "*MISC::AddSid*",
        "*sid::add*",
        "*sIDHistory*",
        "*sidHistory*",
        "*Add-SIDHistory*",
        "*DCShadow*",
        "*Invoke-DCshadow*",
        "*Set-ADUser*sIDHistory*"
      )
      or process.name like~ "mimikatz.exe"
    )
  )
)
critical severity high confidence

Detects SID-History Injection via three branches using Elastic ECS field mappings: (1) Windows Security Events 4765 (SID History added successfully) and 4766 (failed attempt), fired by the Domain Controller when sIDHistory is manipulated — requires Account Management audit policy; (2) Event 4662 filtered on winlog.event_data.Properties containing 'sIDHistory', capturing LDAP-layer attribute writes — requires Directory Service Access auditing and SACL on the domain NC; (3) Process creation events matching Mimikatz binary name or command-line patterns associated with sid::add, Add-SIDHistory, DCShadow, and PowerShell ADSI manipulation. Branch 3 covers Sysmon Event ID 1 (event.code == '1') and Windows Security Event 4688, both normalized to event.category=process / event.type=start by Elastic Agent. Privileged SID detection (S-1-5-21-*-512/-519/-518) should be evaluated in a subsequent enrichment step using the winlog.event_data.SidHistory field.

Data Sources

Windows Security Event Log via Elastic Agent (logs-windows.security-*) or Winlogbeat (winlogbeat-*)Endpoint process telemetry via Elastic Defend or Sysmon + Winlogbeat (logs-endpoint.events.process-*)

Required Tables

logs-windows.security-*winlogbeat-*logs-endpoint.events.process-*

False Positives & Tuning

  • Active Directory Migration Tool (ADMT) running during authorized inter-domain or inter-forest migrations — generates Event 4765 for every account processed; correlate SubjectUserName against known migration service accounts and active change tickets
  • Quest Migration Manager, Binary Tree ADConnect, or similar enterprise directory consolidation tools that write sIDHistory for cross-domain resource access continuity — these generate Event 4662 with sIDHistory in Properties at scale during project windows
  • Authorized red team or penetration testing exercises simulating T1134.005 via Mimikatz or PowerShell ADSI — validate process.name, host.name, and timing against approved assessment scope and maintenance windows in your ITSM
Download portable Sigma rule (.yml)

Other platforms for T1134.005

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Enumerate Accounts with SID-History (Reconnaissance)

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine referencing 'SIDHistory' and 'Get-ADUser'. PowerShell ScriptBlock Log Event ID 4104 captures the full cmdlet. Security Event ID 4662 (Directory Service Access) may fire on Domain Controllers for LDAP query operations against user objects if Directory Service Access auditing is enabled at Success level.

  2. Test 2Verify DC Audit Policy for SID-History Detection Coverage

    Expected signal: Sysmon Event ID 1: Process Create for auditpol.exe. No Security events generated by this test — output is console-only. If any subcategory returns 'No Auditing', the corresponding event IDs will never fire and you have a detection gap that must be remediated.

  3. Test 3Mimikatz MISC::AddSid Command-Line Pattern Simulation

    Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing 'MISC::AddSid', 'privilege::debug', and a SID value matching the Enterprise Admins RID pattern (-519). Security Event ID 4688 (Process Creation) with the same CommandLine if command-line auditing is enabled via GPO. Note: Event 4765 will NOT fire for this simulated test — it only fires during actual Mimikatz execution against a live DC with Domain Admin rights.

  4. Test 4PowerShell ADSI SID-History Injection Attempt via Set-ADUser

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'sIDHistory', 'Set-ADUser', and 'Import-Module ActiveDirectory'. PowerShell ScriptBlock Log Event ID 4104 captures the full script including the synthetic SID value. If Domain Admin rights are present and the command succeeds: Security Event ID 4765 fires on the Domain Controller (SID History added) with the synthetic SID. If Domain Admin rights are absent: Security Event ID 4766 may fire (failed SID History add attempt). Security Event ID 4662 (Directory Service Access) fires on the DC for the LDAP write attempt regardless of success.

Last updated: 2026-04-20 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1134.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1134Access Token Manipulation

Related Sub-techniques

T1134.001Token Impersonation/TheftT1134.002Create Process with TokenT1134.003Make and Impersonate TokenT1134.004Parent PID Spoofing

Related Techniques

T1134Access Token ManipulationT1134.001Token Impersonation/TheftT1134.002Create Process with TokenT1207Rogue Domain ControllerT1003.006DCSyncT1098Account ManipulationT1136Create AccountT1021.002SMB/Windows Admin SharesT1021.006Windows Remote ManagementT1550.003Pass the Ticket

Same Tactic: Defense Evasion

Popular Detections