T1134.005 CrowdStrike LogScale · LogScale

Detect SID-History Injection in CrowdStrike LogScale

Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. An account can hold additional SIDs in the SID-History Active Directory attribute, allowing inter-operable account migration between domains. With Domain Administrator (or equivalent) rights, harvested or well-known SID values may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as Remote Services, SMB/Windows Admin Shares, or Windows Remote Management.

MITRE ATT&CK

Tactic
Defense Evasion, Privilege Escalation
Technique
T1134 Access Token Manipulation
Sub-technique
T1134.005 SID-History Injection
Canonical reference
https://attack.mitre.org/techniques/T1134/005/

LogScale Detection Query

CrowdStrike LogScale query (CQL)

// Detect SID-History Injection across Falcon process telemetry and Windows Security Event Log.
// The three branches are combined with case{}; an event matching no branch is dropped.
(#event_simpleName=ProcessRollup2 OR #event_simpleName=EventLog)
| case {
    // Branch 1: SID injection tooling via Falcon ProcessRollup2 endpoint telemetry
    #event_simpleName=ProcessRollup2
    | (CommandLine=/(?i)(MISC::AddSid|sid::add|sIDHistory|sidHistory|Add-SIDHistory|DCShadow|Invoke-DCShadow|Set-ADUser.{0,60}sIDHistory)/
       OR ImageFileName=/(?i)\\mimikatz\.exe$/)
    | AlertBranch := "SID Injection Tool Execution"
    | Severity := "CRITICAL";

    // Branch 2: Windows Security Events 4765 (SID History added) and 4766 (add attempt failed)
    #event_simpleName=EventLog
    | EventID="4765"
    | AlertBranch := "SID History Added to Account"
    | Severity := "HIGH";

    #event_simpleName=EventLog
    | EventID="4766"
    | AlertBranch := "Failed SID History Add Attempt"
    | Severity := "HIGH";

    // Branch 3: Event 4662 - directory attribute write to sIDHistory.
    // 4662 normally records the attribute as its schema GUID rather than by name,
    // so match the sIDHistory GUID as well as the attribute name.
    #event_simpleName=EventLog
    | EventID="4662"
    | EventData=/(?i)(sIDHistory|17eb4278-d167-11d0-b002-0000f80367c1)/
    | AlertBranch := "sIDHistory LDAP Attribute Write"
    | Severity := "HIGH"
  }
| table([@timestamp, ComputerName, UserName, UserSid, ImageFileName, CommandLine,
         ParentBaseFileName, SHA256HashData, EventID, SubjectUserName, SubjectDomainName,
         TargetUserName, TargetDomainName, SidHistory, ObjectName, EventData,
         AlertBranch, Severity])
| sort(@timestamp, order=desc)

Severity: Critical · Confidence: High

CrowdStrike Falcon LogScale (Next-Gen SIEM) detection that combines three independent branches, each tagging matching events with an AlertBranch label and a Severity. Branch 1 leverages native Falcon ProcessRollup2 endpoint telemetry, the richest telemetry source, matching the Mimikatz binary name or command-line patterns for known SID injection techniques including sid::add, Add-SIDHistory, DCShadow, and Set-ADUser manipulation of sIDHistory; SHA256HashData is included for IOC correlation and hash reputation lookups. Branch 2 targets Windows Security Events 4765 (SID History was added to an account) and 4766 (an attempt to add SID History failed) forwarded to LogScale from Domain Controllers via the Falcon Log Collector; the fields SubjectUserName, TargetUserName, and SidHistory must be exposed under those names by your Windows Event Log parser, so verify the parsed field names before relying on this branch. Branch 3 covers Event 4662 (an operation was performed on an object), which captures directory-layer attribute writes when sIDHistory is modified via ADSI, LDP, or ADMT; because 4662 records the written attribute as its schema GUID rather than by name, the branch matches both the attribute name and the sIDHistory schema GUID (17eb4278-d167-11d0-b002-0000f80367c1). Note: the 'EventLog' event_simpleName assumes Windows Security Events are ingested via the Falcon Log Collector using EventLog as the simpleName; adjust to match your specific ingest configuration if different (e.g., 'WinEventLog' or a custom simpleName). Branch 1 (Falcon sensor telemetry) functions without Windows Event Log collection enabled and should always be active.

Data Sources

  • CrowdStrike Falcon Sensor process telemetry (ProcessRollup2 events; no additional configuration required)
  • Windows Security Event Log forwarded to Falcon LogScale via the Falcon Log Collector, with Security log collection enabled on Domain Controllers

Required Event Types

  • ProcessRollup2 (Falcon sensor telemetry; requires a Falcon Prevent or Insight subscription)
  • EventLog (Windows Security Event Log via the Falcon Log Collector; requires log collection configuration on Domain Controllers)

False Positives & Tuning

  • Authorized ADMT or enterprise directory migration processes: the CommandLine or EventData will legitimately contain 'sIDHistory'. Build a suppression watchlist in Falcon containing the authorized migration service account UserSid values and the migration server ComputerName entries, and suppress only when both the account and the host match, so a compromised migration account used from an ordinary workstation still alerts.
  • PowerShell-based identity governance automation that calls Set-ADUser with SIDHistory parameter during approved forest restructuring — filter by ParentBaseFileName matching expected management console processes (powershell_ise.exe, devenv.exe) from known PAW hostnames
  • Red team exercises using Mimikatz or custom implants that trigger ProcessRollup2 matches — validate ComputerName and UserName against the authorized assessment scope defined in your Falcon Fusion workflow or response policy exclusions
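As an added worked example (not part of the original page or CrowdStrike's own content), the following Python replays the three branches of the query above and the suppression rules from the tuning bullets over a handful of constructed events. Event field names are the ones the query uses; the allowlist SIDs, hostnames, and account names are hypothetical. The 4662 branch also matches the sIDHistory attribute's schema GUID, since that event records the attribute by GUID rather than by name.

```python
import re

# Regexes mirroring the three query branches. The 4662 pattern also matches the
# sIDHistory schema GUID because 4662 records attributes by GUID, not by name.
TOOL_CMDLINE = re.compile(
    r"(?i)(MISC::AddSid|sid::add|sIDHistory|sidHistory|Add-SIDHistory"
    r"|DCShadow|Invoke-DCShadow|Set-ADUser.{0,60}sIDHistory)"
)
MIMIKATZ_IMAGE = re.compile(r"(?i)\\mimikatz\.exe$")
SIDHISTORY_ATTR = re.compile(r"(?i)(sIDHistory|17eb4278-d167-11d0-b002-0000f80367c1)")

# Constructed tuning allowlist (hypothetical values): an ADMT service account that is
# only allowed to act from the migration server, plus one assessment host in scope.
SUPPRESS = {
    "migration_user_sids": {"S-1-5-21-1111-2222-3333-2001"},
    "migration_accounts": {"svc_admt"},
    "migration_hosts": {"MIG01"},
    "assessment_hosts": {"PAW-RT01"},
}

# Constructed sample events (not real telemetry). Field names follow the Falcon
# ProcessRollup2 schema and the parsed Windows Security Event Log fields the query uses.
SAMPLE_EVENTS = [
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS01", "UserName": "jdoe",
     "UserSid": "S-1-5-21-1111-2222-3333-1105", "ParentBaseFileName": "cmd.exe",
     "ImageFileName": r"C:\Tools\mimikatz.exe",
     "CommandLine": '"mimikatz.exe" "privilege::debug" '
                    '"sid::add /sam:jdoe /new:S-1-5-21-4444-5555-6666-519"'},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "MIG01", "UserName": "svc_admt",
     "UserSid": "S-1-5-21-1111-2222-3333-2001", "ParentBaseFileName": "powershell_ise.exe",
     "ImageFileName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Migration\Copy-SidHistory.ps1"},
    {"event_simpleName": "EventLog", "ComputerName": "DC01", "EventID": "4765",
     "SubjectUserName": "jdoe", "SubjectDomainName": "CORP", "TargetUserName": "jdoe",
     "TargetDomainName": "CORP", "SidHistory": "S-1-5-21-4444-5555-6666-519"},
    {"event_simpleName": "EventLog", "ComputerName": "DC01", "EventID": "4662",
     "SubjectUserName": "jdoe", "ObjectName": "CN=jdoe,OU=Users,DC=corp,DC=local",
     "EventData": "Properties: Write Property {17eb4278-d167-11d0-b002-0000f80367c1}"},
    {"event_simpleName": "EventLog", "ComputerName": "DC01", "EventID": "4662",
     "SubjectUserName": "svc_backup", "ObjectName": "CN=Policies,CN=System,DC=corp,DC=local",
     "EventData": "Properties: Read Property"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS02", "UserName": "asmith",
     "UserSid": "S-1-5-21-1111-2222-3333-1106", "ParentBaseFileName": "explorer.exe",
     "ImageFileName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
]


def classify(event):
    """Return (AlertBranch, Severity) when the event matches one of the three branches, else None."""
    kind = event.get("event_simpleName")
    if kind == "ProcessRollup2":
        if (TOOL_CMDLINE.search(event.get("CommandLine", ""))
                or MIMIKATZ_IMAGE.search(event.get("ImageFileName", ""))):
            return "SID Injection Tool Execution", "CRITICAL"
    elif kind == "EventLog":
        eid = str(event.get("EventID", ""))
        if eid == "4765":
            return "SID History Added to Account", "HIGH"
        if eid == "4766":
            return "Failed SID History Add Attempt", "HIGH"
        if eid == "4662" and SIDHISTORY_ATTR.search(event.get("EventData", "")):
            return "sIDHistory LDAP Attribute Write", "HIGH"
    return None


def is_suppressed(event, branch, allow):
    """Tuning rules. Branch 1 is suppressed only when BOTH the account SID and the host are on
    the migration allowlist, so a stolen migration account used elsewhere still alerts."""
    host = event.get("ComputerName")
    if host in allow["assessment_hosts"]:
        return True
    if branch == "SID Injection Tool Execution":
        return (event.get("UserSid") in allow["migration_user_sids"]
                and host in allow["migration_hosts"])
    # DC-side events (4765/4766/4662) carry the acting account as SubjectUserName
    return event.get("SubjectUserName") in allow["migration_accounts"]


def run_detection(events, allow=SUPPRESS):
    """Evaluate every event against the branches and tuning rules; return the surviving alerts."""
    alerts = []
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        branch, severity = hit
        if is_suppressed(ev, branch, allow):
            continue
        alerts.append({
            "ComputerName": ev.get("ComputerName"),
            "Subject": ev.get("UserName") or ev.get("SubjectUserName"),
            "AlertBranch": branch,
            "Severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```

Running it yields three alerts: the Mimikatz execution on WS01, the 4765 on DC01, and the GUID-only 4662 on DC01. The migration script on MIG01 is suppressed because both its UserSid and its host are on the allowlist; the same account on any other host would still alert. The same harness is a convenient place to unit-test regex changes before pushing them to LogScale.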

Testing Methodology

Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Where a test cites Sysmon Event ID 1, the Falcon ProcessRollup2 event carries the equivalent process-creation telemetry for Branch 1.

  1. Test 1: Enumerate Accounts with SID-History (Reconnaissance)

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine referencing 'SIDHistory' and 'Get-ADUser'. PowerShell ScriptBlock Log Event ID 4104 captures the full cmdlet. Security Event ID 4662 (Directory Service Access) may fire on Domain Controllers for LDAP query operations against user objects if Directory Service Access auditing is enabled at Success level.

  2. Test 2: Verify DC Audit Policy for SID-History Detection Coverage

    Expected signal: Sysmon Event ID 1: Process Create for auditpol.exe. No Security events generated by this test — output is console-only. If any subcategory returns 'No Auditing', the corresponding event IDs will never fire and you have a detection gap that must be remediated.

  3. Test 3: Mimikatz MISC::AddSid Command-Line Pattern Simulation

    Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing 'MISC::AddSid', 'privilege::debug', and a SID value matching the Enterprise Admins RID pattern (-519). Security Event ID 4688 (Process Creation) with the same CommandLine if command-line auditing is enabled via GPO. Note: Event 4765 will NOT fire for this simulated test; it fires only when sIDHistory is actually written on a Domain Controller, which requires Domain Admin (or equivalent) rights.

  4. Test 4: PowerShell ADSI SID-History Injection Attempt via Set-ADUser

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'sIDHistory', 'Set-ADUser', and 'Import-Module ActiveDirectory'. PowerShell ScriptBlock Log Event ID 4104 captures the full script including the synthetic SID value. If Domain Admin rights are present and the command succeeds: Security Event ID 4765 fires on the Domain Controller (SID History added) with the synthetic SID. If Domain Admin rights are absent: Security Event ID 4766 may fire (failed SID History add attempt). Security Event ID 4662 (Directory Service Access) fires on the DC for the write attempt regardless of success, provided Directory Service Access auditing is enabled for both Success and Failure (see Test 2).
