Detect SID-History Injection in IBM QRadar
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. An account can hold additional SIDs in the SID-History Active Directory attribute, allowing inter-operable account migration between domains. With Domain Administrator (or equivalent) rights, harvested or well-known SID values may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as Remote Services, SMB/Windows Admin Shares, or Windows Remote Management.
MITRE ATT&CK
- Technique: T1134 Access Token Manipulation
- Sub-technique: T1134.005 SID-History Injection
- Canonical reference: https://attack.mitre.org/techniques/T1134/005/
QRadar Detection Query
SELECT
    DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
    logsourcename(logsourceid) AS LogSource,
    LOGSOURCETYPENAME(devicetype) AS LogSourceType,
    "EventID" AS WindowsEventID,
    username AS SubjectUser,
    QIDNAME(qid) AS QRadarEventName,
    CASE
        WHEN "EventID" = '4765' THEN 'SID History Added to Account'
        WHEN "EventID" = '4766' THEN 'Failed SID History Add Attempt'
        WHEN "EventID" = '4662' THEN 'sIDHistory LDAP Attribute Write'
        ELSE 'SID Injection Tool Detected in Payload'
    END AS AlertType,
    CASE
        WHEN "EventID" = '4765'
            AND (
                payload ILIKE '%-512%'
                OR payload ILIKE '%-519%'
                OR payload ILIKE '%-518%'
                OR payload ILIKE '%-516%'
                OR payload ILIKE '%-520%'
                OR payload ILIKE '%S-1-5-32-544%'
                OR payload ILIKE '%S-1-5-32-548%'
            ) THEN 'CRITICAL'
        WHEN "EventID" IN ('4765', '4766', '4662') THEN 'HIGH'
        ELSE 'CRITICAL'
    END AS Severity,
    sourceip AS SourceIP,
    payload
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) ILIKE '%Windows Security%'
    AND (
        "EventID" IN ('4765', '4766')
        OR (
            "EventID" = '4662'
            AND payload ILIKE '%sIDHistory%'
        )
        OR (
            payload ILIKE '%MISC::AddSid%'
            OR payload ILIKE '%sid::add%'
            OR payload ILIKE '%Add-SIDHistory%'
            OR payload ILIKE '%DCShadow%'
            OR payload ILIKE '%Invoke-DCshadow%'
            OR payload ILIKE '%mimikatz%'
        )
    )
ORDER BY starttime DESC
LAST 24 HOURS

Detects SID-History Injection using QRadar AQL against the Windows Security Event Log DSM. The query targets three detection branches: Events 4765 and 4766 matched directly via the normalized 'EventID' custom property; Event 4662 filtered by payload ILIKE '%sIDHistory%' to isolate Directory Service object modifications that touch the sIDHistory attribute; and free-text payload matching against known SID injection tool signatures (Mimikatz, DCShadow, Empire, PowerShell ADSI). The CASE-based severity escalates Event 4765 to CRITICAL when the raw payload contains well-known privileged group RID suffixes (-512 Domain Admins, -519 Enterprise Admins, -518 Schema Admins, -516 Domain Controllers group, -520 GPO Creators, S-1-5-32-544 local Administrators, S-1-5-32-548 Account Operators). QRadar's Windows Security DSM must be configured to extract 'EventID' as a custom event property for the WHERE clause to function; alternatively, replace it with QIDNAME(qid) LIKE '%4765%' if EventID extraction is not enabled. Requires a Windows Security audit policy with Audit Account Management and Audit Directory Service Access enabled on Domain Controllers.
False Positives & Tuning
- ADMT-based domain migrations triggered by IT Infrastructure teams during M&A integrations — service account names like 'admt_svc' or 'mig_admin' appearing in SubjectUser with high-volume 4765 events are expected; build a suppression reference set of authorized migration accounts
- Quest Migration Manager and Binary Tree ADConnect sync jobs writing sIDHistory for cross-forest access continuity — these appear as Event 4662 bursts from DC hostnames and known tool service accounts
- Authorized penetration testing payloads containing 'mimikatz' or 'DCShadow' strings — validate SourceIP and username against approved assessment scope defined in your QRadar offense suppression rules or reference sets
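Worked example, added here and not part of the original detection package: a Python re-implementation of the query's three branches and its severity CASE, run over constructed sample events, together with the authorised-migration-account suppression from the tuning notes above. It anchors the privileged-group check to a complete domain or built-in SID, so a RID such as 5120 does not satisfy the -512 test the way the bare '%-512%' substring does in AQL; the account names, suppression set and event payloads are assumptions.

```python
import re

# Privileged RIDs and built-in SIDs that the AQL CASE escalates to CRITICAL.
PRIV_DOMAIN_RIDS = {"512", "516", "518", "519", "520"}
PRIV_BUILTIN_SIDS = {"S-1-5-32-544", "S-1-5-32-548"}
# Anchored SID pattern (domain SID = S-1-5-21-<3 sub-authorities>-<RID>): RID 5120 no longer passes as '-512'.
SID_RE = re.compile(r"\bS-1-5-(?:21-\d+-\d+-\d+|32)-(\d+)\b")
TOOL_SIGS = ("misc::addsid", "sid::add", "add-sidhistory", "dcshadow", "mimikatz")
# Hypothetical suppression reference set of authorised migration accounts.
AUTHORIZED_MIGRATION_ACCOUNTS = {"admt_svc", "mig_admin"}

def privileged_sids(payload):
    """Return the well-known privileged SIDs present in a raw event payload."""
    hits = []
    for m in SID_RE.finditer(payload):
        sid, rid = m.group(0), m.group(1)
        if sid in PRIV_BUILTIN_SIDS or (sid.startswith("S-1-5-21-") and rid in PRIV_DOMAIN_RIDS):
            hits.append(sid)
    return hits

def classify(event):
    """Mirror the three AQL branches; return (alert_type, severity) or None."""
    eid, low = event["EventID"], event["payload"].lower()
    if eid == "4765":
        alert = "SID History Added to Account"
        sev = "CRITICAL" if privileged_sids(event["payload"]) else "HIGH"
    elif eid == "4766":
        alert, sev = "Failed SID History Add Attempt", "HIGH"
    elif eid == "4662" and "sidhistory" in low:
        alert, sev = "sIDHistory LDAP Attribute Write", "HIGH"
    elif any(sig in low for sig in TOOL_SIGS):
        alert, sev = "SID Injection Tool Detected in Payload", "CRITICAL"
    else:
        return None
    # Suppress only HIGH (non-privileged) writes by approved migration accounts; a privileged SID stays CRITICAL.
    if sev == "HIGH" and event["username"].lower() in AUTHORIZED_MIGRATION_ACCOUNTS:
        sev = "SUPPRESSED"
    return alert, sev

# Constructed sample events with abbreviated Windows Security payloads (not real logs).
SAMPLE_EVENTS = [
    {"EventID": "4765", "username": "jdoe", "payload": "SID History was added to an account. SID History: S-1-5-21-111-222-333-519"},
    {"EventID": "4765", "username": "admt_svc", "payload": "SID History was added to an account. SID History: S-1-5-21-111-222-333-1105"},
    {"EventID": "4765", "username": "jdoe", "payload": "SID History was added to an account. SID History: S-1-5-21-111-222-333-5120"},
    {"EventID": "4662", "username": "svc_sync", "payload": "An operation was performed on an object. Properties: Write Property sIDHistory"},
    {"EventID": "4688", "username": "bob", "payload": "A new process has been created. Command Line: mimikatz.exe"},
]

def triage(events=SAMPLE_EVENTS):
    # One (EventID, alert_type, severity) tuple per event that matches a branch.
    return [(e["EventID"], *r) for e in events if (r := classify(e))]
```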
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Enumerate Accounts with SID-History (Reconnaissance)
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine referencing 'SIDHistory' and 'Get-ADUser'. PowerShell ScriptBlock Log Event ID 4104 captures the full cmdlet. Security Event ID 4662 (Directory Service Access) may fire on Domain Controllers for LDAP query operations against user objects if Directory Service Access auditing is enabled at Success level.
- Test 2: Verify DC Audit Policy for SID-History Detection Coverage
Expected signal: Sysmon Event ID 1: Process Create for auditpol.exe. No Security events generated by this test — output is console-only. If any subcategory returns 'No Auditing', the corresponding event IDs will never fire and you have a detection gap that must be remediated.
- Test 3: Mimikatz MISC::AddSid Command-Line Pattern Simulation
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing 'MISC::AddSid', 'privilege::debug', and a SID value matching the Enterprise Admins RID pattern (-519). Security Event ID 4688 (Process Creation) with the same CommandLine if command-line auditing is enabled via GPO. Note: Event 4765 will NOT fire for this simulated test — it only fires during actual Mimikatz execution against a live DC with Domain Admin rights.
- Test 4: PowerShell ADSI SID-History Injection Attempt via Set-ADUser
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'sIDHistory', 'Set-ADUser', and 'Import-Module ActiveDirectory'. PowerShell ScriptBlock Log Event ID 4104 captures the full script including the synthetic SID value. If Domain Admin rights are present and the command succeeds: Security Event ID 4765 fires on the Domain Controller (SID History added) with the synthetic SID. If Domain Admin rights are absent: Security Event ID 4766 may fire (failed SID History add attempt). Security Event ID 4662 (Directory Service Access) fires on the DC for the LDAP write attempt regardless of success.
References (12)
- https://attack.mitre.org/techniques/T1134/005/
- https://msdn.microsoft.com/library/windows/desktop/aa379571.aspx
- https://msdn.microsoft.com/library/ms679833.aspx
- https://support.microsoft.com/help/243330/well-known-security-identifiers-in-windows-operating-systems
- https://technet.microsoft.com/library/ee617241.aspx
- https://adsecurity.org/?p=1772
- https://msdn.microsoft.com/library/ms677982.aspx
- https://adsecurity.org/?p=1640
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4765
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4766
- https://github.com/gentilkiwi/mimikatz
- https://github.com/EmpireProject/Empire