Detect SID-History Injection in Microsoft Sentinel
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. An account can hold additional SIDs in the SID-History Active Directory attribute, allowing inter-operable account migration between domains. With Domain Administrator (or equivalent) rights, harvested or well-known SID values may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as Remote Services, SMB/Windows Admin Shares, or Windows Remote Management.
MITRE ATT&CK
- Technique
- T1134 Access Token Manipulation
- Sub-technique
- T1134.005 SID-History Injection
- Canonical reference
- https://attack.mitre.org/techniques/T1134/005/
KQL Detection Query
// Branch 1: Direct SID-History modification events on Domain Controllers
// Event 4765: SID History was added to an account (SUCCESS)
// Event 4766: An attempt to add SID History to an account failed
let SIDHistoryModEvents = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID in (4765, 4766)
| extend EventType = iff(EventID == 4765, "SID History Added", "SID History Add Failed")
| extend SubjectUser = extract(@"SubjectUserName">([^<]+)<", 1, EventData)
| extend SubjectDomain = extract(@"SubjectDomainName">([^<]+)<", 1, EventData)
| extend TargetUser = extract(@"TargetUserName">([^<]+)<", 1, EventData)
| extend TargetDomain = extract(@"TargetDomainName">([^<]+)<", 1, EventData)
| extend SIDAdded = extract(@"SidHistory">([^<]+)<", 1, EventData)
| extend IsPrivilegedSID = SIDAdded has_any ("-512", "-519", "-518", "-516", "-520", "S-1-5-32-544", "S-1-5-32-548")
| project TimeGenerated, Computer, EventID, EventType, SubjectUser, SubjectDomain,
TargetUser, TargetDomain, SIDAdded, IsPrivilegedSID, EventData
| extend AlertBranch = "SID-History Modification Event", Severity = iff(IsPrivilegedSID, "Critical", "High");
// Branch 2: AD Object modification targeting sIDHistory attribute via LDAP write (Event 4662)
let ADObjectSIDHistory = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4662
| where EventData has "sIDHistory"
| extend SubjectUser = extract(@"SubjectUserName">([^<]+)<", 1, EventData)
| extend ObjectDN = extract(@"ObjectName">([^<]+)<", 1, EventData)
| project TimeGenerated, Computer, EventID, SubjectUser, ObjectDN, EventData
| extend AlertBranch = "sIDHistory Attribute Write (LDAP)", Severity = "High",
EventType = "Directory Service Attribute Write";
// Branch 3: Known SID injection tooling — Mimikatz, Empire, and PowerShell ADSI approaches
let SIDInjectionTooling = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (
"MISC::AddSid", "sid::add", "sIDHistory", "sidHistory",
"Add-SIDHistory", "DCShadow", "Invoke-DCshadow",
"Set-ADUser.*sIDHistory"
)
or FileName =~ "mimikatz.exe"
| extend AlertBranch = "SID Injection Tool Execution"
| extend Severity = "Critical"
| extend EventType = "Process Creation"
| project TimeGenerated = Timestamp, Computer = DeviceName, EventID = 4688, EventType,
SubjectUser = AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
AlertBranch, Severity;
// Union all branches
SIDHistoryModEvents
| union ADObjectSIDHistory
| union SIDInjectionTooling
| sort by TimeGenerated descDetects SID-History Injection attacks using three detection branches: (1) Security Event IDs 4765/4766 — logged exclusively on Domain Controllers when SID-History is added or an attempt fails. The IsPrivilegedSID flag identifies injections targeting Domain Admins (RID -512), Enterprise Admins (RID -519), Schema Admins (RID -518), or Built-in Administrators (S-1-5-32-544). (2) Security Event ID 4662 — Active Directory object access events where the sIDHistory attribute is written via LDAP. (3) DeviceProcessEvents — Mimikatz MISC::AddSid module, Empire Add-SIDHistory, DCShadow tooling, and PowerShell ADSI manipulation patterns. Requires Advanced Audit Policy: Audit User Account Management (Success+Failure) for Events 4765/4766; Audit Directory Service Access (Success) for Event 4662.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate Active Directory domain consolidations or migrations using Microsoft ADMT (Active Directory Migration Tool), which intentionally populates sIDHistory to preserve resource access for migrated accounts
- Third-party AD migration tools (Quest Migration Manager, Binary Tree CMN, Dell Migration Manager) that use SID-History as part of their standard inter-domain migration workflow
- Event 4766 (failed SID add) may appear when domain or forest functional level requirements for SID History are not met, such as when SID filtering is enforced on the domain trust
- Authorized red team or penetration testing engagements with explicit Domain Admin access — coordinate with your security team to suppress during approved test windows
Other platforms for T1134.005
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Enumerate Accounts with SID-History (Reconnaissance)
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine referencing 'SIDHistory' and 'Get-ADUser'. PowerShell ScriptBlock Log Event ID 4104 captures the full cmdlet. Security Event ID 4662 (Directory Service Access) may fire on Domain Controllers for LDAP query operations against user objects if Directory Service Access auditing is enabled at Success level.
- Test 2Verify DC Audit Policy for SID-History Detection Coverage
Expected signal: Sysmon Event ID 1: Process Create for auditpol.exe. No Security events generated by this test — output is console-only. If any subcategory returns 'No Auditing', the corresponding event IDs will never fire and you have a detection gap that must be remediated.
- Test 3Mimikatz MISC::AddSid Command-Line Pattern Simulation
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing 'MISC::AddSid', 'privilege::debug', and a SID value matching the Enterprise Admins RID pattern (-519). Security Event ID 4688 (Process Creation) with the same CommandLine if command-line auditing is enabled via GPO. Note: Event 4765 will NOT fire for this simulated test — it only fires during actual Mimikatz execution against a live DC with Domain Admin rights.
- Test 4PowerShell ADSI SID-History Injection Attempt via Set-ADUser
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'sIDHistory', 'Set-ADUser', and 'Import-Module ActiveDirectory'. PowerShell ScriptBlock Log Event ID 4104 captures the full script including the synthetic SID value. If Domain Admin rights are present and the command succeeds: Security Event ID 4765 fires on the Domain Controller (SID History added) with the synthetic SID. If Domain Admin rights are absent: Security Event ID 4766 may fire (failed SID History add attempt). Security Event ID 4662 (Directory Service Access) fires on the DC for the LDAP write attempt regardless of success.
References (12)
- https://attack.mitre.org/techniques/T1134/005/
- https://msdn.microsoft.com/library/windows/desktop/aa379571.aspx
- https://msdn.microsoft.com/library/ms679833.aspx
- https://support.microsoft.com/help/243330/well-known-security-identifiers-in-windows-operating-systems
- https://technet.microsoft.com/library/ee617241.aspx
- https://adsecurity.org/?p=1772
- https://msdn.microsoft.com/library/ms677982.aspx
- https://adsecurity.org/?p=1640
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4765
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4766
- https://github.com/gentilkiwi/mimikatz
- https://github.com/EmpireProject/Empire
Unlock Pro Content
Get the full detection package for T1134.005 including response playbook, investigation guide, and atomic red team tests.