Detect SID-History Injection in Splunk
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. An account can hold additional SIDs in the SID-History Active Directory attribute, allowing inter-operable account migration between domains. With Domain Administrator (or equivalent) rights, harvested or well-known SID values may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as Remote Services, SMB/Windows Admin Shares, or Windows Remote Management.
MITRE ATT&CK
- Technique
- T1134 Access Token Manipulation
- Sub-technique
- T1134.005 SID-History Injection
- Canonical reference
- https://attack.mitre.org/techniques/T1134/005/
SPL Detection Query
index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4765 OR EventCode=4766 OR EventCode=4662)
| eval AlertType=case(
    EventCode=4765, "SID History Added to Account",
    EventCode=4766, "Failed SID History Add Attempt",
    EventCode=4662 AND match(EventData, "(?i)sIDHistory|17eb4278-d167-11d0-b002-0000f80367c1"), "sIDHistory Attribute Write (LDAP)",
    1=1, null()
)
| where isnotnull(AlertType)
| rex field=EventData "SubjectUserName\">(?<SubjectUser>[^<]+)<"
| rex field=EventData "SubjectDomainName\">(?<SubjectDomain>[^<]+)<"
| rex field=EventData "TargetUserName\">(?<TargetUser>[^<]+)<"
| rex field=EventData "TargetDomainName\">(?<TargetDomain>[^<]+)<"
| rex field=EventData "SidHistory\">(?<SIDAdded>[^<]+)<"
| rex field=EventData "ObjectName\">(?<ObjectDN>[^<]+)<"
| eval IsPrivilegedSID=if(
    match(coalesce(SIDAdded,""), "(-(512|516|518|519|520)|S-1-5-32-(544|548))$"),
    "YES", "NO"
)
| eval Severity=case(
    EventCode=4765 AND IsPrivilegedSID="YES", "CRITICAL",
    EventCode=4765, "HIGH",
    EventCode=4766, "HIGH",
    EventCode=4662, "HIGH",
    1=1, "MEDIUM"
)
| eval IsMigrationTool=if(
    match(coalesce(SubjectUser,""), "(?i)(admt|migration|svc_mig|quest|binarytree)"),
    "Yes", "No"
)
| table _time, host, EventCode, AlertType, Severity, SubjectUser, SubjectDomain,
    TargetUser, TargetDomain, SIDAdded, IsPrivilegedSID, ObjectDN, IsMigrationTool
| sort - _time

Detects SID-History Injection using Windows Security Event IDs 4765 (SID History was added to an account), 4766 (an attempt to add SID History to an account failed) and 4662 (an operation was performed on an Active Directory object, here a write touching the sIDHistory attribute). These events are generated on Domain Controllers and require the Advanced Audit Policy subcategories Audit User Account Management (Success and Failure) for 4765/4766 and Audit Directory Service Access (Success) for 4662. Event 4662 is only produced when the object's SACL audits the property write, and it reports the attribute in its Properties field by schema GUID (17eb4278-d167-11d0-b002-0000f80367c1 for sIDHistory) rather than by name, which is why the query matches on the GUID as well as the attribute name. The rex stages assume EventData holds the XML rendering of the event's EventData block (Data Name="...">value</Data>); if your inputs use the classic text rendering, the regexes will not match and you should use the add-on's extracted fields instead. The IsPrivilegedSID field flags injections whose added SID ends in a high-value RID (Domain Admins -512, Domain Controllers -516, Schema Admins -518, Enterprise Admins -519, Group Policy Creator Owners -520) or a built-in group SID (Administrators S-1-5-32-544, Account Operators S-1-5-32-548); the trailing anchor keeps -512 from matching ordinary RIDs such as -5120. The IsMigrationTool field helps analysts quickly identify common false positive sources from AD migration service accounts; treat it as a triage hint rather than an automatic suppression, since an attacker who has compromised a migration account produces the same value.
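The classification stages of the query (AlertType, SIDAdded, IsPrivilegedSID, Severity, IsMigrationTool) run offline over a few constructed XML-rendered events, as an added example that is not part of the page's own content. It lets you check the regexes and the RID list before pointing them at production data. The sample events, account names and domain SID are made up; the sIDHistory schema GUID is the value Windows reports in the 4662 Properties field.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# schemaIDGUID of the sIDHistory attribute; 4662 lists touched attributes by GUID
SIDHISTORY_GUID = "17eb4278-d167-11d0-b002-0000f80367c1"

# High-value RIDs / well-known SIDs, anchored so -512 does not match e.g. -5120
PRIVILEGED_SID_RE = re.compile(r"(?:-(?:512|516|518|519|520)|S-1-5-32-(?:544|548))$")
# Account-name fragments that suggest a migration service account (triage hint only)
MIGRATION_ACCOUNT_RE = re.compile(r"(?i)(admt|migration|svc_mig|quest|binarytree)")


def xml_data(event_xml: str, name: str) -> str | None:
    """Pull one <Data Name="...">value</Data> element, as the SPL rex stages do."""
    m = re.search(rf'Name="{re.escape(name)}">([^<]*)<', event_xml)
    return m.group(1) if m else None


@dataclass
class Alert:
    event_id: int
    alert_type: str
    severity: str
    subject_user: str | None
    target_user: str | None
    sid_added: str | None
    privileged_sid: bool
    migration_tool: bool


def classify(event_id: int, event_xml: str) -> Alert | None:
    """Mirror the eval/where/rex pipeline of the SPL for a single event."""
    if event_id == 4765:
        alert_type = "SID History Added to Account"
    elif event_id == 4766:
        alert_type = "Failed SID History Add Attempt"
    elif event_id == 4662 and (
        "sIDHistory" in event_xml or SIDHISTORY_GUID in event_xml.lower()
    ):
        alert_type = "sIDHistory Attribute Write (LDAP)"
    else:
        return None  # dropped by `where isnotnull(AlertType)`

    subject = xml_data(event_xml, "SubjectUserName")
    target = xml_data(event_xml, "TargetUserName")
    sid_added = xml_data(event_xml, "SidHistory")
    privileged = bool(sid_added and PRIVILEGED_SID_RE.search(sid_added))
    severity = "CRITICAL" if event_id == 4765 and privileged else "HIGH"
    migration = bool(subject and MIGRATION_ACCOUNT_RE.search(subject))
    return Alert(event_id, alert_type, severity, subject, target,
                 sid_added, privileged, migration)


# Constructed sample events (not captured from a real DC): a fabricated domain SID,
# made-up account names, and 4662 Properties rendered the way Windows does it.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_EVENTS = [
    # 4765: an ordinary admin adds Enterprise Admins (-519) to a service account
    (4765, f'<EventData><Data Name="SubjectUserName">jdoe</Data>'
           f'<Data Name="TargetUserName">backupsvc</Data>'
           f'<Data Name="SidHistory">{DOMAIN}-519</Data></EventData>'),
    # 4765: migration service account adds a plain user RID during a migration
    (4765, f'<EventData><Data Name="SubjectUserName">svc_admt</Data>'
           f'<Data Name="TargetUserName">mwhite</Data>'
           f'<Data Name="SidHistory">{DOMAIN}-1105</Data></EventData>'),
    # 4662: write touching sIDHistory, reported by schema GUID in Properties
    (4662, '<EventData><Data Name="SubjectUserName">jdoe</Data>'
           '<Data Name="ObjectName">CN=backupsvc,OU=Service,DC=corp,DC=example</Data>'
           '<Data Name="Properties">%%7685 {17EB4278-D167-11D0-B002-0000F80367C1}</Data></EventData>'),
    # 4662: write touching some other schema GUID (not sIDHistory); must not alert
    (4662, '<EventData><Data Name="SubjectUserName">jdoe</Data>'
           '<Data Name="Properties">%%7685 {bf967a86-0de6-11d0-a285-00aa003049e2}</Data></EventData>'),
]


def run(events=SAMPLE_EVENTS) -> list[Alert]:
    """Return the alerts the query would emit for the given (EventCode, EventData) pairs."""
    return [alert for event_id, xml in events
            if (alert := classify(event_id, xml)) is not None]


if __name__ == "__main__":
    for a in run():
        print(a.event_id, a.severity, a.alert_type, a.subject_user, a.target_user,
              a.sid_added, "privileged" if a.privileged_sid else "",
              "migration-tool" if a.migration_tool else "")
```

The fourth sample is the important negative case: a 4662 that names a different attribute GUID must fall through `classify` and produce nothing, otherwise every audited property write on a user object would surface as a SID-History alert.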
Data Sources
Required Sourcetypes
- WinEventLog:Security (Security event log collected from Domain Controllers; Event IDs 4765, 4766 and 4662)
False Positives & Tuning
- Legitimate Active Directory domain consolidations or migrations using Microsoft ADMT (Active Directory Migration Tool), which intentionally populates sIDHistory to preserve resource access for migrated accounts
- Third-party AD migration tools (Quest Migration Manager, Binary Tree CMN, Dell Migration Manager) that use SID-History as part of their standard inter-domain migration workflow
- Event 4766 (failed SID add) may appear when a legitimate migration attempt fails the prerequisites enforced for adding SID History (trust, auditing and group-membership requirements between source and target domain) rather than indicating an attack; confirm with the migration team before escalating
- Authorized red team or penetration testing engagements with explicit Domain Admin access — coordinate with your security team to suppress during approved test windows
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Enumerate Accounts with SID-History (Reconnaissance)
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine referencing 'SIDHistory' and 'Get-ADUser'. PowerShell ScriptBlock Log Event ID 4104 captures the full cmdlet. Security Event ID 4662 (Directory Service Access) may fire on Domain Controllers for LDAP query operations against user objects if Directory Service Access auditing is enabled at Success level.
- Test 2: Verify DC Audit Policy for SID-History Detection Coverage
Expected signal: Sysmon Event ID 1: Process Create for auditpol.exe. No Security events generated by this test — output is console-only. If any subcategory returns 'No Auditing', the corresponding event IDs will never fire and you have a detection gap that must be remediated.
- Test 3: Mimikatz MISC::AddSid Command-Line Pattern Simulation
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing 'MISC::AddSid', 'privilege::debug', and a SID value matching the Enterprise Admins RID pattern (-519). Security Event ID 4688 (Process Creation) with the same CommandLine if command-line auditing is enabled via GPO. Note: Event 4765 will NOT fire for this simulated test — it only fires during actual Mimikatz execution against a live DC with Domain Admin rights.
- Test 4: PowerShell SID-History Injection Attempt via Set-ADUser
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'sIDHistory', 'Set-ADUser', and 'Import-Module ActiveDirectory'. PowerShell ScriptBlock Log Event ID 4104 captures the full script including the synthetic SID value. Note that sIDHistory is a system-only attribute, so a direct LDAP write through Set-ADUser is normally refused by the DC even with Domain Admin rights (legitimate population goes through the DsAddSidHistory API, and Mimikatz patches the DC with sid::patch before its add command for exactly this reason). If the write does succeed: Security Event ID 4765 fires on the Domain Controller (SID History added) with the synthetic SID. If the attempt is rejected: Security Event ID 4766 may fire (failed SID History add attempt). Security Event ID 4662 (Directory Service Access) fires on the DC for the write attempt when the object's SACL audits the property write; a refused write is recorded only if the Directory Service Access subcategory also has Failure auditing enabled.
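The audit-policy coverage check from Test 2, as an added example that is neither the page's nor Atomic Red Team's code: it parses the output of `auditpol /get /category:*` and reports which of the subcategories this detection depends on are not enabled at the required level. The auditpol text below is constructed to mimic the English-locale table layout and is trimmed to the categories of interest; localized systems print different column labels and setting names, so the regular expression is an assumption you may need to adjust.

```python
from __future__ import annotations

import re

# Subcategory -> settings the detection above needs (4765/4766 and 4662 respectively)
REQUIRED_SUBCATEGORIES = {
    "User Account Management": {"Success", "Failure"},
    "Directory Service Access": {"Success"},
}

# Constructed sample of `auditpol /get /category:*` output (English locale layout),
# trimmed to the categories of interest; it is not output from a real DC.
SAMPLE_AUDITPOL_OUTPUT = """\
System audit policy
Category/Subcategory                      Setting
Account Management
  User Account Management                 Success
  Computer Account Management             No Auditing
DS Access
  Directory Service Access                Success and Failure
  Directory Service Changes               No Auditing
"""

# Subcategory rows are indented; category headers and the column title are not.
SUBCATEGORY_LINE = re.compile(
    r"^\s{2,}(?P<name>\S.*?)\s{2,}"
    r"(?P<setting>Success and Failure|Success|Failure|No Auditing)\s*$"
)


def parse_auditpol(text: str) -> dict[str, set[str]]:
    """Map each subcategory to the set of enabled audit settings (empty for 'No Auditing')."""
    policy: dict[str, set[str]] = {}
    for line in text.splitlines():
        m = SUBCATEGORY_LINE.match(line)
        if not m:
            continue
        setting = m.group("setting")
        policy[m.group("name")] = (
            set() if setting == "No Auditing" else set(setting.split(" and "))
        )
    return policy


def coverage_gaps(text: str, required=REQUIRED_SUBCATEGORIES) -> dict[str, set[str]]:
    """Return {subcategory: missing settings} for every requirement the policy does not meet."""
    policy = parse_auditpol(text)
    gaps: dict[str, set[str]] = {}
    for subcategory, needed in required.items():
        missing = needed - policy.get(subcategory, set())
        if missing:
            gaps[subcategory] = missing
    return gaps


if __name__ == "__main__":
    # On a DC, feed it the live policy instead, e.g.
    #   subprocess.run(["auditpol", "/get", "/category:*"], capture_output=True, text=True).stdout
    for subcategory, missing in coverage_gaps(SAMPLE_AUDITPOL_OUTPUT).items():
        print(f"GAP: {subcategory} is missing {', '.join(sorted(missing))} auditing")
```

In the constructed sample, User Account Management is set to Success only, so the check reports the missing Failure setting: 4766 would never fire on that DC even though 4765 would. A subcategory that is absent from the output altogether is treated the same as No Auditing.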
References (12)
- https://attack.mitre.org/techniques/T1134/005/
- https://msdn.microsoft.com/library/windows/desktop/aa379571.aspx
- https://msdn.microsoft.com/library/ms679833.aspx
- https://support.microsoft.com/help/243330/well-known-security-identifiers-in-windows-operating-systems
- https://technet.microsoft.com/library/ee617241.aspx
- https://adsecurity.org/?p=1772
- https://msdn.microsoft.com/library/ms677982.aspx
- https://adsecurity.org/?p=1640
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4765
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4766
- https://github.com/gentilkiwi/mimikatz
- https://github.com/EmpireProject/Empire