T1134.005 Sumo Logic CSE · Sumo

Detect SID-History Injection in Sumo Logic CSE

Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. An account can hold additional SIDs in the SID-History Active Directory attribute, allowing inter-operable account migration between domains. With Domain Administrator (or equivalent) rights, harvested or well-known SID values may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as Remote Services, SMB/Windows Admin Shares, or Windows Remote Management.

MITRE ATT&CK

Tactic
Defense Evasion, Privilege Escalation
Technique
T1134 Access Token Manipulation
Sub-technique
T1134.005 SID-History Injection
Canonical reference
https://attack.mitre.org/techniques/T1134/005/

Sumo Detection Query

Sumo Logic CSE (Sumo)

_sourceCategory=*Windows*Security* (4765 OR 4766 OR 4662)
| parse regex "(?i)EventID\s*>\s*(?<EventCode>\d+)" nodrop
| parse regex "(?i)SubjectUserName\s*>\s*(?<SubjectUser>[^<]+)<" nodrop
| parse regex "(?i)SubjectDomainName\s*>\s*(?<SubjectDomain>[^<]+)<" nodrop
| parse regex "(?i)TargetUserName\s*>\s*(?<TargetUser>[^<]+)<" nodrop
| parse regex "(?i)TargetDomainName\s*>\s*(?<TargetDomain>[^<]+)<" nodrop
| parse regex "(?i)SidHistory\s*>\s*(?<SIDAdded>[^<]+)<" nodrop
| parse regex "(?i)ObjectName\s*>\s*(?<ObjectDN>[^<]+)<" nodrop
// 4662 fires for every audited directory access; keep only events that touch sIDHistory.
// The raw XML carries the attribute's schemaIDGUID rather than its name, so match both.
| where EventCode = "4765"
    or EventCode = "4766"
    or (EventCode = "4662" and _raw matches /(?is).*(sIDHistory|17eb4278-d167-11d0-b002-0000f80367c1).*/)
| if(EventCode = "4765", "SID History Added",
    if(EventCode = "4766", "Failed SID History Add", "sIDHistory LDAP Attribute Write")) as AlertType
// Anchor on the final RID (\b) so an ordinary RID such as 5120 is not mistaken for 512.
| if(SIDAdded matches /(?s).*(-(512|516|518|519|520)\b|S-1-5-32-(544|548)\b).*/, "YES", "NO") as IsPrivilegedSID
// Every row that reaches this point is one of the three event IDs, so the floor is HIGH.
| if(IsPrivilegedSID = "YES", "CRITICAL", "HIGH") as Severity
| fields _messageTime, _sourceHost, EventCode, AlertType, Severity, SubjectUser,
    SubjectDomain, TargetUser, TargetDomain, SIDAdded, IsPrivilegedSID, ObjectDN
| sort by _messageTime desc

Severity: critical. Confidence: high.

Detects SID-History Injection in Sumo Logic by parsing the Windows Security Event XML ingested by a Sumo Logic Installed Collector with a Windows Event Log source. The initial keyword filter (4765 OR 4766 OR 4662) narrows the candidate messages at the index before the pipeline runs. The query then extracts EventID, SubjectUser, SubjectDomain, TargetUser, TargetDomain, SIDAdded and ObjectDN from the XML payload with named-capture regexes; nodrop keeps events in which an optional field is absent (a 4662 has no SidHistory field, for example). Event 4662 fires for every audited directory access, so the 4662 branch additionally requires a reference to sIDHistory in the raw event. Note that in the XML the Properties field of a 4662 records the attribute's schemaIDGUID ({17eb4278-d167-11d0-b002-0000f80367c1} for sIDHistory) rather than its name, so a match on that GUID is what gives reliable coverage; a match on the literal string 'sIDHistory' only succeeds where the collector has rendered the friendly name. IsPrivilegedSID tests whether an injected SID belongs to a high-value group (RID 512 Domain Admins, 519 Enterprise Admins, 518 Schema Admins, 516 Domain Controllers, 520 Group Policy Creator Owners, S-1-5-32-544 Builtin Administrators, S-1-5-32-548 Account Operators); the RID must be compared as the final component of the SID, otherwise an ordinary RID such as 5120 matches 512. A hit escalates Severity to CRITICAL; every other event that reaches the output is HIGH. Required audit policy: Audit User Account Management (4765/4766) and Audit Directory Service Access (4662). 4662 additionally needs a SACL covering Write Property on the user objects, because Directory Service Access auditing only produces events for objects that carry one.
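As an added example (not code from this page or from Sumo Logic), the same classification logic as a stand-alone Python script run over constructed Windows Security event XML, so the privileged-RID anchoring and the 4662 attribute-GUID match can be checked offline before the query is trusted in production. The sample events, account names, domain SID and object DN are constructed for this example; the sIDHistory schemaIDGUID is the real attribute GUID.

```python
"""Reference implementation of the SID-History detection above, run offline.

Added example, not code from the page or from Sumo Logic. The sample events,
account names, domain SID and object DN below are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}

# schemaIDGUID of the sIDHistory attribute. The Properties field of a 4662
# carries this GUID, not the attribute name.
SIDHISTORY_ATTR_GUID = "17eb4278-d167-11d0-b002-0000f80367c1"

# Domain-relative RIDs and builtin SIDs the query treats as high value.
PRIVILEGED_RIDS = {"512", "516", "518", "519", "520"}
PRIVILEGED_BUILTIN = {"S-1-5-32-544", "S-1-5-32-548"}

# Domain account SIDs (S-1-5-21-<three sub-authorities>-<RID>) and builtin SIDs.
SID_RE = re.compile(r"S-1-5-(?:21-\d+-\d+-\d+|32)-\d+")


def parse_event(xml_text):
    """Return (EventID, {Data Name: value}) from a Windows event XML blob."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def is_privileged_sid(sid):
    """True for the high-value groups. Only the final RID is compared, so an
    ordinary RID such as 5120 is not mistaken for Domain Admins (512)."""
    if sid in PRIVILEGED_BUILTIN:
        return True
    return sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[1] in PRIVILEGED_RIDS


def classify(xml_text):
    """Mirror the query: return an alert row, or None if the event is noise."""
    event_id, d = parse_event(xml_text)
    props = d.get("Properties", "").lower()
    if event_id == 4765:
        alert = "SID History Added"
    elif event_id == 4766:
        alert = "Failed SID History Add"
    elif event_id == 4662 and (SIDHISTORY_ATTR_GUID in props or "sidhistory" in props):
        alert = "sIDHistory LDAP Attribute Write"
    else:
        return None  # unrelated 4662, or any other event
    sids = SID_RE.findall(d.get("SidHistory", ""))
    privileged = any(is_privileged_sid(s) for s in sids)
    return {
        "EventCode": event_id,
        "AlertType": alert,
        "Severity": "CRITICAL" if privileged else "HIGH",
        "SubjectUser": d.get("SubjectUserName"),
        "TargetUser": d.get("TargetUserName"),
        "SIDAdded": sids,
        "IsPrivilegedSID": privileged,
        "ObjectDN": d.get("ObjectName"),
    }


def run(events):
    """Classify a batch of events and keep only the ones that alert."""
    return [row for row in map(classify, events) if row is not None]


def _event(event_id, data):
    # Build a minimal Security-channel event in the XML shape the collector ships.
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{EVENT_NS}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{body}</EventData></Event>')


DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
SAMPLE_EVENTS = [
    # Routine migration: an ordinary user RID lands in SidHistory -> HIGH
    _event(4765, {"SubjectUserName": "svc-admt", "TargetUserName": "jdoe",
                  "SidHistory": f"{DOMAIN}-1105"}),
    # Enterprise Admins RID injected -> CRITICAL
    _event(4765, {"SubjectUserName": "attacker", "TargetUserName": "jdoe",
                  "SidHistory": f"{DOMAIN}-519"}),
    # RID 5120: an unanchored "-512" regex would flag this; this code does not
    _event(4765, {"SubjectUserName": "svc-admt", "TargetUserName": "asmith",
                  "SidHistory": f"{DOMAIN}-5120"}),
    # Failed attempt to add Builtin Administrators -> CRITICAL
    _event(4766, {"SubjectUserName": "attacker", "TargetUserName": "jdoe",
                  "SidHistory": "S-1-5-32-544"}),
    # 4662 on the sIDHistory attribute, identified only by its GUID -> HIGH
    _event(4662, {"SubjectUserName": "attacker",
                  "ObjectName": "CN=jdoe,OU=Users,DC=corp,DC=example",
                  "Properties": "{" + SIDHISTORY_ATTR_GUID + "}"}),
    # 4662 on some other attribute (placeholder GUID) -> no alert
    _event(4662, {"SubjectUserName": "svc-sync",
                  "ObjectName": "CN=jdoe,OU=Users,DC=corp,DC=example",
                  "Properties": "{00000000-0000-0000-0000-000000000000}"}),
]

if __name__ == "__main__":
    for row in run(SAMPLE_EVENTS):
        print(row["EventCode"], row["Severity"], row["AlertType"], row["SIDAdded"])
```

Running the script prints five alert rows: two CRITICAL (the 519 and 544 cases), three HIGH, and nothing for the unrelated 4662. The same six events make a convenient regression set for the Sumo query itself: ingest them through a test collector and confirm the saved search returns the same rows.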

Data Sources

Windows Security Event Log (Sumo Logic Installed Collector, Windows Event Log Source targeting the Security channel)
Active Directory Domain Controller security events forwarded via the Sumo Logic collector

Required Tables

_sourceCategory=*Windows*Security*

False Positives & Tuning

  • ADMT running during approved domain migration projects generates high-volume Event 4765 entries in which SubjectUser is the migration service account; suppress with a lookup table of authorized migration accounts and active project windows.
  • Third-party AD migration and sync tools (Quest Migration Manager, Binary Tree ADConnect, Imanami Group ID) that populate sIDHistory for cross-forest resource access appear as Event 4662 bursts from known tool servers; filter on _sourceHost matching your migration infrastructure hostnames.
  • PowerShell-based identity governance runbooks that write the sIDHistory attribute (Set-ADUser -Add or -Replace on sIDHistory) during forest restructuring; validate by correlating SubjectUser against your privileged account inventory and active RFC/change ticket numbers.

Testing Methodology

Validate this detection against the four test cases below, modelled on Atomic Red Team. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Enumerate Accounts with SID-History (Reconnaissance)

    Expected signal: Sysmon Event ID 1 (Process Create) for powershell.exe with a CommandLine referencing 'SIDHistory' and 'Get-ADUser'. PowerShell ScriptBlock Log Event ID 4104 captures the full cmdlet. Security Event ID 4662 (Directory Service Access) may fire on Domain Controllers for the LDAP read of user objects if Directory Service Access auditing is enabled for Success and the objects carry a SACL covering read access.

  2. Test 2: Verify DC Audit Policy for SID-History Detection Coverage

    Expected signal: Sysmon Event ID 1 (Process Create) for auditpol.exe. The test generates no Security events; its output is console-only. If either relevant subcategory (Audit User Account Management for 4765/4766, Audit Directory Service Access for 4662) reports 'No Auditing', the corresponding event IDs will never fire and you have a detection gap to remediate.

  3. Test 3: Mimikatz MISC::AddSid Command-Line Pattern Simulation

    Expected signal: Sysmon Event ID 1 (Process Create) for cmd.exe with a CommandLine containing 'MISC::AddSid' (sid::add in current mimikatz builds), 'privilege::debug', and a SID whose final RID matches the Enterprise Admins pattern (-519). Security Event ID 4688 (Process Creation) carries the same CommandLine if command-line auditing is enabled via GPO. Note that Event 4765 will NOT fire for this simulated test; it fires only when sIDHistory is actually written on a live Domain Controller with Domain Admin rights.

  4. Test 4: PowerShell ADSI SID-History Injection Attempt via Set-ADUser

    Expected signal: Sysmon Event ID 1 (Process Create) for powershell.exe with a CommandLine containing 'sIDHistory', 'Set-ADUser', and 'Import-Module ActiveDirectory'. PowerShell ScriptBlock Log Event ID 4104 captures the full script including the synthetic SID value. If Domain Admin rights are present and the write succeeds, Security Event ID 4765 fires on the Domain Controller (SID History added) with the synthetic SID. If the write is refused, Security Event ID 4766 may fire (failed SID History add attempt). Security Event ID 4662 (Directory Service Access) records the LDAP write attempt on the DC regardless of outcome, provided Failure auditing is enabled for the refused case. Expect the refused case in most environments: a Domain Controller normally rejects direct LDAP writes to sIDHistory even from a Domain Admin, because the supported path is the DsAddSidHistory API that ADMT uses (which is why mimikatz patches the DC with sid::patch before sid::add).
