title: Addition of SID History to Active Directory Object id: 2632954e-db1c-49cb-9936-67d1ef1d17d2 status: stable description: An attacker can use the SID history attribute to gain additional privileges. references: - https://adsecurity.org/?p=1772 author: Thomas Patzke, @atc_project (improvements) date: 2017/02/19 tags: - attack.persistence - attack.privilege_escalation - attack.t1178 # an old one - attack.t1134.005 logsource: product: windows service: security detection: selection1: EventID: - 4765 - 4766 selection2: EventID: 4738 selection3: SidHistory: - '-' - '%%1793' filter_null: SidHistory: condition: selection1 or (selection2 and not selection3 and not filter_null) falsepositives: - Migration of an account into a new domain level: medium