SigmaHQ/rules/windows/builtin/win_susp_add_sid_history.yml
2019-12-03 14:28:46 +01:00

30 lines
779 B
YAML

title: Addition of SID History to Active Directory Object
id: 2632954e-db1c-49cb-9936-67d1ef1d17d2
status: stable
description: An attacker can use the SID history attribute to gain additional privileges.
references:
- https://adsecurity.org/?p=1772
author: Thomas Patzke, @atc_project (improvements)
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1178
logsource:
product: windows
service: security
detection:
selection1:
EventID:
- 4765
- 4766
selection2:
EventID: 4738
selection3:
SidHistory:
- '-'
- '%%1793'
condition: selection1 or (selection2 and not selection3)
falsepositives:
- Migration of an account into a new domain
level: medium