Query Details

RULE 15 AD SID History Injection

Query

// =========================================================
// RULE-15 | AD-SIDHistory-Injection
// Description : SID History injection detection — Event 4765
//               (SID History Added) or Event 5136 (DS Object
//               Modified) adding a value to the sIDHistory
//               attribute. SID History lets an account carry
//               additional SIDs in its Kerberos PAC, and every
//               access check honours them as if the account
//               were a member of those groups. Injecting the
//               Enterprise Admins SID (RID 519) or Domain
//               Admins SID (RID 512) into any user therefore
//               gives that user EA/DA privileges without any
//               visible group-membership change. Used for
//               persistence after a domain compromise (e.g.
//               following DCSync) and for escalation across
//               trusts inside a forest, where SID filtering
//               is not applied by default.
// Prereqs     : 4765 is raised by the DsAddSidHistory API path
//               (e.g. ADMT migrations). A direct attribute
//               write after patching the DC (Mimikatz
//               sid::patch / sid::add) surfaces only as 5136,
//               which needs "Audit Directory Service Changes"
//               enabled and a SACL on the monitored objects.
// Severity    : Critical (EA/DA/SA/BA or RID-500 SID injected)
//               High     (any other SID injected)
// Frequency   : Every 15 minutes, look-back 15 minutes
// MITRE       : T1134.005 — Access Token Manipulation:
//               SID-History Injection
// Tables      : SecurityEvent
// =========================================================

let LookBack = 15m;

// High-value SIDs, matched as the final sub-authority (RID) of a
// domain SID or as the exact BUILTIN\Administrators SID. A plain
// has_any("-512") substring test would also fire on a domain
// identifier that happens to contain the sub-authority 512.
//   500 = built-in Administrator    512 = Domain Admins
//   518 = Schema Admins             519 = Enterprise Admins
//   S-1-5-32-544 = BUILTIN\Administrators
let SensitiveSIDRegex = @"(?i)S-1-5-(21(-\d+){3}-(500|512|518|519)|32-544)\b";

// Signal 1: Event 4765 — SID History Added (explicit event)
let Via4765 = SecurityEvent
    | where TimeGenerated > ago(LookBack)
    | where EventID == 4765
    | extend
        Source          = "Event4765_SIDHistoryAdded",
        ActorAccount    = strcat(SubjectDomainName, "\\", SubjectUserName),
        TargetAccount   = strcat(TargetDomainName,  "\\", TargetUserName),
        InjectedSIDs    = SidHistory
    | extend
        HasSensitiveSID = InjectedSIDs matches regex SensitiveSIDRegex
    | project TimeGenerated, Source, ActorAccount, TargetAccount,
              InjectedSIDs, HasSensitiveSID, Computer;

// Signal 2: Event 5136 — Direct attribute write to sIDHistory
let Via5136 = SecurityEvent
    | where TimeGenerated > ago(LookBack)
    | where EventID == 5136
    | where AttributeLDAPDisplayName =~ "sIDHistory"
    // %%14674 = Value Added. Without this filter, removing a stale
    // SID during cleanup (%%14675 = Value Deleted) would also alert.
    | where OperationType == "%%14674"
    | extend
        Source          = "Event5136_sIDHistory_Write",
        ActorAccount    = strcat(SubjectDomainName, "\\", SubjectUserName),
        TargetAccount   = ObjectDN,
        InjectedSIDs    = AttributeValue
    | extend
        HasSensitiveSID = InjectedSIDs matches regex SensitiveSIDRegex
    | project TimeGenerated, Source, ActorAccount, TargetAccount,
              InjectedSIDs, HasSensitiveSID, Computer;

union Via4765, Via5136
| extend
    Severity = case(
        HasSensitiveSID, "Critical",
        "High"
    ),
    WhySuspicious = strcat(
        "SIDHistory_Injected; ",
        iff(HasSensitiveSID, "Sensitive_SID_RID_500_512_518_519_or_BA; ", ""),
        "Target: ", TargetAccount, "; ",
        "Actor: ", ActorAccount, "; ",
        "SIDs: ", InjectedSIDs
    )
| project
    TimeGenerated,
    Severity,
    WhySuspicious,
    ActorAccount,
    TargetAccount,
    InjectedSIDs,
    HasSensitiveSID,
    Source,
    Computer
// "Critical" sorts before "High" alphabetically, so asc puts it first
| order by Severity asc, TimeGenerated desc

Explanation

This query detects SID History injection in Active Directory. Here's a breakdown:

  1. Purpose: The query identifies writes to an account's sIDHistory attribute, which can indicate privilege escalation or persistence. It pays particular attention to writes that carry high-value SIDs, such as Domain Admins or Enterprise Admins, because every access check honours the SIDs in the Kerberos PAC exactly as if the account were a member of those groups, with no visible change to group membership.

  2. Events Monitored:

    • Event 4765: Logged when SID History is added to an account through the DsAddSidHistory API, the path used by migration tools such as ADMT. The SidHistory field holds the SID that was added.
    • Event 5136: Logged when a directory object attribute is modified; the query filters it to the sIDHistory attribute. This event only exists if "Audit Directory Service Changes" is enabled and the objects carry a SACL, but it is the more important of the two signals: a tool that patches the DC and writes the attribute directly (Mimikatz sid::patch followed by sid::add) shows up here and not as 4765. The OperationType column distinguishes a value being added (%%14674) from one being deleted (%%14675); only the add should count, otherwise removing a stale SID during cleanup alerts as well.
  3. Sensitive SIDs: The high-value SIDs are the well-known RIDs 500 (built-in Administrator), 512 (Domain Admins), 518 (Schema Admins) and 519 (Enterprise Admins), plus BUILTIN\Administrators (S-1-5-32-544). The match should be on the RID at the end of the SID, not a loose substring: "512" can also occur as a sub-authority inside a domain identifier, which would produce a false Critical.

  4. Severity Levels:

    • Critical: A sensitive SID was injected.
    • High: Any other SID was injected. The query does not check whether the SID belongs to another domain; outside a planned migration, any sIDHistory write deserves review regardless of which SID it carries.
  5. Frequency: The query runs every 15 minutes and looks back over the previous 15 minutes. Because ingestion into SecurityEvent can lag, a look-back slightly longer than the run interval avoids gaps at the cost of an occasional duplicate alert.

  6. Output: The results include the time of the event, severity, a short reason string, the actor and target accounts, the injected SID, the signal that fired and the domain controller that logged it. Results are sorted with Critical first, then newest first.

Overall, this query helps identify attackers gaining or retaining elevated privileges by manipulating SID History. True positives are rare in practice: outside an ADMT-style migration window, a sIDHistory write is almost always attacker activity, so tune by excluding the migration service account and its change window rather than by loosening the rule.
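As an added, stand-alone check of the rule's decision logic (this is not part of the original query or the author's work), the following Python re-implements the two signals over constructed sample events using the SecurityEvent column names the query relies on. It assumes one flat dict per event; the domain identifiers, account names and hostnames are fabricated. It makes two points concrete: the sensitive-SID test is anchored to the RID at the end of the SID rather than a substring, and a 5136 with OperationType %%14675 (value deleted) is skipped as cleanup.

```python
import re

# RIDs the rule treats as sensitive, matched as the FINAL sub-authority of a
# domain SID. A substring test on "-512" would also hit a domain identifier
# that happens to contain 512 (see the second sample event below).
SENSITIVE_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    518: "Schema Admins",
    519: "Enterprise Admins",
}
BUILTIN_ADMINS_SID = "S-1-5-32-544"

# Domain SID shape: S-1-5-21-<three sub-authorities>-<RID>
DOMAIN_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$", re.IGNORECASE)

# OperationType values carried by Event 5136
VALUE_ADDED = "%%14674"
VALUE_DELETED = "%%14675"


def is_sensitive_sid(sid: str) -> bool:
    """True if the SID is BUILTIN\\Administrators or a domain SID with a sensitive RID."""
    sid = sid.strip()
    if sid.upper() == BUILTIN_ADMINS_SID:
        return True
    m = DOMAIN_SID_RE.match(sid)
    return bool(m) and int(m.group(1)) in SENSITIVE_RIDS


def split_sids(value):
    """SidHistory / AttributeValue normally hold one SID; tolerate a delimited list."""
    return [s for s in re.split(r"[;,\s]+", value or "") if s]


def evaluate(event: dict):
    """Apply the rule to one event dict; return a finding or None if out of scope."""
    if event["EventID"] == 4765:
        source = "Event4765_SIDHistoryAdded"
        target = f'{event["TargetDomainName"]}\\{event["TargetUserName"]}'
        sids = split_sids(event.get("SidHistory"))
    elif event["EventID"] == 5136:
        if event.get("AttributeLDAPDisplayName", "").lower() != "sidhistory":
            return None
        if event.get("OperationType") != VALUE_ADDED:
            return None  # value removed: cleanup, not injection
        source = "Event5136_sIDHistory_Write"
        target = event["ObjectDN"]
        sids = split_sids(event.get("AttributeValue"))
    else:
        return None
    sensitive = [s for s in sids if is_sensitive_sid(s)]
    return {
        "TimeGenerated": event["TimeGenerated"],
        "Severity": "Critical" if sensitive else "High",
        "ActorAccount": f'{event["SubjectDomainName"]}\\{event["SubjectUserName"]}',
        "TargetAccount": target,
        "InjectedSIDs": sids,
        "HasSensitiveSID": bool(sensitive),
        "Source": source,
        "Computer": event["Computer"],
    }


def run(events):
    """Evaluate all events; Critical first, then newest first (two stable sorts)."""
    findings = [f for f in map(evaluate, events) if f]
    findings.sort(key=lambda f: f["TimeGenerated"], reverse=True)
    findings.sort(key=lambda f: f["Severity"] != "Critical")
    return findings


# Constructed sample events (fabricated domain identifiers, not real telemetry).
SAMPLE_EVENTS = [
    {   # Domain Admins SID added via 4765 -> Critical
        "TimeGenerated": "2026-03-24T10:00:00Z", "EventID": 4765, "Computer": "DC01",
        "SubjectDomainName": "CORP", "SubjectUserName": "svc_migrate",
        "TargetDomainName": "CORP", "TargetUserName": "jdoe",
        "SidHistory": "S-1-5-21-1004336348-1177238915-682003330-512",
    },
    {   # Ordinary user SID whose domain identifier contains 512 -> High, not Critical
        "TimeGenerated": "2026-03-24T10:05:00Z", "EventID": 5136, "Computer": "DC02",
        "SubjectDomainName": "CORP", "SubjectUserName": "admin.ops",
        "ObjectDN": "CN=jsmith,OU=Users,DC=corp,DC=local",
        "AttributeLDAPDisplayName": "sIDHistory", "OperationType": VALUE_ADDED,
        "AttributeValue": "S-1-5-21-512-1234567-7654321-1105",
    },
    {   # Enterprise Admins SID being REMOVED -> cleanup, no finding
        "TimeGenerated": "2026-03-24T10:07:00Z", "EventID": 5136, "Computer": "DC02",
        "SubjectDomainName": "CORP", "SubjectUserName": "admin.ops",
        "ObjectDN": "CN=jsmith,OU=Users,DC=corp,DC=local",
        "AttributeLDAPDisplayName": "sIDHistory", "OperationType": VALUE_DELETED,
        "AttributeValue": "S-1-5-21-1004336348-1177238915-682003330-519",
    },
    {   # 5136 on a different attribute -> out of scope
        "TimeGenerated": "2026-03-24T10:08:00Z", "EventID": 5136, "Computer": "DC01",
        "SubjectDomainName": "CORP", "SubjectUserName": "admin.ops",
        "ObjectDN": "CN=jsmith,OU=Users,DC=corp,DC=local",
        "AttributeLDAPDisplayName": "description", "OperationType": VALUE_ADDED,
        "AttributeValue": "helpdesk",
    },
]

if __name__ == "__main__":
    for f in run(SAMPLE_EVENTS):
        print(f["Severity"], f["Source"], f["TargetAccount"], f["InjectedSIDs"])
```

Running it yields two findings: the 4765 with the RID-512 SID as Critical and the 5136 whose domain identifier merely contains 512 as High; the deletion and the unrelated attribute write produce nothing. The same four cases, pasted into a `datatable` in Log Analytics, are a useful regression set for the KQL rule itself.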

Details

David Alonso

Released: March 24, 2026

Tables

SecurityEvent

Keywords

SecurityEvent

Operators

let, dynamic, ago, has_any, strcat, project, union, extend, case, iff, order by, where, =~, ==, >
