Addition of SID History to Active Directory Object
An attacker can use the SID history attribute to gain additional privileges.
Sigma rule

```yaml
title: Addition of SID History to Active Directory Object
id: 2632954e-db1c-49cb-9936-67d1ef1d17d2
status: stable
description: An attacker can use the SID history attribute to gain additional privileges.
references:
    - https://adsecurity.org/?p=1772
author: Thomas Patzke, @atc_project (improvements)
date: 2017-02-19
tags:
    - attack.defense-evasion
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1134.005
logsource:
    product: windows
    service: security
detection:
    selection1:
        EventID:
            - 4765
            - 4766
    selection2:
        EventID: 4738
    selection3:
        SidHistory:
            - '-'
            - '%%1793'
    filter_null:
        SidHistory:
    condition: selection1 or (selection2 and not selection3 and not filter_null)
falsepositives:
    - Migration of an account into a new domain
level: medium
```
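The condition reads: alert on every 4765 (SID History added to an account) or 4766 (attempt to add SID History failed), and on a 4738 (user account changed) only when its SidHistory field carries an actual value rather than the '-' / '%%1793' placeholders Windows writes for an unchanged or not-set attribute, or no value at all. The following Python is an added illustration of that logic run over constructed Security events, not code from the rule page or the Sigma project; the `Key=Value` line format, the field names beyond those in the rule, and all sample values are assumptions made for the example.

```python
"""Added example: evaluate this Sigma rule's condition over constructed
Windows Security events (not the rule's or the Sigma project's code).

  selection1  : EventID in (4765, 4766)
  selection2  : EventID == 4738
  selection3  : SidHistory in ('-', '%%1793')
  filter_null : SidHistory is null / absent
  condition   : selection1 or (selection2 and not selection3 and not filter_null)
"""
from typing import Any, Dict, List

# Placeholder strings a 4738 event carries when SidHistory was not changed/not set.
SID_HISTORY_PLACEHOLDERS = {"-", "%%1793"}


def parse_line(line: str) -> Dict[str, Any]:
    """Parse a constructed 'Key=Value Key=Value' rendering of one Security event.
    Fields the event does not carry are simply absent (null for the rule)."""
    event: Dict[str, Any] = {}
    for token in line.split():
        key, _, value = token.partition("=")
        event[key] = int(value) if key == "EventID" else value
    return event


def matches_rule(event: Dict[str, Any]) -> bool:
    """Return True when the event satisfies the rule's condition."""
    event_id = event.get("EventID")
    if event_id in (4765, 4766):          # selection1: SID History add / failed add
        return True
    if event_id != 4738:                  # selection2 must hold for the other branch
        return False
    sid_history = event.get("SidHistory")
    if sid_history is None:               # filter_null: attribute absent
        return False
    if sid_history in SID_HISTORY_PLACEHOLDERS:  # selection3: unchanged / not set
        return False
    return True                           # 4738 with a real SID in SidHistory


def find_alerts(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Filter a batch of events down to those the rule would alert on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample lines (made-up account names and SIDs, not real telemetry).
SAMPLE_LOG_LINES = [
    "EventID=4738 TargetUserName=jdoe SidHistory=-",
    "EventID=4738 TargetUserName=svc_backup SidHistory=%%1793",
    "EventID=4738 TargetUserName=jdoe SidHistory=S-1-5-21-1111111111-2222222222-3333333333-512",
    "EventID=4765 TargetUserName=jdoe",
    "EventID=4766 TargetUserName=jdoe",
    "EventID=4738 TargetUserName=jdoe",          # SidHistory absent -> filter_null
    "EventID=4720 TargetUserName=newuser",       # account creation, not in scope
]
SAMPLE_EVENTS = [parse_line(line) for line in SAMPLE_LOG_LINES]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

Of the seven constructed events only three fire: the 4738 whose SidHistory holds a real SID, and the two 4765/4766 events. Placeholder and absent values are excluded so that routine account edits do not trigger the rule; a genuine alert should then be checked against the one false positive the rule names, a planned migration of the account into a new domain.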
Related rules
- APT27 - Emissary Panda Activity
- AWS IAM S3Browser LoginProfile Creation
- AWS IAM S3Browser Templated S3 Bucket Policy Creation
- AWS IAM S3Browser User or AccessKey Creation
- AWS Key Pair Import Activity