Detection of unauthorized modification of the Active Directory sIDHistory attribute to escalate privileges. The chain involves: (1) privileged operations or API calls to DsAddSidHistory or related AD modification functions; (2) observed changes to the sIDHistory attribute (Event ID 5136, Directory Service Object Modified, which is only generated when the "Audit Directory Service Changes" subcategory is enabled and a matching SACL is set on the object); (3) new logon sessions whose token carries unexpected or privileged SIDs in SID-History; and (4) follow-on resource access using elevated privileges derived from the injected SID-History values.
| Data Component | Name | Channel |
|---|---|---|
| Active Directory Object Modification (DC0066) | WinEventLog:Security | EventCode=5136 |
| User Account Metadata (DC0013) | WinEventLog:Security | EventCode=4720, 4738 |
| OS API Execution (DC0021) | etw:Microsoft-Windows-Directory-Services-SAM | api_call: Calls to DsAddSidHistory or related RPC operations |

| Field | Description |
|---|---|
| AllowedSIDHistoryChanges | Approved migration windows or known SID-History population events. |
| TimeWindow | Correlation window between attribute change and suspicious logon activity (default 15–30 minutes). |
| PrivilegedSIDList | List of sensitive SIDs (e.g., Enterprise Admins, Domain Admins) that should never appear in SID-History. |
| UserContextFilter | Exclude trusted migration service accounts or pre-approved administrative tasks. |
| AnomalousSIDCountThreshold | Raise alerts when a token contains more than X SID-History entries (default X=2). |
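The correlation described above, worked through as an added example that is not part of the original page or of any ATT&CK tooling. It takes normalized Security 5136 records and logon records (the SID-History entries on the logon are assumed to come from a token enrichment step, since 4624 alone does not list them), applies the tunables from the table, and emits an alert only when an unapproved sIDHistory addition is followed within TimeWindow by a logon for the same account whose token contains a SID from PrivilegedSIDList or more entries than AnomalousSIDCountThreshold. All SIDs, account names and timestamps are constructed sample data; `svc_admt` is a hypothetical migration service account.

```python
"""Added example: correlate sIDHistory modifications (5136) with follow-on logons."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Tunables from the table above; the concrete values are assumptions for this example.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"           # constructed domain SID
PRIVILEGED_SIDS = {                                             # PrivilegedSIDList
    f"{DOMAIN}-512": "Domain Admins",
    f"{DOMAIN}-519": "Enterprise Admins",
}
TIME_WINDOW = timedelta(minutes=30)                             # TimeWindow
ANOMALOUS_SID_COUNT_THRESHOLD = 2                               # AnomalousSIDCountThreshold
USER_CONTEXT_FILTER = {"svc_admt"}                              # hypothetical migration account
ALLOWED_SID_HISTORY_CHANGES = [                                 # approved migration window
    (datetime(2024, 5, 1, 1, 0), datetime(2024, 5, 1, 3, 0)),
]


@dataclass
class AdChange:
    """Normalized Security 5136 record."""
    time: datetime
    subject: str      # SubjectUserName: the account that performed the modification
    target: str       # sAMAccountName of the modified object (assumed parsed from ObjectDN)
    attribute: str    # AttributeLDAPDisplayName
    value: str        # AttributeValue
    operation: str    # "added" or "removed" (5136 OperationType %%14674 / %%14675)


@dataclass
class Logon:
    """Normalized logon with the SID-History entries present in the new token."""
    time: datetime
    user: str
    sid_history: list[str] = field(default_factory=list)


@dataclass
class Alert:
    user: str
    change_time: datetime
    logon_time: datetime
    reasons: list[str]


def in_allowed_window(t: datetime) -> bool:
    return any(start <= t <= end for start, end in ALLOWED_SID_HISTORY_CHANGES)


def suspicious_sid_history_changes(changes: list[AdChange]) -> list[AdChange]:
    """Step 2: keep sIDHistory value additions that are not approved or filtered."""
    kept = []
    for c in changes:
        if c.attribute.lower() != "sidhistory" or c.operation != "added":
            continue
        if c.subject in USER_CONTEXT_FILTER or in_allowed_window(c.time):
            continue
        kept.append(c)
    return kept


def token_findings(logon: Logon) -> list[str]:
    """Step 3: flag privileged SIDs or an anomalous number of SID-History entries."""
    reasons = [
        f"privileged SID {sid} ({PRIVILEGED_SIDS[sid]}) in SID-History"
        for sid in logon.sid_history if sid in PRIVILEGED_SIDS
    ]
    if len(logon.sid_history) > ANOMALOUS_SID_COUNT_THRESHOLD:
        reasons.append(f"{len(logon.sid_history)} SID-History entries exceed "
                       f"threshold {ANOMALOUS_SID_COUNT_THRESHOLD}")
    return reasons


def correlate(changes: list[AdChange], logons: list[Logon]) -> list[Alert]:
    """Join each unexpected change to logons of the same account inside TimeWindow."""
    alerts = []
    for c in suspicious_sid_history_changes(changes):
        for lg in logons:
            if lg.user.lower() != c.target.lower():
                continue
            if not (c.time <= lg.time <= c.time + TIME_WINDOW):
                continue
            reasons = token_findings(lg)
            if c.value in lg.sid_history:
                reasons.append(f"injected value {c.value} observed in token")
            if reasons:
                alerts.append(Alert(lg.user, c.time, lg.time, reasons))
    return alerts


# Constructed sample telemetry.
SAMPLE_CHANGES = [
    AdChange(datetime(2024, 5, 1, 1, 30), "svc_admt", "migrated.user", "sIDHistory",
             "S-1-5-21-4444-5555-6666-1001", "added"),                 # approved migration
    AdChange(datetime(2024, 5, 2, 10, 0), "jdoe", "lowpriv", "sIDHistory",
             f"{DOMAIN}-512", "added"),                                 # Domain Admins injected
    AdChange(datetime(2024, 5, 2, 10, 5), "jdoe", "lowpriv", "description",
             "helpdesk", "added"),                                      # unrelated attribute
]
SAMPLE_LOGONS = [
    Logon(datetime(2024, 5, 2, 10, 12), "lowpriv",
          [f"{DOMAIN}-512", f"{DOMAIN}-1105", f"{DOMAIN}-1106"]),      # inside window, 3 entries
    Logon(datetime(2024, 5, 2, 11, 0), "lowpriv", [f"{DOMAIN}-512"]),  # outside 30-minute window
    Logon(datetime(2024, 5, 2, 10, 20), "otheruser", [f"{DOMAIN}-1107"]),
]


def run_example() -> list[Alert]:
    return correlate(SAMPLE_CHANGES, SAMPLE_LOGONS)


if __name__ == "__main__":
    for a in run_example():
        print(a.user, a.change_time, a.logon_time, *a.reasons, sep=" | ")
```

Requiring the 5136 change before the logon is what keeps this from firing on legitimate inter-forest migrations that populate SID-History for many accounts; a rule that only looks at token contents would flag every migrated user at next logon.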