{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/sidhistory/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["sidhistory","active-directory","privilege-escalation","persistence","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThe sIDHistory attribute in Active Directory is a legacy feature that allows users migrating between domains to retain access to resources in their old domain. Attackers can abuse this attribute to grant unauthorized access by injecting SIDs from highly privileged accounts into the sIDHistory of a compromised account. This injection allows the compromised account to inherit the permissions of the privileged account, effectively escalating privileges and potentially achieving domain dominance. This brief focuses on detecting modifications to the sIDHistory attribute within the same domain, which is often indicative of malicious activity, using Windows Security Event Codes 4738 and 4742. The activity allows for persistent access or privilege escalation within the domain, posing a severe security risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a user account or computer on the domain. This could be achieved through phishing, credential theft, or exploiting a vulnerability on a domain-joined machine.\u003c/li\u003e\n\u003cli\u003eThe attacker elevates their privileges on the compromised machine, often using local privilege escalation techniques like exploiting misconfigured services or vulnerable drivers.\u003c/li\u003e\n\u003cli\u003eThe attacker uses tools like Mimikatz to obtain credentials for a domain account with sufficient privileges to modify Active Directory attributes.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the sIDHistory attribute of a target account within the same domain, injecting the SID of a highly privileged account (e.g., Domain Admins). This is done using command-line tools or PowerShell scripts that interact with the Active Directory API.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the domain with the target account. The Kerberos ticket generated for the target account now includes the injected SID in its authorization data.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses resources or performs actions that require the privileges associated with the injected SID. Because the Kerberos ticket contains the SID of the privileged account, the attacker is granted access.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access by ensuring the injected SID remains in the sIDHistory attribute, even after the initial compromise is remediated.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to escalate privileges, gain unauthorized access to sensitive resources, and establish persistent access within the Active Directory domain. This can lead to data breaches, service disruptions, and complete compromise of the domain infrastructure. The scope of impact is potentially domain-wide, affecting all resources and users managed by the compromised Active Directory.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and monitor Windows Security Event Logs for Event Codes 4738 and 4742 to detect modifications to the sIDHistory attribute as described in the overview.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect AD sIDHistory Attribute Modification - Same Domain\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eReview and restrict the accounts that have permissions to modify the sIDHistory attribute in Active Directory.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected sIDHistory modifications within the same domain to determine if they are legitimate or malicious. Use the \u003ccode\u003eWindows AD Same Domain SID History Addition\u003c/code\u003e search to investigate potential malicious activity.\u003c/li\u003e\n\u003cli\u003eRegularly audit Active Directory for unauthorized changes to user and computer accounts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-28T17:59:56Z","date_published":"2026-05-28T17:59:56Z","id":"https://feed.craftedsignal.io/briefs/2026-05-windows-ad-sid-history-addition/","summary":"This analytic detects changes to the sIDHistory attribute of user or computer objects within the same domain using Windows Security Event Codes 4738 and 4742, which can be abused by adversaries to gain unauthorized access, maintain persistence, or escalate privileges by inheriting permissions from another account.","title":"Windows AD sIDHistory Attribute Modification Detection","url":"https://feed.craftedsignal.io/briefs/2026-05-windows-ad-sid-history-addition/"}],"language":"en","title":"CraftedSignal Threat Feed — Sidhistory","version":"https://jsonfeed.org/version/1.1"}