Windows AD Cross Domain SID History Addition

Status: production
Severity: medium
Author: Dean Luxton
Source: github.com/splunk/security_content

The following analytic detects changes to the sIDHistory attribute of user or computer objects across different domains. It leverages Windows Security Event Codes 4738 and 4742 to identify when the sIDHistory attribute is modified. This activity is significant because the sIDHistory attribute allows users to inherit permissions from other AD accounts, which can be exploited by adversaries for inter-domain privilege escalation and persistence. If confirmed malicious, this could enable attackers to gain unauthorized access to resources, maintain persistence, and escalate privileges across domain boundaries.

MITRE ATT&CK coverage

Tactic	Techniques
Privilege Escalation	`T1134.005` Access Token Manipulation: SID-History Injection
Stealth	`T1134.005` Access Token Manipulation: SID-History Injection

Event coverage

Provider	Event	Title
Security-Auditing	Event ID 4738	A user account was changed.
Security-Auditing	Event ID 4742	A computer account was changed.

Rule body splunk

name: Windows AD Cross Domain SID History Addition
id: 41bbb371-28ba-439c-bb5c-d9930c28365d
version: 12
creation_date: '2022-09-08'
modification_date: '2026-05-13'
author: Dean Luxton
status: production
type: TTP
description: The following analytic detects changes to the sIDHistory attribute of user or computer objects across different domains. It leverages Windows Security Event Codes 4738 and 4742 to identify when the sIDHistory attribute is modified. This activity is significant because the sIDHistory attribute allows users to inherit permissions from other AD accounts, which can be exploited by adversaries for inter-domain privilege escalation and persistence. If confirmed malicious, this could enable attackers to gain unauthorized access to resources, maintain persistence, and escalate privileges across domain boundaries.
data_source:
    - Windows Event Log Security 4742
    - Windows Event Log Security 4738
search: '`wineventlog_security` (EventCode=4742 OR EventCode=4738) NOT SidHistory IN ("%%1793", -) | rex field=SidHistory "(^%{|^)(?P<SidHistoryMatch>.*)(\-|\\\)" | rex field=TargetSid "^(?P<TargetSidmatch>.*)(\-|\\\)" | where SidHistoryMatch!=TargetSidmatch AND SidHistoryMatch!=TargetDomainName | rename TargetSid as userSid | table _time action status host user userSid SidHistory Logon_ID src_user dest | `windows_ad_cross_domain_sid_history_addition_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting eventcodes `4738` and `4742`. The Advanced Security Audit policy settings `Audit User Account Management` and  `Audit Computer Account Management` within `Account Management` all need to be enabled.
known_false_positives: Domain mergers and migrations may generate large volumes of false positives for this analytic.
references:
    - https://adsecurity.org/?p=1772
    - https://learn.microsoft.com/en-us/windows/win32/adschema/a-sidhistory?redirectedfrom=MSDN
    - https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-sid-history-attribute
drilldown_searches:
    - name: View the detection results for - "$src_user$" and "$user$"
      search: '%original_detection_search% | search  src_user = "$src_user$" user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$src_user$" and "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
finding:
    title: Active Directory SID History Attribute was added to $user$ by $src_user$
    entity:
        field: src_user
        type: user
        score: 50
intermediate_findings:
    entities:
        - field: user
          type: user
          score: 50
          message: Active Directory SID History Attribute was added to $user$ by $src_user$
analytic_story:
    - Compromised Windows Host
    - Sneaky Active Directory Persistence Tricks
asset_type: Endpoint
mitre_attack_id:
    - T1134.005
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1134.005/mimikatz/windows-security-xml.log
          source: XmlWinEventLog:Security
          sourcetype: XmlWinEventLog
      test_type: unit

Stages and Predicates

Stage 1: `search`

`wineventlog_security` (EventCode=4742 OR EventCode=4738) NOT SidHistory IN ("%%1793", -)

Stage 2: `rex`

| rex field=SidHistory "(^%{|^)(?P<SidHistoryMatch>.*)(\-|\\\)"

Stage 3: `rex`

| rex field=TargetSid "^(?P<TargetSidmatch>.*)(\-|\\\)"

Stage 4: `where`

| where SidHistoryMatch!=TargetSidmatch AND SidHistoryMatch!=TargetDomainName

Stage 5: `rename`

| rename TargetSid as userSid

Stage 6: `table`

| table _time action status host user userSid SidHistory Logon_ID src_user dest

Stage 7: `search`

| `windows_ad_cross_domain_sid_history_addition_filter`

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

Field	Kind	Excluded values
`SidHistory`	in	`"%%1793"`, `-`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`EventCode`	eq	`4738` corpus 6 (splunk 4, elastic 1, kusto 1) `4742` corpus 6 (splunk 6)

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Windows AD Cross Domain SID History Addition

MITRE ATT&CK coverage

Event coverage

Rule body splunk

Stages and Predicates

Stage 1: `search`

Stage 2: `rex`

Stage 3: `rex`

Stage 4: `where`

Stage 5: `rename`

Stage 6: `table`

Stage 7: `search`

Exclusions

Indicators

Keyboard shortcuts

Search operators

Windows AD Cross Domain SID History Addition

MITRE ATT&CK coverage

Event coverage

Rule body splunk

Stages and Predicates

Stage 1: search

Stage 2: rex

Stage 3: rex

Stage 4: where

Stage 5: rename

Stage 6: table

Stage 7: search

Exclusions

Indicators

Stage 1: `search`

Stage 2: `rex`

Stage 3: `rex`

Stage 4: `where`

Stage 5: `rename`

Stage 6: `table`

Stage 7: `search`