Skip to content

DET0136 Behavior-chain detection for T1134.005 Access Token Manipulation: SID-History Injection (Windows)

Item Value
ID DET0136
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1134.005 (SID-History Injection)

Analytics

Windows

AN0383

Detection of unauthorized modification of Active Directory SID-History attributes to escalate privileges. This chain involves: (1) privileged operations or API calls to DsAddSidHistory or related AD modification functions, (2) observed attribute changes in SID-History (Event ID 5136), (3) new logon sessions where the token includes unexpected or privileged SID-History values, and (4) follow-on resource access using elevated privileges derived from SID-History injection.

Log Sources
Data Component Name Channel
Active Directory Object Modification (DC0066) WinEventLog:Security EventCode=5136
User Account Metadata (DC0013) WinEventLog:Security EventCode=4720, 4738
OS API Execution (DC0021) etw:Microsoft-Windows-Directory-Services-SAM api_call: Calls to DsAddSidHistory or related RPC operations
Mutable Elements
Field Description
AllowedSIDHistoryChanges Approved migration windows or known SID-History population events.
TimeWindow Correlation window between attribute change and suspicious logon activity (default 15–30 minutes).
PrivilegedSIDList List of sensitive SIDs (e.g., Enterprise Admins, Domain Admins) that should never appear in SID-History.
UserContextFilter Exclude trusted migration service accounts or pre-approved administrative tasks.
AnomalousSIDCountThreshold Raise alerts when a token contains more than X SID-History entries (default X=2).