Analytics Alerts
Browse the Cortex analytics alert reference.
1 alert match the current filters. tactic: TA0005 ✕ technique: T1134 ✕
Show ATT&CK heatmapUser added SID History to an account Informational Identity Analytics 1 variation
A user added SID history to an account. This may be indicative of a user's migration between domains or a SID injection attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Privilege Escalation (TA0004) Defense Evasion (TA0005)ATT&CK techniques: Access Token Manipulation: SID-History Injection (T1134.005)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Adversaries may use SID history to escalate privileges and bypass access controls.Investigative actions: Verify if migration between domains was involved. Search for suspicious actions by the user, such as forged Kerberos tickets.Variations
Suspicious SID History Addition
Medium overridden
A user added SID history to an account. The account was not migrated between domains, which may indicate a SID injection attack. overridden