Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

1 alert match the current filters. tactic: TA0005 ✕ technique: T1134 ✕

Show ATT&CK heatmap
  • User added SID History to an account Informational Identity Analytics 1 variation

    A user added SID history to an account. This may be indicative of a user's migration between domains or a SID injection attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Privilege Escalation (TA0004) Defense Evasion (TA0005)
    ATT&CK techniques: Access Token Manipulation: SID-History Injection (T1134.005)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Adversaries may use SID history to escalate privileges and bypass access controls.
    Investigative actions: Verify if migration between domains was involved. Search for suspicious actions by the user, such as forged Kerberos tickets.

    Variations

    Suspicious SID History Addition

    Medium overridden

    A user added SID history to an account. The account was not migrated between domains, which may indicate a SID injection attack. overridden