
Description

This detection identifies when the SID of a privileged user is added to the SID History (sIDHistory) attribute of another user or computer account, as recorded in Event IDs 4738 and 4742. Because a SID in that attribute grants the holder the access of the original principal, the search is useful for tracking SID History abuse across multiple domains. This detection leverages the Asset and Identities framework to decide which SIDs count as privileged. See the implementation section for further details on configuration.

  • Type: TTP
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

  • Last Updated: 2023-11-07
  • Author: Dean Luxton
  • ID: 6b521149-b91c-43aa-ba97-c2cac59ec830

Annotations

ATT&CK

ID          Technique                    Tactic
T1134.005   SID-History Injection        Defense Evasion, Privilege Escalation
T1134       Access Token Manipulation    Defense Evasion, Privilege Escalation
Kill Chain Phase
  • Exploitation
NIST
  • DE.CM
CIS20
  • CIS 10
CVE
`wineventlog_security` (EventCode=4742 OR EventCode=4738) NOT SidHistory IN ("%%1793", -) 
| rex field=SidHistory "(^%{|^)(?P<SidHistory>.*?)(}$|$)" 
| eval category="privileged" 
| lookup identity_lookup_expanded category, identity as SidHistory OUTPUT identity_tag as match 
| where isnotnull(match) 
| rename TargetSid as userSid 
| table _time action status host user userSid SidHistory Logon_ID src_user 
| `windows_ad_privileged_account_sid_history_addition_filter`

Macros

The SPL above uses the following macros:

  • wineventlog_security
  • windows_ad_privileged_account_sid_history_addition_filter

:information_source: windows_ad_privileged_account_sid_history_addition_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

  • _time
  • EventCode
  • SidHistory
  • TargetSid
  • TargetDomainName
  • user
  • src_user
  • Logon_ID

How To Implement

Ensure that the identity field of your Asset and Identities lookup contains, for every privileged account, both the objectSid (S-1-5-21-...) and the down-level logon name DOMAIN\sAMAccountName, and that those identities carry the category "privileged". The search joins identity_lookup_expanded on whatever value appears in the SidHistory field, so a principal listed under only one of the two forms will not be matched. Ensure you are ingesting Event IDs 4742 (A computer account was changed) and 4738 (A user account was changed). Two advanced audit policy subcategories under Account Management, Audit User Account Management and Audit Computer Account Management, must have Success auditing enabled to generate these events. Events in which the attribute was not changed carry "-" (or its resource-string form %%1793) in the SidHistory field and are excluded by the search.
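The following Python script is an added example and is not part of the Splunk Security Content project. It replays the logic of the SPL above (the NOT IN exclusion, the rex, the lookup on the privileged identities described in How To Implement, the isnotnull check and the TargetSid rename) over constructed 4738/4742 records, so the behaviour can be checked offline before the audit policy and lookup are in place. Field names follow the Required fields list; the SIDs, account names, host name, Logon_ID and identity tags are invented.

```python
"""Offline replica of the detection's SPL pipeline over constructed events.
Added example, not Splunk Security Content code."""
import re

# Stand-in for the rows of identity_lookup_expanded that carry
# category="privileged". As the How To Implement section requires, every
# privileged principal is listed both by objectSid and by DOMAIN\sAMAccountName,
# because the lookup is joined on whatever value the SidHistory field holds.
# All SIDs, account names and tags below are constructed.
PRIVILEGED_IDENTITIES = {
    "S-1-5-21-1111111111-2222222222-3333333333-500": "domain_admin",
    "CORP\\Administrator": "domain_admin",
    "S-1-5-21-1111111111-2222222222-3333333333-1105": "tier0_ops",
    "CORP\\svc_backup": "tier0_ops",
}

# Same pattern as the SPL rex (braces escaped here; PCRE treats the bare ones
# literally): strip the %{ ... } wrapper Windows puts around the SID.
SID_HISTORY_RE = re.compile(r"(^%\{|^)(?P<SidHistory>.*?)(\}$|$)")

# The two values the NOT IN clause excludes: "-" and its resource-string form
# %%1793 both mean the attribute was not changed by this event.
UNCHANGED = {"%%1793", "-"}

PRIV_SID = "S-1-5-21-1111111111-2222222222-3333333333-500"      # constructed
TARGET_SID = "S-1-5-21-4444444444-5555555555-6666666666-1601"   # constructed


def event(code, sid_history, src_user, time, target_sid=TARGET_SID, user="jdoe"):
    """Build a constructed record in the wineventlog_security field layout."""
    return {"_time": time, "EventCode": code, "SidHistory": sid_history,
            "TargetSid": target_sid, "user": user, "src_user": src_user,
            "Logon_ID": "0x1A2B3C", "host": "DC01"}


SAMPLE_EVENTS = [
    # routine change, attribute untouched: dropped by NOT SidHistory IN (...)
    event("4738", "-", "helpdesk01", "2023-11-07T09:00:00Z"),
    # same, with the placeholder string instead of "-"
    event("4738", "%%1793", "helpdesk01", "2023-11-07T09:01:00Z"),
    # privileged SID injected into a standard user: the one true positive
    event("4738", "%{" + PRIV_SID + "}", "attacker", "2023-11-07T09:02:00Z"),
    # non-privileged SID added to a computer account: no lookup match
    event("4742", "%{S-1-5-21-1111111111-2222222222-3333333333-1200}",
          "migration_svc", "2023-11-07T09:03:00Z", user="WS01$"),
    # privileged SID, but an event code the search does not select
    event("4720", "%{" + PRIV_SID + "}", "attacker", "2023-11-07T09:04:00Z"),
]


def normalise_sid_history(raw):
    """Apply the rex: return the bare SID or DOMAIN\\name without the %{ } wrapper."""
    return SID_HISTORY_RE.match(raw).group("SidHistory")


def detect(events, identities=PRIVILEGED_IDENTITIES):
    """Return one row per event that the SPL would hand to the table command."""
    alerts = []
    for ev in events:
        if ev.get("EventCode") not in ("4738", "4742"):
            continue
        raw = ev.get("SidHistory", "-")
        if raw in UNCHANGED:
            continue
        sid_history = normalise_sid_history(raw)
        match = identities.get(sid_history)   # lookup ... OUTPUT identity_tag as match
        if match is None:                     # where isnotnull(match)
            continue
        alerts.append({"_time": ev["_time"], "host": ev["host"], "user": ev["user"],
                       "userSid": ev["TargetSid"],  # rename TargetSid as userSid
                       "SidHistory": sid_history, "Logon_ID": ev["Logon_ID"],
                       "src_user": ev["src_user"], "match": match})
    return alerts


def risk_message(alert):
    """Render the RBA message with the $userSid$ and $src_user$ tokens filled in."""
    return ("A Privileged User Account SID History Attribute was added to "
            f"{alert['userSid']} by {alert['src_user']}")


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(risk_message(alert))
```

Running the script against the constructed events produces a single row, for the 4738 record in which the privileged SID was written into the standard user's attribute; the two unchanged records, the non-privileged SID and the 4720 record are dropped at the same stages where the SPL would drop them. Because the identity map is keyed on both the SID and the DOMAIN\sAMAccountName form, a SidHistory value rendered as a down-level name would match as well.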

Known False Positives

Legitimate domain migrations of privileged accounts, which populate the sIDHistory attribute by design. Expected migration activity should be excluded through the filter macro rather than by editing the SPL.

Associated Analytic Story

RBA

Risk Score   Impact   Confidence   Message
90.0         100      90           A Privileged User Account SID History Attribute was added to $userSid$ by $src_user$

:information_source: The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

Version: 2