HUNTS- SID-History Injection (T1178)
Version 1.0
ATT&CK Technique: SID-History Injection (T1178)
What this playbook hunts for:
- Modification of a user’s SID history, which can enable an attacker in a Windows environment to escalate their privileges to arbitrary users or groups.
How the playbook works:
- Generates a SIEM query for Windows Event Code 4765 or 4766 logs, which indicate attempted or successful SID-history changes.
- Generates a SIEM query for Sysmon Event ID 1 logs containing command line arguments indicative of Mimikatz being used to add or change a user’s SID.
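The two hunt queries above, expressed as matchers run over constructed SIEM-style event records. This is an added example, not code from the playbook; the event field names, the hunt start time, the renamed-binary sample and the "sid::" command-line marker (Mimikatz's sid module syntax) are assumptions.

```python
from datetime import datetime

SID_HISTORY_EVENT_IDS = {4765, 4766}   # Security log: SID History add attempted / succeeded
MIMIKATZ_SID_MARKER = "sid::"           # assumed marker: Mimikatz "sid" module command syntax

# Constructed sample events, shaped like a SIEM's normalised JSON. Not real telemetry.
SAMPLE_EVENTS = [
    {"source": "Security", "event_id": 4766, "time": "2024-05-01T10:02:11Z", "host": "DC01",
     "subject_user": "CORP\\jdoe", "target_user": "CORP\\svc-backup"},
    {"source": "Sysmon", "event_id": 1, "time": "2024-05-01T10:01:58Z", "host": "WS07",
     "user": "CORP\\jdoe", "pid": 4312, "image": "C:\\Temp\\mk.exe",   # renamed binary
     "command_line": 'mk.exe "sid::add <args>" exit', "md5": "0123456789ABCDEF0123456789ABCDEF"},
    {"source": "Sysmon", "event_id": 1, "time": "2024-05-01T10:05:00Z", "host": "WS07",
     "user": "CORP\\admin", "pid": 4400, "image": "C:\\Windows\\System32\\whoami.exe",
     "command_line": "whoami /groups", "md5": "FEDCBA9876543210FEDCBA9876543210"},  # benign
    {"source": "Security", "event_id": 4766, "time": "2024-04-30T09:00:00Z", "host": "DC01",
     "subject_user": "CORP\\old", "target_user": "CORP\\x"},  # before hunt start, excluded
]

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def is_sid_history_event(ev):
    return ev.get("source") == "Security" and ev.get("event_id") in SID_HISTORY_EVENT_IDS

def is_mimikatz_sid_command(ev):
    # Match on the command line, not the image name, so a renamed binary is still caught.
    if ev.get("source") != "Sysmon" or ev.get("event_id") != 1:
        return False
    return MIMIKATZ_SID_MARKER in ev.get("command_line", "").lower()

def run_hunt(events, hunt_start):
    """Return the findings the playbook lists, for events at or after hunt_start."""
    start = _ts(hunt_start)
    findings = []
    for ev in events:
        if _ts(ev["time"]) < start:
            continue
        if is_sid_history_event(ev):
            findings.append({"type": "sid_history_change", "event_id": ev["event_id"],
                             "time": ev["time"], "host": ev["host"],
                             "source_account": ev["subject_user"], "target_account": ev["target_user"]})
        elif is_mimikatz_sid_command(ev):
            findings.append({"type": "mimikatz_sid_module", "time": ev["time"], "host": ev["host"],
                             "user": ev["user"], "pid": ev["pid"], "path": ev["image"],
                             "name": ev["image"].rsplit("\\", 1)[-1], "md5": ev["md5"]})
    return findings

if __name__ == "__main__":
    for finding in run_hunt(SAMPLE_EVENTS, "2024-05-01T00:00:00Z"):
        print(finding)
```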
What results are expected:
- Name, process ID, and path of the Mimikatz process
- Execution time
- MD5 hash of the executed process
- Hostname of the computer where Mimikatz was executed
- User account which launched Mimikatz
- Source and target accounts for the SID-history manipulation
Common follow-on actions:
- Quarantine host
- Enumerate Logged In Users
- Disable AD Accounts
What inputs are necessary:
- SIEM
- Logs: Sysmon Event ID 1: Process creation
- Logs: Windows Event Log IDs 4765 and 4766
- Hunt start time
What subroutine playbooks are needed:
- Create and Link Alerts from Hunt (Host-based)
- Create User from Alert (Host)
- Link Asset to Alert (POST-CREATE)
- Create Indicators from MITRE Alert (Process and Hash)
- Deduplicate Comments (Hunt)
What configurations are needed:
- Sysmon logging enabled, including Event ID 1 (process creation)
False Positive Potential: Low
- Windows Event Log IDs 4765 and 4766 rarely fire in most environments, and should be investigated and understood if they do.
- Detection of Mimikatz's command line arguments is fairly straightforward.
