MITRE ATT&CK® Analytic

AN0383: Analytic 0383

Detection of unauthorized modification of Active Directory SID-History attributes to escalate privileges. This chain involves: (1) privileged operations or API calls to DsAddSidHistory or related AD modification functions, (2) observed attribute changes in SID-History (Event ID 5136), (3) new logon sessions where the token includes unexpected or privileged SID-History values, and (4) follow-on resource access using elevated privileges derived from SID-History injection.

Domain: Enterprise | Object: AN0383 (Analytic) | Object version: 1.0 | Modified:
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

AN0383 focuses on detecting unauthorized changes to Active Directory SID-History attributes, a Windows identity behavior that can let an account receive privileges through historical SIDs rather than through obvious group membership changes. For leaders, the value is not just spotting an AD attribute edit; it is validating whether the organization can prove when identity data was changed, whether a resulting logon token carried unexpected privilege, and whether elevated access was then used against resources.

Executive priority

Prioritize this as an identity control and incident-response readiness issue. If SID-History changes are not monitored and correlated with logon and resource-access activity, privilege escalation may be missed in environments that otherwise watch for group membership changes. Executives and risk owners should ask whether Active Directory change auditing, privileged operation review, and evidence retention are sufficient to support containment decisions, audit inquiries, and post-incident privilege reconstruction.

Technical view

For Windows Active Directory environments, validate the full detection chain described by MITRE: privileged operations or API calls associated with DsAddSidHistory or related AD modification functions; directory attribute changes to SID-History, especially Windows Event ID 5136; new logon sessions where the resulting token includes unexpected or privileged SID-History values; and follow-on resource access that appears to rely on elevated privileges derived from SID-History injection. Because no ATT&CK tactic or relationship context is supplied, teams should treat this analytic as identity telemetry correlation rather than a standalone alert.

Likely telemetry

  • Active Directory directory service change logs, in particular Event ID 5136 (a directory service object was modified) where AttributeLDAPDisplayName is sIDHistory; the event names the acting account (SubjectUserName), the modified object (ObjectDN), the value, and whether the value was added or deleted
  • Records of privileged AD operations or API activity involving DsAddSidHistory or related AD modification functions; on Windows domain controllers, account-management auditing also records Event ID 4765 (SID History was added to an account) and 4766 (an attempt to add SID History to an account failed), which capture the DsAddSidHistory path independently of directory service change auditing
  • Windows logon session evidence showing token contents or SIDs associated with the authenticated user
  • Resource access logs that show follow-on access using elevated privileges
  • Identity baselines for expected SID-History values and accounts where SID-History is legitimately present

Detection direction

  • Confirm that SID-History attribute changes are actually collected, retained, and searchable across all domain controllers. Event 5136 is only generated when the Audit Directory Service Changes subcategory is enabled and the audited objects carry a SACL entry for the write; without both, an sIDHistory edit leaves no 5136 record to correlate.
  • Correlate attribute modification events with the account performing the change, the target account, subsequent logons, token SID contents, and resource access.
  • Tune for unexpected or privileged SID-History values rather than treating every SID-History presence as malicious; legitimate migration history may create false positives.
  • Validate that monitoring does not stop at group membership changes, because this behavior may present as privilege through token SID content instead.
  • Review whether SOC playbooks can distinguish an authorized administrative or migration-related change from an unauthorized privilege escalation path.
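The correlation chain described in the detection direction above, as an added example that is not code from the Glexia page or the MITRE analytic. It filters 5136 events down to sIDHistory additions, marks values that resolve to built-in privileged groups, drops changes that match an approved-use record, and then links each remaining change to later logons of the target account whose token carries the injected SID. The 5136 field names and the OperationType resolution strings (%%14674 = Value Added, %%14675 = Value Deleted) follow the real event; the logon records (with the account already normalised to its DN by a SIEM), the approved-change list, the severity scheme, and every SID, account and timestamp are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Well-known privileged identifiers (facts, not assumptions): RIDs of Domain Admins,
# Schema Admins and Enterprise Admins, plus the BUILTIN\Administrators SID.
PRIVILEGED_DOMAIN_RIDS = {"512", "518", "519"}
PRIVILEGED_BUILTIN_SIDS = {"S-1-5-32-544"}

# Event 5136 OperationType resolution string for "Value Added" (%%14675 is "Value Deleted").
VALUE_ADDED = "%%14674"


def sid_is_privileged(sid: str) -> bool:
    """True if the SID maps to a built-in privileged group, whichever domain issued it."""
    if sid in PRIVILEGED_BUILTIN_SIDS:
        return True
    parts = sid.split("-")
    # Domain SIDs look like S-1-5-21-<sub>-<sub>-<sub>-<RID>; only the RID is compared.
    return (len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]
            and parts[-1] in PRIVILEGED_DOMAIN_RIDS)


@dataclass
class SidHistoryChange:
    time: datetime
    actor: str       # 5136 SubjectUserName: who performed the modification
    target_dn: str   # 5136 ObjectDN: account whose sIDHistory changed
    sid: str         # 5136 AttributeValue: the SID that was added
    privileged: bool
    approved: bool   # matches an approved-use record (migration etc.)


def extract_sidhistory_adds(events, approved_changes):
    """Keep only 5136 events that add a value to sIDHistory; other attributes and deletes are dropped."""
    changes = []
    for e in events:
        if (e.get("EventID") != 5136
                or e.get("AttributeLDAPDisplayName", "").lower() != "sidhistory"
                or e.get("OperationType") != VALUE_ADDED):
            continue
        sid = e["AttributeValue"]
        changes.append(SidHistoryChange(
            time=datetime.fromisoformat(e["TimeCreated"]),
            actor=e["SubjectUserName"], target_dn=e["ObjectDN"], sid=sid,
            privileged=sid_is_privileged(sid),
            approved=(e["ObjectDN"], sid) in approved_changes))
    return changes


def correlate(changes, logons):
    """For each unapproved change, find later logons of the target whose token carries the injected SID."""
    findings = []
    for c in changes:
        if c.approved:
            continue
        hits = [l for l in logons
                if l["AccountDN"] == c.target_dn
                and datetime.fromisoformat(l["TimeCreated"]) > c.time
                and c.sid in l["TokenSids"]]
        if c.privileged and hits:
            severity = "high"    # privileged SID injected and already present in a session token
        elif c.privileged or hits:
            severity = "medium"  # privileged but unused so far, or used but not a built-in admin SID
        else:
            severity = "low"     # unapproved change that still needs triage against baselines
        findings.append({"target": c.target_dn, "actor": c.actor, "sid": c.sid,
                         "severity": severity, "logons_with_injected_sid": len(hits)})
    return findings


def triage(events, logons, approved_changes):
    return correlate(extract_sidhistory_adds(events, approved_changes), logons)


# ---- Constructed sample data (assumptions, not real telemetry) ----
DA_SID = "S-1-5-21-1111111111-2222222222-3333333333-512"    # a Domain Admins SID
MIG_SID = "S-1-5-21-4444444444-5555555555-6666666666-1105"  # ordinary user SID from a migrated domain
SVC_DN = "CN=svc-backup,OU=Service,DC=corp,DC=example"
MIG_DN = "CN=mjones,OU=Users,DC=corp,DC=example"
TMP_DN = "CN=tmp-user,OU=Users,DC=corp,DC=example"

def _ev(t, actor, dn, attr, value):
    return {"EventID": 5136, "TimeCreated": t, "SubjectUserName": actor, "ObjectDN": dn,
            "AttributeLDAPDisplayName": attr, "AttributeValue": value, "OperationType": VALUE_ADDED}

SAMPLE_EVENTS = [
    _ev("2024-05-01T09:00:00+00:00", "migration-svc", MIG_DN, "sIDHistory", MIG_SID),  # approved migration
    _ev("2024-05-01T10:00:00+00:00", "jdoe", SVC_DN, "sIDHistory", DA_SID),            # unapproved, privileged
    _ev("2024-05-01T10:30:00+00:00", "jdoe", TMP_DN, "sIDHistory", MIG_SID),           # unapproved, never used
    _ev("2024-05-01T10:31:00+00:00", "jdoe", SVC_DN, "description", "backup svc"),     # other attribute: ignored
]
SAMPLE_LOGONS = [
    {"TimeCreated": "2024-05-01T09:50:00+00:00", "AccountDN": SVC_DN, "TokenSids": ["S-1-5-21-7777777777-8888888888-9999999999-1201"]},
    {"TimeCreated": "2024-05-01T10:05:00+00:00", "AccountDN": SVC_DN, "TokenSids": ["S-1-5-21-7777777777-8888888888-9999999999-1201", DA_SID]},
    {"TimeCreated": "2024-05-01T09:30:00+00:00", "AccountDN": MIG_DN, "TokenSids": [MIG_SID]},
]
APPROVED_CHANGES = {(MIG_DN, MIG_SID)}

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, SAMPLE_LOGONS, APPROVED_CHANGES):
        print(f)
```

Run stand-alone, the script reports the svc-backup change as high (a Domain Admins SID was added by jdoe and a later logon of that account already carried it) and the tmp-user change as low, while the approved migration change is suppressed. The approved-change set is what keeps legitimate migration history from paging the SOC; the time filter on logons is what ties a token's SID content to a specific modification rather than to history that predates it.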

Mitigation priorities

  • Restrict and review permissions capable of modifying sensitive Active Directory attributes, including SID-History.
  • Maintain approved-use records for legitimate SID-History changes so detections can be triaged against known administrative activity.
  • Ensure directory service change auditing and log retention support investigation of who changed the attribute, when, and what access followed.
  • Add incident-response procedures for validating token SIDs and resource access after suspicious SID-History changes.
  • Periodically review accounts with SID-History values, especially where those values map to privileged access.

Analyst notes and limits

The supplied object is a detection analytic for Windows and describes a correlation chain around SID-History modification, logon token contents, and follow-on access. No relationships, ATT&CK tactics, aliases, or explicit detection text beyond the description were supplied, so this take emphasizes validation of telemetry and process rather than mapping to a broader intrusion pattern.

This assessment is limited to the official STIX fields, external reference, and the provided description. It does not establish prevalence, adversary attribution, active exploitation, impact, or existing detection coverage in any environment. Local AD architecture, audit policy, log retention, and legitimate SID-History usage are required to determine practical risk and detection fidelity.

Official MITRE ATT&CK definition

Analytic 0383

Detection of unauthorized modification of Active Directory SID-History attributes to escalate privileges. This chain involves: (1) privileged operations or API calls to DsAddSidHistory or related AD modification functions, (2) observed attribute changes in SID-History (Event ID 5136), (3) new logon sessions where the token includes unexpected or privileged SID-History values, and (4) follow-on resource access using elevated privileges derived from SID-History injection.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: a3455d6dec20d538...
Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | a3455d6dec20…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack, AN0383 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.