Semperis DSP Well-known privileged SIDs in sIDHistory



This indicator looks for security principals whose sIDHistory attribute contains the SIDs of accounts from built-in privileged groups. Such principals inherit the same privileges as those privileged accounts, but in a way that is not obvious to monitor (for example, through group membership).

Attribute            Value
Type                 Analytic Rule
Solution             Semperis Directory Services Protector
ID                   ddd75d93-5b8b-4349-babe-c4e15343c5a3
Severity             Medium
Status               Available
Kind                 Scheduled
Tactics              PrivilegeEscalation, DefenseEvasion
Techniques           T1134
Required Connectors  SemperisDSP
Source               View on GitHub

Tables Used

This content item queries data from the following tables:

Table          Selection Criteria             Transformations  Ingestion API  Lake-Only
SecurityEvent  EventID in "9208,9211,9212"    ?
