
4675 SIDs were filtered

Logged when SIDs are filtered (excluded) on an Active Directory trust. It records the operation of the mechanism that prevents privileges from being carried across a trust illicitly.

Overview

The subcategory is Audit Logon. The event is generated when SID filtering takes effect on a specific AD trust (a relationship in which one domain or forest accepts authentication from another). SID filtering removes, from an access token presented across the trust, any SID that does not belong to the trusted domain, which blocks privilege escalation that abuses SID History.

How it is triggered

  • When a SID subject to filtering is excluded during authentication across a trust.
  • It occurs only in environments that have domain or forest trusts with SID filtering enabled.

Security review points

  • A record that SID filtering took effect can indicate that a SID which should not be carried across the trust (especially a privileged group's SID) was presented. It can be the trace of an attempted cross-trust privilege escalation abusing SID History.
  • Check which trust and which SID was excluded, and review whether the trust configuration (filtering enabled/disabled) is appropriate.

Notes for log review

  • The event is only meaningful in environments with trusts. Without domain or forest trusts it essentially does not appear.
  • A one-off occurrence is often configuration-induced. If occurrences concentrate on a specific trust or SID, investigate together with related logs, keeping the possibility of an attack in view.
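The two review rules above (a privileged group's SID being filtered, and filtering that concentrates on one trust or SID rather than a one-off) can be applied mechanically. The following is an added example, not code from the original page; the record field names (time, subject, trust, sid) and the sample records are constructed assumptions, since the page does not list the event's raw field names.

```python
# Added example (not from the original page): triage of constructed 4675-style
# records to separate a one-off, configuration-induced filtering event from a
# concentration on one trust or SID, or the filtering of a privileged SID.
from collections import Counter

# Relative identifiers (RIDs) of well-known privileged groups. A filtered SID
# ending in one of these deserves a closer look than an ordinary group SID.
PRIVILEGED_RIDS = {"512": "Domain Admins", "518": "Schema Admins",
                   "519": "Enterprise Admins", "544": "Administrators"}

# Constructed sample records (field names are assumptions, not the event's
# real field names); "trust" is the trusted domain the token came from.
SAMPLE_4675 = [
    {"time": "2024-05-01T08:01:00", "subject": "PARTNER\\alice",
     "trust": "partner.example", "sid": "S-1-5-21-111-222-333-1105"},
    {"time": "2024-05-01T09:15:00", "subject": "PARTNER\\bob",
     "trust": "partner.example", "sid": "S-1-5-21-999-888-777-512"},
    {"time": "2024-05-01T09:16:00", "subject": "PARTNER\\bob",
     "trust": "partner.example", "sid": "S-1-5-21-999-888-777-512"},
    {"time": "2024-05-01T09:17:00", "subject": "PARTNER\\bob",
     "trust": "partner.example", "sid": "S-1-5-21-999-888-777-512"},
    {"time": "2024-05-02T10:00:00", "subject": "VENDOR\\svc",
     "trust": "vendor.example", "sid": "S-1-5-21-444-555-666-1201"},
]


def privileged_rid(sid):
    """Return the well-known privileged group name for the SID's RID, else None."""
    return PRIVILEGED_RIDS.get(sid.rsplit("-", 1)[-1])


def triage_4675(events, repeat_threshold=3):
    """Group records by (trust, filtered SID) and give each group a verdict."""
    counts = Counter((e["trust"], e["sid"]) for e in events)
    findings = []
    for (trust, sid), n in sorted(counts.items()):
        group = privileged_rid(sid)
        reasons = []
        if n >= repeat_threshold:
            reasons.append("repeated filtering on one trust/SID")
        if group:
            reasons.append(f"privileged group SID filtered ({group})")
        verdict = ("investigate: " + "; ".join(reasons)) if reasons \
            else "likely configuration-induced one-off"
        findings.append({"trust": trust, "sid": sid, "count": n,
                         "privileged_group": group, "verdict": verdict})
    return findings
```

Feed it the records exported from the Security log of the trusting domain's domain controllers and adjust repeat_threshold to the trust's normal volume.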

Key fields

Field                       Meaning
Subject                     The related subject
Filtered SID information    The excluded SID

Glossary

  • SID History — an attribute that carries an old SID over during account migration. Abused, it can inject privileged SIDs across a trust, which is why SID filtering blocks it.
