Windows Event ID 4765: SID History was added to an account
Windows Security Event ID 4765 records addition of SID History to an account, a rare operation with significant privilege implications.
- Applicable version
- Windows Server 2008 R2 and later; Windows 7 and later
- Last reviewed
- 2026-07-10
Trigger Scenarios
A domain controller logs the event when an SID is added to the sIDHistory attribute of an account, typically during approved domain migration.
Key Fields
Target Account
The account receiving SID History. Resolve its current domain role and group memberships.
SID History
The historical SID added to the account. A privileged SID can grant inherited access across resources.
Subject
The account performing the modification. This should normally be a controlled migration process.
Common False Positives
- Approved Active Directory migration projects legitimately add SID History.
- Test migrations can generate the event in lab or staging domains.
Related Events
MITRE ATT&CK Mapping
- T1098Account Manipulation
Detection Notes
T1098 SID-History Injection is indicated when SID History ends in -512 (Domain Admins) or -519 (Enterprise Admins). Those RID values grant inherited ACL access without current group membership; validate migration authorization and later 4624 access. Use window=60 minutes to correlate the SID History change with subsequent logons.
SecurityEvent
| where EventID == 4765
| project TimeGenerated, Computer, Account, TargetAccount, SidHistory
| order by TimeGenerated descindex=wineventlog EventCode=4765
| table _time, host, SubjectUserName, TargetUserName, SidHistorySubject: CORP\migration.service
Target Account: CORP\jsmith
SID History: S-1-5-21-REDACTED-512