SOC Event Lookup
Event ID 4765AccountMgmtP1

Windows Event ID 4765: SID History was added to an account

Windows Security Event ID 4765 records addition of SID History to an account, a rare operation with significant privilege implications.

Applicable version
Windows Server 2008 R2 and later; Windows 7 and later
Last reviewed
2026-07-10

Trigger Scenarios

A domain controller logs the event when an SID is added to the sIDHistory attribute of an account, typically during approved domain migration.

Key Fields

Target Account

The account receiving SID History. Resolve its current domain role and group memberships.

SID History

The historical SID added to the account. A privileged SID can grant inherited access across resources.

Subject

The account performing the modification. This should normally be a controlled migration process.

Common False Positives

  • Approved Active Directory migration projects legitimately add SID History.
  • Test migrations can generate the event in lab or staging domains.

Related Events

MITRE ATT&CK Mapping

  • T1098Account Manipulation

Detection Notes

T1098 SID-History Injection is indicated when SID History ends in -512 (Domain Admins) or -519 (Enterprise Admins). Those RID values grant inherited ACL access without current group membership; validate migration authorization and later 4624 access. Use window=60 minutes to correlate the SID History change with subsequent logons.

Microsoft Sentinel KQL
SecurityEvent
| where EventID == 4765
| project TimeGenerated, Computer, Account, TargetAccount, SidHistory
| order by TimeGenerated desc
Splunk SPL
index=wineventlog EventCode=4765
| table _time, host, SubjectUserName, TargetUserName, SidHistory
Sample Log
Subject: CORP\migration.service
Target Account: CORP\jsmith
SID History: S-1-5-21-REDACTED-512

Source