4765 SID History was added to an account
Logged when a SID is added to an account’s SID History. SID History is a legitimate migration feature, but when abused it can quietly confer privileged SIDs, so attackers use it for privilege escalation and persistence.
Overview
This event falls under the Audit User Account Management subcategory. It is generated when a SID is added to an account’s sIDHistory attribute. Its intended purpose is to carry an account’s SID from the old domain through a domain migration so that existing resource access is preserved.
How it is triggered
- Legitimate SID History assignment by a domain migration tool (such as ADMT).
- A technique where an attacker uses mimikatz or a similar tool to inject a privileged group’s SID (such as Domain Admins) into a target account’s sIDHistory.
Security review points
- SID History injection is a powerful persistence and privilege escalation technique. Planting the Domain Admins SID into an ordinary user’s sIDHistory grants admin rights without directly changing group membership (so no 4732 or similar group-change event is produced). Because it is hard to detect, treat any occurrence of 4765 itself as significant.
- Strongly suspect abuse if 4765 appears with no domain-migration plan in progress, or if the added SID belongs to a privileged group.
Notes for log review
- In normal operation this event is very rare. Investigate any 4765 that has no legitimate context (such as an active migration project) at high priority.
- Check what the added SID refers to (in particular, whether it is a privileged group). Review it together with its failure counterpart, 4766.
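As an added illustration (not part of the original page), the following Python triages 4765/4766 records along the lines described above: it classifies the added SID against the documented privileged RIDs and BUILTIN SIDs, treats a privileged SID as critical regardless of who performed the operation, and down-ranks only ordinary-SID events performed by an allow-listed migration account. The record keys (EventID, TargetAccount, AddedSid, Subject) are assumed names mapped from the Key fields table, not the raw Windows event schema, and the sample records and domain SIDs are constructed.

```python
import re

# Well-known privileged RIDs (domain-relative) and well-known BUILTIN SIDs.
# These are documented Windows constants, not values taken from the page.
PRIVILEGED_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
    520: "Group Policy Creator Owners",
}
PRIVILEGED_BUILTIN_SIDS = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-548": "BUILTIN\\Account Operators",
    "S-1-5-32-549": "BUILTIN\\Server Operators",
}

# Domain SID shape: S-1-5-21-<three sub-authorities>-<RID>
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def classify_sid(sid):
    """Return (is_privileged, label) for a SID that was added to sIDHistory."""
    if sid in PRIVILEGED_BUILTIN_SIDS:
        return True, PRIVILEGED_BUILTIN_SIDS[sid]
    m = DOMAIN_SID_RE.match(sid)
    if m:
        rid = int(m.group(1))
        if rid in PRIVILEGED_RIDS:
            return True, PRIVILEGED_RIDS[rid]
        if rid < 1000:
            # Any other well-known RID deserves a look, even if not listed above.
            return True, f"well-known RID {rid}"
    return False, "ordinary SID"


def triage_sid_history_events(events, migration_subjects=frozenset()):
    """Rank 4765/4766 records; migration_subjects are accounts approved to run ADMT-style migrations."""
    findings = []
    for ev in events:
        if ev["EventID"] not in (4765, 4766):
            continue  # not a SID History event
        privileged, label = classify_sid(ev["AddedSid"])
        if privileged:
            severity = "critical"      # privileged SID inherited (or attempted, for 4766)
        elif ev["Subject"] in migration_subjects:
            severity = "low"           # ordinary SID, performed by an approved migration account
        else:
            severity = "high"          # 4765 with no migration context is always worth a look
        findings.append({
            "event_id": ev["EventID"],
            "outcome": "failed" if ev["EventID"] == 4766 else "succeeded",
            "target": ev["TargetAccount"],
            "added_sid": ev["AddedSid"],
            "sid_label": label,
            "subject": ev["Subject"],
            "severity": severity,
        })
    # Most urgent first (sort is stable, so original order is kept within a tier)
    order = {"critical": 0, "high": 1, "low": 2}
    findings.sort(key=lambda f: order[f["severity"]])
    return findings


# Constructed sample records (not real log data); the domain SIDs are fabricated.
SAMPLE_EVENTS = [
    {"EventID": 4765, "TargetAccount": "CORP\\svc-backup",
     "AddedSid": "S-1-5-21-1111111111-2222222222-3333333333-512", "Subject": "CORP\\jdoe"},
    {"EventID": 4765, "TargetAccount": "CORP\\migrated.user",
     "AddedSid": "S-1-5-21-4444444444-5555555555-6666666666-1105", "Subject": "CORP\\admt-svc"},
    {"EventID": 4766, "TargetAccount": "CORP\\helpdesk1",
     "AddedSid": "S-1-5-32-544", "Subject": "CORP\\helpdesk1"},
    {"EventID": 4765, "TargetAccount": "CORP\\contractor7",
     "AddedSid": "S-1-5-21-4444444444-5555555555-6666666666-1200", "Subject": "CORP\\contractor7"},
    {"EventID": 4720, "TargetAccount": "CORP\\newuser",
     "AddedSid": "", "Subject": "CORP\\hr-admin"},
]
APPROVED_MIGRATION_SUBJECTS = frozenset({"CORP\\admt-svc"})


def run_demo():
    findings = triage_sid_history_events(SAMPLE_EVENTS, APPROVED_MIGRATION_SUBJECTS)
    for f in findings:
        print(f"[{f['severity'].upper():8}] {f['event_id']} {f['outcome']:9} "
              f"{f['target']} <- {f['added_sid']} ({f['sid_label']}) by {f['subject']}")
    return findings


if __name__ == "__main__":
    run_demo()
```

The allow-list only lowers the severity of ordinary SIDs: a privileged SID stays critical even when an approved migration account adds it, because a compromised migration account is exactly the case the review points warn about. The 4766 failure record is kept in the same queue so that a blocked attempt is seen alongside successful additions.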
Key fields
| Field | Meaning |
|---|---|
| Target Account\Account Name | The account SID History was added to |
| Source Account / added SID | The inherited SID (check whether privileged) |
| Subject\Account Name | The subject that performed the operation |
Glossary
- SID History — an attribute that carries over a source account’s SID. Abused, it can inherit privileges without joining a group.