4830 SID History was removed from an account
Logged when a SID is removed from an account's SID History. Together with 4765 (SID History added), it records changes to SID History. It is a relatively recently added event ID.
Overview
The subcategory is Audit User Account Management. The event is generated when a SID is removed from an account's sIDHistory attribute. SID History is a legitimate feature for domain migrations (a migrated account keeps the access granted to its old SIDs), but when abused it lets an account quietly inherit the access of a privileged SID (see 4765), so its removal is part of the change history worth reading.
How it is triggered
- Removal of SID History during post-migration cleanup.
- When an administrator or response team removes illicitly injected SID History.
Security review points
- It may record the detection and removal of illicit SID History (injected privileged SIDs). In incident response, investigate the 4765 (SID History added) and 4766 (add attempt failed) events first, then confirm the removal via 4830.
- Conversely, an attacker may remove the SID History they planted to cover their tracks. Check the removed SID, the subject that removed it, and whether that subject is the same one that added it.
Notes for log review
- It is normally rare. Pair it with 4765 to build the history of each SID from grant to removal.
- If the removed SID is that of a privileged group (for example Domain Admins or Enterprise Admins), an injection may have occurred earlier; scrutinize the surrounding logs for that account and subject.
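The correlation described in the review points and the log-review notes above, as an added example that is not part of the original page: it pairs 4765/4766/4830 records for each account, reports every 4830 with the SID it removed, who removed it, who added it and how long the SID sat in SID History, and rates the removal by whether the SID is a well-known privileged group. The event records are constructed, not real log data; their field names follow the key-field table on this page (target account, subject, removed SID), and the 4765 record is assumed to carry the added SID in the same `sid` field.

```python
"""Correlate 4765 (SID History added), 4766 (add failed) and 4830 (SID History
removed) into a per-account history and rate each removal.

Added example. SAMPLE_EVENTS is constructed data; field names are an assumption
that mirrors this page's key-field table rather than a raw Windows event export.
"""
from collections import defaultdict
from datetime import datetime

# Well-known privileged RIDs (last component of a domain or BUILTIN SID).
PRIVILEGED_RIDS = {
    "512": "Domain Admins",
    "518": "Schema Admins",
    "519": "Enterprise Admins",
    "544": "Administrators",
}
SEVERITY = ["low", "medium", "high"]

# Constructed events: a normal migration cleanup, a privileged SID planted and
# then removed by the same user, a failed add, and a removal with no add seen.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T08:00:00", "event_id": 4765, "target": "CORP\\svc-migrate",
     "sid": "S-1-5-21-1111-2222-3333-1105", "subject": "CORP\\admt-operator"},
    {"time": "2024-03-08T10:00:00", "event_id": 4830, "target": "CORP\\svc-migrate",
     "sid": "S-1-5-21-1111-2222-3333-1105", "subject": "CORP\\admt-operator"},
    {"time": "2024-03-10T23:12:00", "event_id": 4765, "target": "CORP\\jdoe",
     "sid": "S-1-5-21-1111-2222-3333-519", "subject": "CORP\\jdoe"},
    {"time": "2024-03-11T01:00:00", "event_id": 4766, "target": "CORP\\jdoe",
     "sid": "S-1-5-21-1111-2222-3333-512", "subject": "CORP\\jdoe"},
    {"time": "2024-03-11T01:40:00", "event_id": 4830, "target": "CORP\\jdoe",
     "sid": "S-1-5-21-1111-2222-3333-519", "subject": "CORP\\jdoe"},
    {"time": "2024-03-12T09:00:00", "event_id": 4830, "target": "CORP\\app-pool",
     "sid": "S-1-5-21-9999-8888-7777-1203", "subject": "CORP\\helpdesk1"},
]


def rid_of(sid):
    """Relative identifier: the last dash-separated component of the SID."""
    return sid.rsplit("-", 1)[-1]


def is_privileged(sid):
    return rid_of(sid) in PRIVILEGED_RIDS


def build_history(events):
    """Per-account timeline of (time, event_id, sid, subject), oldest first."""
    history = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        history[e["target"]].append((e["time"], e["event_id"], e["sid"], e["subject"]))
    return dict(history)


def review_removals(events):
    """For each 4830, pair it with the preceding 4765 for the same account/SID."""
    findings = []
    pending_adds = {}  # (target, sid) -> the 4765 that granted it
    for e in sorted(events, key=lambda e: e["time"]):
        key = (e["target"], e["sid"])
        if e["event_id"] == 4765:
            pending_adds[key] = e
        elif e["event_id"] == 4830:
            level, reasons = 0, []
            if is_privileged(e["sid"]):
                reasons.append("removed SID is %s" % PRIVILEGED_RIDS[rid_of(e["sid"])])
                level = 2
            add = pending_adds.pop(key, None)  # consume so a re-add starts a new pair
            if add is None:
                reasons.append("no matching 4765 in the reviewed window; look further back")
                level = max(level, 1)
            else:
                dwell = datetime.fromisoformat(e["time"]) - datetime.fromisoformat(add["time"])
                reasons.append("added by %s, held for %s" % (add["subject"], dwell))
                if add["subject"] == e["subject"]:
                    reasons.append("added and removed by the same subject (possible cleanup)")
            findings.append({"time": e["time"], "target": e["target"], "sid": e["sid"],
                             "subject": e["subject"], "severity": SEVERITY[level],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_removals(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["time"], f["target"], f["sid"], "by", f["subject"])
        for r in f["reasons"]:
            print("   -", r)
```

The constructed input yields a low rating for the migration cleanup (ordinary RID, added and removed by the migration operator a week apart), high for the Enterprise Admins SID that `jdoe` planted on their own account and removed two and a half hours later, and medium for the `app-pool` removal whose matching 4765 lies outside the reviewed window. Removal by the same subject that did the add is reported but not rated on its own, because that pattern is also what a legitimate post-migration cleanup looks like; the removed SID and the dwell time are what separate the two cases.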
Key fields
| Field | Meaning |
|---|---|
| Target Account\Account Name | The account SID History was removed from |
| Removed SID | The inherited SID that was removed |
| Subject\Account Name | The subject that performed the removal |