Event ID 4766 — An attempt to add SID History to an account failed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → User Account Management
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

An attempt to add SID History to an account failed.

Message #

An attempt to add SID History to an account failed.

Subject:
	Security ID:
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

Target Account:
	Security ID: %4
	Account Name: %2
	Account Domain: %3

Source Account
	Account Name: %1

Additional Information:
	Privileges: %8

Fields #

Name	Description
`Account_Name` UnicodeString	[Target Account] Account Name.
`Account_Name` UnicodeString	[Target Account] Account Name.
`Account_Domain` UnicodeString	[Target Account] Account Domain.
`Security_ID` UnicodeString	[Target Account] Security ID.
`Account_Name` UnicodeString	[Security ID] Account Name.
`Account_Domain` UnicodeString	[Security ID] Account Domain.
`Logon_ID` UnicodeString	[Security ID] Logon ID.
`Privileges` UnicodeString	[Additional Information] Privileges. Privilege constants reference
`SourceUserName` UnicodeString	[Target Account] Account Name
`TargetUserName` UnicodeString	[Target Account] Account Name
`TargetDomainName` UnicodeString	[Target Account] Account Domain
`TargetSid` UnicodeString	[Target Account] Security ID
`SubjectUserName` UnicodeString	[Security ID] Account Name
`SubjectDomainName` UnicodeString	[Security ID] Account Domain
`SubjectLogonId` UnicodeString	[Security ID] Logon ID
`PrivilegeList` UnicodeString	[Additional Information] Privileges Privilege constants reference

Detection Patterns #

Defense Evasion: SID-History Injection

Security-Auditing Event ID 4738: A user account was changed.OREvent ID 4765: SID History was added to an account.OREvent ID 4766: An attempt to add SID History to an account failed.

1 rule

Sigma

Addition of SID History to Active Directory Object (source)

Thomas Patzke, @atc_project (improvements)

Community Notes #

May indicate DCShadow or similar lateral movement attacks.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4766
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4766