SOC Event Lookup
Event ID 4766AccountMgmtP2

Windows Event ID 4766: An attempt to add SID History to an account failed

Windows Security Event ID 4766 records a failed attempt to add a SID to the SID History attribute of an Active Directory account, logging the Subject who attempted the change, the Target Account to be modified, and the Source Account whose SID was to be injected.

Applicable version
Windows Server 2008 R2 and later
Last reviewed
2026-07-12

Trigger Scenarios

SID History additions are a specialized migration operation requiring domain-level privilege. A failed attempt is generated when an attacker lacks the necessary rights, when SID filtering blocks the attempted cross-forest SID, or when a deliberate probe tests whether the operation would succeed before attempting it with different credentials.

Key Fields

Target Account\Account Name / Security ID

The account that was the intended recipient of the injected SID. Targeting a highly-privileged account (Domain Admins member, Krbtgt, or an admin service account) signals an attempt to grant that account the access rights of the Source Account's SID.

Source Account\Account Name

The account whose SID was to be injected into Target Account's SID History. If Source Account Name belongs to a domain admin, Enterprise Admin, or a privileged service account in another domain, the attacker intended to grant Target Account those cross-domain rights silently.

Subject\Account Name / Security ID

The identity that attempted the modification. This event fires because the attempt failed, so Subject may be a low-privilege account probing the operation; cross-reference with any 4765 (success) records nearby to check whether a subsequent attempt with elevated credentials succeeded.

Common False Positives

  • Active Directory migration tools (Quest Migration Manager, ADMT) legitimately write SID History during planned forest migrations and will generate 4766 during configuration testing if privileges are not yet in place.
  • Accidental permission misconfigurations during migration projects can cause expected failures from authorized tools.

Related Events

MITRE ATT&CK Mapping

  • T1134.005Access Token Manipulation: SID-History Injection

Detection Notes

Event 4766 has no status or failure-code field. Treat a Source Account from a different domain or a privileged name such as Enterprise Admins, followed by a matching 4765 for the same Target Account within 60 minutes, as a T1134.005 SID-History Injection probe and retry sequence. Use window=60 minutes to correlate a failed 4766 with a subsequent 4765.

Microsoft Sentinel KQL
SecurityEvent
| where EventID in (4766, 4765)
| project TimeGenerated, Computer, EventID, SubjectUserName, TargetUserName, SubjectUserSid
| order by TimeGenerated asc
Splunk SPL
index=wineventlog EventCode IN (4766, 4765)
| table _time, host, EventCode, SubjectUserName, TargetUserName
Sample Log
Subject:
  Security ID: CORP\lowpriv
  Account Name: lowpriv
  Account Domain: CORP
  Logon ID: 0x91A2F0
Target Account:
  Security ID: CORP\svc-ops
  Account Name: svc-ops
  Account Domain: CORP
Source Account:
  Account Name: Enterprise Admins
Additional Information:
  Privileges: -

Source