Addition of SID History to Active Directory Object

Sigma Rules

Summary
This detection rule monitors for unauthorized changes to the Security Identifier (SID) history of Active Directory (AD) objects, which can indicate an attacker attempting to escalate privileges by attaching the SID history of a trusted account to one they control. The rule alerts on specific Windows Security Event IDs related to user account modification: Event IDs 4765 and 4766 correspond to the addition or attempted modification of SID history, while Event ID 4738 indicates a change to a user account's properties. Because 4738 is also generated by routine administration, the rule defines conditions under which these events count as suspicious and filters out legitimate scenarios such as account migrations to a new domain. The legitimacy checks examine whether a SID history value is actually present in the event and apply conditional exclusions for specific event types. By monitoring these events, security teams can detect privilege escalation attempts that rely on SID history manipulation, which is important for maintaining the integrity of AD environments.
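To make the detection logic in the summary concrete, the following is an added Python example (not the Sigma rule's own source, which is linked from this page) that applies the same conditions to a few constructed security events in JSON-lines form. The field names (EventID, SidHistory, TargetUserName, SubjectUserName), the sample SIDs, and the set of values treated as "SID history not set" (including the %%1793 placeholder) are assumptions about how a log forwarder flattens these events, not values taken from the page.

```python
import json

# Constructed sample: five security events as JSON lines, in the flattened
# shape an EVTX-to-JSON forwarder typically emits. Field names and SIDs are
# assumptions made for this example.
SAMPLE_LOG = """\
{"EventID": 4765, "TargetUserName": "svc-backup", "SubjectUserName": "jdoe", "SidHistory": "S-1-5-21-100-200-300-512"}
{"EventID": 4766, "TargetUserName": "svc-backup", "SubjectUserName": "jdoe", "SidHistory": "S-1-5-21-100-200-300-512"}
{"EventID": 4738, "TargetUserName": "alice", "SubjectUserName": "helpdesk", "SidHistory": "-"}
{"EventID": 4738, "TargetUserName": "bob", "SubjectUserName": "jdoe", "SidHistory": "S-1-5-21-100-200-300-519"}
{"EventID": 4624, "TargetUserName": "alice", "SubjectUserName": "-", "SidHistory": "-"}
"""

# Values this example treats as "SID history not set" on a 4738 event.
# "-" and "" are the usual empty renderings; "%%1793" is assumed here to be
# the Windows resource placeholder that renders as "not set" in message text.
NO_SID_HISTORY = {"-", "", "%%1793", None}


def parse_events(text):
    """Parse JSON-lines input into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def matches_sid_history_rule(event):
    """Return True when the event meets the rule's condition.

    4765/4766 always match (SID history added, or an add was attempted).
    4738 matches only when the SidHistory attribute carries a real value,
    which filters out the routine account-property changes the summary
    mentions as legitimate noise.
    """
    event_id = event.get("EventID")
    if event_id in (4765, 4766):
        return True
    if event_id == 4738:
        return event.get("SidHistory") not in NO_SID_HISTORY
    return False


def run_detection(text):
    """Return one alert dict per matching event with the fields an analyst
    needs for triage: who changed which account, and which SID was added."""
    alerts = []
    for event in parse_events(text):
        if matches_sid_history_rule(event):
            alerts.append({
                "event_id": event["EventID"],
                "target": event.get("TargetUserName"),
                "actor": event.get("SubjectUserName"),
                "sid_history": event.get("SidHistory"),
            })
    return alerts


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_LOG):
        print(alert)
```

Running the block against the sample produces three alerts: the 4765 and 4766 events unconditionally, and the 4738 event for "bob" because its SidHistory field holds an actual SID. The 4738 event for "alice" (SidHistory "-") and the unrelated 4624 logon are dropped, which is the filtering the summary describes. In a real deployment the alert's sid_history value is what an analyst would compare against the expected migration source domain before treating the change as legitimate.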
Categories
  • Windows
  • Identity Management
Data Sources
  • User Account
  • Active Directory
Created: 2017-02-19