
Summary
This detection rule identifies modifications made to the sIDHistory attribute in Active Directory using Windows Security event code 5136 ("A directory service object was modified"). The sIDHistory attribute can be manipulated by attackers to gain unauthorized access by inheriting the permissions of other accounts, allowing privilege escalation and persistent access within a domain. The detection relies on ingested security logs to monitor any change to the sIDHistory field, which is indicative of potentially malicious activity. Implementing this rule requires enabling the Advanced Security Audit policy for Directory Services Changes and creating a suitable SACL on the AD objects to be monitored. Be aware that legitimate operations, such as domain mergers and migrations, may trigger false positives in this analytic.
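The detection logic described above, as an added example that is not part of the original rule or its vendor's code: it parses constructed Windows Security 5136 event records in their XML form, keeps only those whose AttributeLDAPDisplayName is sIDHistory, and marks changes made by an allowlisted migration account as expected so that the domain-merger false positive can be triaged rather than dropped. The sample events, the domain name, the account names and the allowlist are all constructed for this example; the field names (SubjectUserName, ObjectDN, AttributeLDAPDisplayName, AttributeValue, OperationType) are the standard EventData fields of event 5136, and the audit policy and SACL prerequisites from the summary are assumed to already be in place.

```python
"""Flag Windows Security event 5136 records that modify the sIDHistory attribute."""
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# OperationType values emitted by event 5136.
OPERATION_TYPES = {"%%14674": "Value Added", "%%14675": "Value Deleted"}


def _event_xml(event_id, fields):
    """Build a minimal event XML string (constructed sample data, not a real log)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData>{data}</EventData></Event>')


# Constructed sample events: one suspicious sIDHistory write, one sIDHistory write
# by a (hypothetical) migration service account, and one unrelated attribute change.
SAMPLE_EVENTS = [
    _event_xml(5136, {
        "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
        "ObjectDN": "CN=jdoe,OU=Users,DC=corp,DC=example",
        "ObjectClass": "user", "AttributeLDAPDisplayName": "sIDHistory",
        "AttributeValue": "S-1-5-21-1111111111-2222222222-3333333333-512",
        "OperationType": "%%14674",
    }),
    _event_xml(5136, {
        "SubjectUserName": "svc-admt", "SubjectDomainName": "CORP",
        "ObjectDN": "CN=migrated.user,OU=Migrated,DC=corp,DC=example",
        "ObjectClass": "user", "AttributeLDAPDisplayName": "sIDHistory",
        "AttributeValue": "S-1-5-21-4444444444-5555555555-6666666666-1105",
        "OperationType": "%%14674",
    }),
    _event_xml(5136, {
        "SubjectUserName": "helpdesk", "SubjectDomainName": "CORP",
        "ObjectDN": "CN=jdoe,OU=Users,DC=corp,DC=example",
        "ObjectClass": "user", "AttributeLDAPDisplayName": "description",
        "AttributeValue": "Contractor", "OperationType": "%%14674",
    }),
]


def parse_event(xml_text):
    """Return the EventID plus every EventData <Data Name=...> field as a dict."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {"EventID": event_id, **fields}


def detect_sidhistory_changes(events_xml, allowed_migration_accounts=frozenset()):
    """Return one finding per 5136 event that modifies sIDHistory.

    Each finding records who made the change, which object was changed, whether a
    value was added or deleted, the SID written, and whether the actor is on the
    migration allowlist (expected=True) so analysts can triage known migrations.
    """
    allowlist = {a.lower() for a in allowed_migration_accounts}
    findings = []
    for xml_text in events_xml:
        ev = parse_event(xml_text)
        if ev["EventID"] != 5136:
            continue
        if ev.get("AttributeLDAPDisplayName", "").lower() != "sidhistory":
            continue
        actor = ev.get("SubjectUserName", "")
        op = ev.get("OperationType", "")
        findings.append({
            "actor": f"{ev.get('SubjectDomainName', '')}\\{actor}",
            "object": ev.get("ObjectDN", ""),
            "operation": OPERATION_TYPES.get(op, op),
            "value": ev.get("AttributeValue", ""),
            "expected": actor.lower() in allowlist,
        })
    return findings


if __name__ == "__main__":
    for f in detect_sidhistory_changes(SAMPLE_EVENTS, allowed_migration_accounts={"svc-admt"}):
        print(f)
```

The allowlist only downgrades a finding to "expected"; it does not suppress it, so a compromised migration account still leaves an audit trail that can be reviewed against the migration schedule.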
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Logon Session
ATT&CK Techniques
- T1134
- T1134.005
Created: 2024-11-13