
Summary
This detection rule monitors for changes made to the sIDHistory attribute of user or computer objects in a Windows Active Directory environment, specifically looking for alterations that could indicate unauthorized access or privilege escalation attempts. Utilizing Windows Security Event Codes 4738 (a user account was modified) and 4742 (a computer account was modified), it identifies when the sIDHistory field is updated. The sIDHistory attribute, when misused, allows attackers to gain permissions from another account, thereby potentially maintaining persistent access or elevating their privileges within the domain. Effective implementation of this detection requires the relevant event logs to be ingested and specific auditing policies to be enforced.
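To make the logic concrete, here is an added example (not the rule's own code) that applies the check described above to constructed 4738 / 4742 event records: it ignores events whose "SID History" changed-attribute is "-" (meaning the field was not touched) and raises severity when the injected SID carries a well-known privileged RID. The sample messages, account names and SIDs are constructed for illustration.

```python
import re

# Constructed sample records (not real logs), shaped like the message body
# Windows writes for 4738 (user changed) and 4742 (computer changed).
SAMPLE_EVENTS = [
    {"EventCode": 4738, "Message": """A user account was changed.
Subject:
\tAccount Name:\t\tjdoe
Target Account:
\tAccount Name:\t\tsvc-backup
Changed Attributes:
\tSID History:\tS-1-5-21-1111111111-2222222222-3333333333-512"""},
    {"EventCode": 4738, "Message": """A user account was changed.
Subject:
\tAccount Name:\t\thelpdesk1
Target Account:
\tAccount Name:\t\tasmith
Changed Attributes:
\tDisplay Name:\tAlice Smith
\tSID History:\t-"""},
    {"EventCode": 4742, "Message": """A computer account was changed.
Subject:
\tAccount Name:\t\tjdoe
Target Account:
\tAccount Name:\t\tWS01$
Changed Attributes:
\tSID History:\tS-1-5-21-4444444444-5555555555-6666666666-1109"""},
]

# Well-known domain RIDs: Administrator, Domain Admins, Schema Admins, Enterprise Admins.
PRIVILEGED_RIDS = {500, 512, 518, 519}

def sid_history_alerts(events):
    """Return one alert per 4738/4742 event whose SID History attribute was set."""
    alerts = []
    for ev in events:
        if ev["EventCode"] not in (4738, 4742):
            continue
        msg = ev["Message"]
        m = re.search(r"^\s*SID History:\s*(.+?)\s*$", msg, re.M)
        if not m or m.group(1) == "-":  # "-" means the attribute was unchanged
            continue
        new_sid = m.group(1)
        actor = re.search(r"Subject:.*?Account Name:\s*(\S+)", msg, re.S)
        target = re.search(r"Target Account:.*?Account Name:\s*(\S+)", msg, re.S)
        rid = int(new_sid.rsplit("-", 1)[1]) if new_sid.startswith("S-1-5-21-") else None
        alerts.append({"event_code": ev["EventCode"],
                       "actor": actor.group(1) if actor else None,
                       "target": target.group(1) if target else None,
                       "sid_history": new_sid,
                       "severity": "high" if rid in PRIVILEGED_RIDS else "medium"})
    return alerts
```

Running `sid_history_alerts(SAMPLE_EVENTS)` yields two alerts: the user change injecting a RID-512 SID (high) and the computer change (medium); the event that only changed a display name is skipped.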
Categories
- Windows
- Endpoint
- Identity Management
Data Sources
- Windows Registry
ATT&CK Techniques
- T1134.005
- T1134
Created: 2024-12-10