Microsoft-Windows-Security-Auditing › Event 4627

Event ID 4627 — Group membership information.

Provider
Microsoft-Windows-Security-Auditing
Channel
Security
Audit Policy
Logon/Logoff → Group Membership
Collection Priority
Recommended (ASD, others)
Opcode
Info

Description

Group membership information.

Message

Group membership information.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Logon Type: %9

New Logon:
	Security ID: %5
	Account Name: %6
	Account Domain: %7
	Logon ID: %8

Event in sequence: %10 of %11

Group Membership: %12

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

This event is generated when the Audit Group Membership subcategory is configured. The Logon ID field can be used to correlate this event with the corresponding user logon event and with any other security audit events generated during this logon session.

Fields

Name | Type | Description
SubjectUserSid | SID | [Subject] Security ID. The account on the local system which requested the logon.
SubjectUserName | UnicodeString | [Subject] Account Name. The account on the local system which requested the logon.
SubjectDomainName | UnicodeString | [Subject] Account Domain. The account on the local system which requested the logon.
SubjectLogonId | HexInt64 | [Subject] Logon ID. The logon session of the account that requested the logon.
TargetUserSid | SID | [New Logon] Security ID. The account for whom the new logon was created, i.e. the account that was logged on.
TargetUserName | UnicodeString | [New Logon] Account Name. The account for whom the new logon was created, i.e. the account that was logged on.
TargetDomainName | UnicodeString | [New Logon] Account Domain. The account for whom the new logon was created, i.e. the account that was logged on.
TargetLogonId | HexInt64 | [New Logon] Logon ID. The logon session that was created; use it to correlate with the logon event and other audit events of the same session.
LogonType | UInt32 | Logon Type. The kind of logon that occurred; the most common types are 2 (interactive) and 3 (network). See the logon type reference.
EventIdx | UInt32 | Event in sequence. The index of this event within the sequence of 4627 events emitted for one logon (%10 in the message).
EventCountTotal | UInt32 | The total number of events in that sequence (%11 in the message); group lists that do not fit in one event are split across several.
GroupMembership | UnicodeString | [New Logon] Group Membership. The list of group SIDs in the new logon's token, one %{SID} entry per line (see the example event).

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4627,
    "version": 0,
    "level": 0,
    "task": 12554,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2023-11-06T02:00:32.200180+00:00",
    "event_record_id": 310791,
    "correlation": {
      "ActivityID": "E4DB489E-1037-0001-0C49-DBE43710DA01"
    },
    "execution": {
      "process_id": 808,
      "thread_id": 16720
    },
    "channel": "Security",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "WINDEV2310EVAL$",
    "SubjectDomainName": "WORKGROUP",
    "SubjectLogonId": "0x3e7",
    "TargetUserSid": "S-1-5-18",
    "TargetUserName": "SYSTEM",
    "TargetDomainName": "NT AUTHORITY",
    "TargetLogonId": "0x3e7",
    "LogonType": 5,
    "EventIdx": 1,
    "EventCountTotal": 1,
    "GroupMembership": "\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-16-16384}"
  },
  "message": ""
}

Community Notes

Shows the full AD group list for every successful logon (useful to detect changes in privileges).

Detection Rules

Splunk

  • Windows Domain Admin Impersonation Indicator: The following analytic identifies potential Kerberos ticket forging attacks, specifically the Diamond Ticket attack. This is detected when a user logs into a host and the GroupMembership field in event 4627 indicates a privileged group (e.g., Domain Admins), but the user does not actually belong to that group in the directory service. The detection leverages Windows Security Event Log 4627, which logs account logon events. The analytic cross-references the GroupMembership field from the event against a pre-populated lookup of actual group memberships. It's crucial to note that the accuracy and effectiveness of this detection heavily rely on the user's diligence in populating and regularly updating this lookup table. Any discrepancies between the event's GroupMembership and the lookup indicate potential ticket forging. Kerberos ticket forging, especially the Diamond Ticket attack, allows attackers to impersonate any user and potentially gain unauthorized access to resources. By forging a ticket that indicates membership in a privileged group, an attacker can bypass security controls and gain elevated privileges. Detecting such discrepancies in group memberships during logon events can be a strong indicator of this attack in progress, making it crucial for security teams to monitor and investigate. If validated as a true positive, this indicates that an attacker has successfully forged a Kerberos ticket and may have gained unauthorized access to critical resources, potentially with elevated privileges.
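The Python below is an added example, not part of this reference page or of the Splunk rule: it parses the GroupMembership field as formatted in the example event above, reassembles group lists that span several 4627 events ("Event in sequence N of M") for the same TargetLogonId, and flags privileged SIDs that a baseline lookup of real directory memberships does not grant to the account. The baseline, the CORP domain SIDs and the jdoe events are constructed sample data; Domain Admins (RID 512) and Enterprise Admins (RID 519) are the domain groups it watches.

```python
import re
from collections import defaultdict
SID_RE = re.compile(r"%\{(S-1-[\d-]+)\}")
# Privileged groups to watch: local Administrators, plus Domain/Enterprise Admins by domain RID.
PRIVILEGED_LOCAL = {"S-1-5-32-544"}
PRIVILEGED_DOMAIN_RIDS = {"512", "519"}

def parse_group_membership(raw):
    """Extract the SIDs from a 4627 GroupMembership value ("\\r\\n\\t\\t%{SID}" per group)."""
    return SID_RE.findall(raw or "")

def is_privileged(sid):
    domain_rid = sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[-1] in PRIVILEGED_DOMAIN_RIDS
    return sid in PRIVILEGED_LOCAL or domain_rid

def collect_sessions(events):
    """Merge GroupMembership across the 'Event in sequence: N of M' chain of one TargetLogonId; only complete chains are returned."""
    sessions = defaultdict(lambda: {"sids": set(), "seen": set(), "total": 0, "user_sid": ""})
    for ev in events:
        d = ev["event_data"]
        s = sessions[d["TargetLogonId"]]
        s["user_sid"] = d["TargetUserSid"]
        s["total"] = int(d["EventCountTotal"])
        s["seen"].add(int(d["EventIdx"]))
        s["sids"].update(parse_group_membership(d.get("GroupMembership")))
    return {lid: s for lid, s in sessions.items() if len(s["seen"]) == s["total"]}

def find_unexpected_privileged(events, baseline):
    """baseline maps TargetUserSid -> group SIDs the directory really grants (the analogue of the
    Splunk lookup). Returns {TargetLogonId: [privileged SIDs present in the token but not in baseline]}."""
    findings = {}
    for lid, s in collect_sessions(events).items():
        expected = baseline.get(s["user_sid"], set())
        bad = sorted(x for x in s["sids"] if is_privileged(x) and x not in expected)
        if bad:
            findings[lid] = bad
    return findings

def _ev(user_sid, user, domain, logon_id, idx, total, sids):
    """Constructed minimal 4627 record in the shape of this page's example event (not a real capture)."""
    return {"event_data": {"TargetUserSid": user_sid, "TargetUserName": user, "TargetDomainName": domain,
            "TargetLogonId": logon_id, "EventIdx": idx, "EventCountTotal": total,
            "GroupMembership": "".join(f"\r\n\t\t%{{{s}}}" for s in sids)}}
# Constructed sample: the SYSTEM logon from this page, and a hypothetical domain user whose groups arrive in two events.
SAMPLE_EVENTS = [
    _ev("S-1-5-18", "SYSTEM", "NT AUTHORITY", "0x3e7", 1, 1, ["S-1-5-32-544", "S-1-1-0", "S-1-5-11"]),
    _ev("S-1-5-21-1-2-3-1105", "jdoe", "CORP", "0x5a2f1", 1, 2, ["S-1-1-0", "S-1-5-21-1-2-3-513"]),
    _ev("S-1-5-21-1-2-3-1105", "jdoe", "CORP", "0x5a2f1", 2, 2, ["S-1-5-21-1-2-3-512"]),
]
BASELINE = {"S-1-5-18": {"S-1-5-32-544"}, "S-1-5-21-1-2-3-1105": {"S-1-5-21-1-2-3-513"}}
```

Running `find_unexpected_privileged(SAMPLE_EVENTS, BASELINE)` reports the jdoe session, whose token carries a Domain Admins SID the baseline does not grant; a session whose event chain is incomplete is held back rather than judged on a partial group list.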