Event ID 4732 — A member was added to a security-enabled local group.
Description
A member was added to a security-enabled local group.
Fields
| Name | Type | Description |
|---|---|---|
| MemberName | UnicodeString | [Member] Account Name. |
| MemberSid | SID | [Member] Security ID. |
| TargetUserName | UnicodeString | [Group] Group Name. |
| TargetDomainName | UnicodeString | [Group] Group Domain. |
| TargetSid | SID | [Group] Security ID. |
| SubjectUserSid | SID | [Subject] Security ID. |
| SubjectUserName | UnicodeString | [Subject] Account Name. |
| SubjectDomainName | UnicodeString | [Subject] Account Domain. |
| SubjectLogonId | HexInt64 | [Subject] Logon ID. |
| PrivilegeList | UnicodeString | [Additional Information] Privileges (see the privilege constants reference). |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4732,
    "version": 0,
    "level": 0,
    "task": 13826,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2023-11-06T06:25:35.063652+00:00",
    "event_record_id": 2788,
    "correlation": {
      "ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
    },
    "execution": {
      "process_id": 808,
      "thread_id": 896
    },
    "channel": "Security",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "MemberName": "-",
    "MemberSid": "S-1-5-21-1992711665-1655669231-58201500-1000",
    "TargetUserName": "Administrators",
    "TargetDomainName": "Builtin",
    "TargetSid": "S-1-5-32-544",
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "WINDEV2310EVAL$",
    "SubjectDomainName": "WORKGROUP",
    "SubjectLogonId": "0x3e7",
    "PrivilegeList": "-"
  },
  "message": ""
}
```
Detection Patterns
- User Account (6 rules): Security-Auditing Event ID 4720 (A user account was created) AND Event ID 4722 (A user account was enabled) AND Event ID 4723 (An attempt was made to change an account's password) AND Event ID 4724 (An attempt was made to reset an account's password) AND Event ID 4725 (A user account was disabled) AND Event ID 4726 (A user account was deleted) AND Event ID 4728 (A member was added to a security-enabled global group) AND Event ID 4732 (A member was added to a security-enabled local group) AND Event ID 4733 (A member was removed from a security-enabled local group) AND Event ID 4738 (A user account was changed) AND Event ID 4743 (A computer account was deleted) AND Event ID 4780 (The ACL was set on accounts which are members of administrators groups)
- 3 rules, Kusto Query Language: Security-Auditing Event ID 4728 (A member was added to a security-enabled global group) OR Event ID 4732 (A member was added to a security-enabled local group) OR Event ID 4756 (A member was added to a security-enabled universal group)
- 2 rules, Kusto Query Language: Security-Auditing Event ID 4720 (A user account was created) → Event ID 4732 (A member was added to a security-enabled local group)
- Persistence: Account Manipulation (1 rule, Kusto Query Language): Defender-DeviceEvents Event ID 9007007 (User account added to local group) → Security-Auditing Event ID 4732 (A member was added to a security-enabled local group)
- Persistence: Local Account (1 rule): Security-Auditing Event ID 4720 (A user account was created) AND Event ID 4732 (A member was added to a security-enabled local group)
Detection Rules
Sigma
- User Added to Local Administrator Group (level: medium): Detects the addition of a new member to the local administrator group, which could be legitimate activity or a sign of privilege escalation activity.
Splunk
- Windows DnsAdmins New Member Added: The following analytic detects the addition of a new member to the DnsAdmins group in Active Directory by leveraging Event ID 4732. This detection uses security event logs to identify changes to this high-privilege group. Monitoring this activity is crucial because members of the DnsAdmins group can manage the DNS service, often running on Domain Controllers, and potentially execute malicious code with SYSTEM privileges. If confirmed malicious, this activity could allow an attacker to escalate privileges and gain control over critical domain services, posing a significant security risk.
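The following is an added worked example, not code from the page, from the Sigma or Splunk projects, or from the evtx-baseline repository. It runs the three detections described above (the Sigma local-Administrators rule, the Splunk DnsAdmins rule, and the "4720 → 4732" correlation pattern) over constructed records laid out like the example event. The machine SID prefix is reused from the example event; the 30-minute correlation window, the `DnsAdmins` group SID, the account names and the `WS01` computer name are assumptions, and the alert rule names are made up here. In a 4720 record the `Target*` fields describe the newly created account, which is why the correlation joins `TargetSid` from 4720 against `MemberSid` from 4732.

```python
import json
from datetime import datetime, timedelta

# Well-known SID of Builtin\Administrators; it is the TargetSid in the page's example event.
BUILTIN_ADMINISTRATORS_SID = "S-1-5-32-544"
# Name-based watchlist for privileged groups whose SID is domain-specific (DnsAdmins, per the Splunk rule).
WATCHED_GROUP_NAMES = {"DnsAdmins"}
# Assumed window for the "account created (4720) then added to a local group (4732)" pattern.
CORRELATION_WINDOW = timedelta(minutes=30)
# Machine SID prefix taken from the example event; the trailing RIDs below are constructed.
DOMAIN_PREFIX = "S-1-5-21-1992711665-1655669231-58201500"


def _record(event_id, time_created, **event_data):
    """Build a record in the same layout as the example event above (constructed data)."""
    return {
        "system": {"provider": "Microsoft-Windows-Security-Auditing", "event_id": event_id,
                   "channel": "Security", "time_created": time_created, "computer": "WS01"},
        "event_data": event_data,
    }


# Constructed sample export, one JSON object per line, as a SIEM or forwarder might deliver it.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    # account created an hour before it is added to Administrators: outside the correlation window
    _record(4720, "2023-11-06T05:00:00+00:00", TargetUserName="tmpuser",
            TargetSid=f"{DOMAIN_PREFIX}-1004", SubjectUserName="jdoe"),
    _record(4732, "2023-11-06T06:00:00+00:00", MemberName="-", MemberSid=f"{DOMAIN_PREFIX}-1004",
            TargetUserName="Administrators", TargetDomainName="Builtin",
            TargetSid=BUILTIN_ADMINISTRATORS_SID, SubjectUserName="jdoe"),
    # account created and added to Builtin\Administrators five and a half minutes later
    _record(4720, "2023-11-06T06:20:00+00:00", TargetUserName="svc-backup",
            TargetSid=f"{DOMAIN_PREFIX}-1001", SubjectUserName="jdoe"),
    _record(4732, "2023-11-06T06:25:35+00:00", MemberName="-", MemberSid=f"{DOMAIN_PREFIX}-1001",
            TargetUserName="Administrators", TargetDomainName="Builtin",
            TargetSid=BUILTIN_ADMINISTRATORS_SID, SubjectUserName="jdoe"),
    # benign: existing user added to Remote Desktop Users (well-known SID S-1-5-32-555)
    _record(4732, "2023-11-06T06:30:00+00:00", MemberName="-", MemberSid=f"{DOMAIN_PREFIX}-1002",
            TargetUserName="Remote Desktop Users", TargetDomainName="Builtin",
            TargetSid="S-1-5-32-555", SubjectUserName="jdoe"),
    # domain-local group matched by name; the group SID here is constructed
    _record(4732, "2023-11-06T07:00:00+00:00", MemberName="-", MemberSid=f"{DOMAIN_PREFIX}-1003",
            TargetUserName="DnsAdmins", TargetDomainName="CORP",
            TargetSid=f"{DOMAIN_PREFIX}-1101", SubjectUserName="jdoe"),
])


def parse_events(text):
    """Parse newline-delimited JSON records, keeping only Security-channel 4720/4732 events, in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        sysinfo = rec["system"]
        if sysinfo.get("channel") == "Security" and sysinfo.get("event_id") in (4720, 4732):
            rec["_time"] = datetime.fromisoformat(sysinfo["time_created"])
            events.append(rec)
    return sorted(events, key=lambda r: r["_time"])


def detect(events):
    """Return one alert dict per matched pattern, in the order the events were processed."""
    alerts = []
    created_at = {}  # SID of a newly created account -> creation time, from 4720 records
    for rec in events:
        data, ts = rec["event_data"], rec["_time"]
        if rec["system"]["event_id"] == 4720:
            created_at[data["TargetSid"]] = ts
            continue
        # 4732: MemberName is often "-" (as in the example event), so key on MemberSid, not the name.
        group = f'{data["TargetDomainName"]}\\{data["TargetUserName"]}'
        base = {"time": ts.isoformat(), "member_sid": data["MemberSid"], "group": group,
                "subject": data.get("SubjectUserName", "?")}
        # Sigma "User Added to Local Administrator Group": match the well-known SID, which survives renames.
        if data["TargetSid"] == BUILTIN_ADMINISTRATORS_SID:
            alerts.append({"rule": "local_admin_group_member_added", **base})
        # Splunk "Windows DnsAdmins New Member Added": domain group, so match by name.
        if data["TargetUserName"] in WATCHED_GROUP_NAMES:
            alerts.append({"rule": "watched_group_member_added", **base})
        # "4720 -> 4732" pattern: the added member is an account created within the window.
        born = created_at.get(data["MemberSid"])
        if born is not None and timedelta(0) <= ts - born <= CORRELATION_WINDOW:
            alerts.append({"rule": "new_account_added_to_local_group",
                           "created_seconds_ago": int((ts - born).total_seconds()), **base})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

Matching the built-in group by `TargetSid` rather than `TargetUserName` keeps the rule working on systems where the Administrators group has been renamed or the display language differs; for domain groups such as DnsAdmins, whose SID is unique per domain, a name match is the portable choice unless the domain's group SIDs are known.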
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4732
- Example event sourced from https://github.com/NextronSystems/evtx-baseline