Event ID 4759 — A security-disabled universal group was created.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Distribution Group Management
Collection Priority: Low (Splunk-UBA, others)
Opcode: Info

Description

A security-disabled universal group was created.

Message #

A security-disabled universal group was created.

Subject:
	Security ID: %4
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

Group:
	Security ID: %3
	Group Name: %1
	Group Domain: %2

Attributes:
	SAM Account Name: %9
	SID History: %10

Additional Information:
	Privileges: %8

Fields #

Name	Description
`Group_Name` UnicodeString	[Group] Group Name.
`Group_Domain` UnicodeString	[Group] Group Domain.
`Security_ID` SID	[Group] Security ID.
`Security_ID` SID	[Subject] Security ID.
`Account_Name` UnicodeString	[Subject] Account Name.
`Account_Domain` UnicodeString	[Subject] Account Domain.
`Logon_ID` HexInt64	[Subject] Logon ID.
`Privileges` UnicodeString	[Additional Information] Privileges. Privilege constants reference
`SAM_Account_Name` UnicodeString	[Attributes] SAM Account Name.
`SID_History` UnicodeString	[Attributes] SID History.
`TargetUserName` UnicodeString	[Group] Group Name
`TargetDomainName` UnicodeString	[Group] Group Domain
`TargetSid` SID	[Group] Security ID
`SubjectUserSid` SID	[Subject] Security ID
`SubjectUserName` UnicodeString	[Subject] Account Name
`SubjectDomainName` UnicodeString	[Subject] Account Domain
`SubjectLogonId` HexInt64	[Subject] Logon ID
`PrivilegeList` UnicodeString	[Additional Information] Privileges Privilege constants reference
`SamAccountName` UnicodeString	[Attributes] SAM Account Name
`SidHistory` UnicodeString	[Attributes] SID History

Detection Patterns #

Persistence: Domain Account

Security-Auditing Event ID 4727: A security-enabled global group was created.ANDEvent ID 4731: A security-enabled local group was created.ANDEvent ID 4744: A security-disabled local group was created.ANDEvent ID 4749: A security-disabled global group was created.ANDEvent ID 4754: A security-enabled universal group was created.ANDEvent ID 4756: A member was added to a security-enabled universal group.ANDEvent ID 4759: A security-disabled universal group was created.ANDEvent ID 4783: A basic application group was created.ANDEvent ID 4790: An LDAP query group was created.

1 rule

Splunk

Windows Privileged Group Modification (source)

Brandon Sternfield, Optiv + ClearShark

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4759
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4759