
Event ID 4908 — Special Groups Logon table modified.

Provider
Microsoft-Windows-Security-Auditing
Channel
Security
Audit Policy
Policy Change → Audit Policy Change
Collection Priority
Recommended (Yamato Security, others)
Opcode
Info

Description

Special Groups Logon table modified.

Message

Special Groups Logon table modified.

Special Groups: %1

This event is generated whenever the Special Groups list is changed, whether the registry value is edited directly (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\SpecialGroups, a REG_SZ holding semicolon-separated SIDs) or pushed through security policy, and once more at every system startup. The event carries the list as it stands after the change, not the previous list, so working out which SIDs were removed requires comparing it with the preceding 4908 from the same host.

Fields

Name            Description
Special_Groups  The updated list of special-group SIDs (message insert %1, XML data element SidList), separated by semicolons; "-" when the list is now empty, as in the example event below.

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4908,
    "version": 0,
    "level": 0,
    "task": 13568,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2020-07-12T06:01:51.798027Z",
    "event_record_id": 16088364,
    "correlation": {},
    "execution": {
      "process_id": 528,
      "thread_id": 548
    },
    "channel": "Security",
    "computer": "rootdc1.offsec.lan",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SidList": "-"
  }
}

Community Notes

Removing a SID from the Special Groups list stops Event ID 4964 (Special groups have been assigned to a new logon) from firing for that group, so a 4908 whose SidList is shorter than the previous one deserves attention. The event also appears at every reboot, so IR can compare the boot-time record against later changes.
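A detection pass over 4908 records, written for this page as an added example (it is not the page's or Microsoft's code). It takes events in the JSON shape shown above, uses 4608 (Windows is starting up) as the boot marker, treats the first 4908 after it as the boot-time baseline, and diffs every later 4908 against the previous list so that removed SIDs, which silence 4964 for that group, are flagged. The sample events, SIDs and host name are constructed; the semicolon-separated SidList format and the "-" empty-list marker are as Windows writes them.

```python
"""Diff the Special Groups list across 4908 events (added example, not from the page).

Input is a list of events in the JSON shape shown on this page ("system" and
"event_data" blocks). 4908 is written at every boot and whenever the list changes;
SidList carries the new list as semicolon-separated SIDs, or "-" when it is empty.
4608 ("Windows is starting up") is used as the boot marker, so the first 4908 after
it is the boot-time baseline and later 4908s before the next boot are runtime changes.
"""
from datetime import datetime

# Constructed sample data (not real log output). The domain SID is made up; the
# "-512" RID is Domain Admins and S-1-5-32-544 is the local Administrators group.
DOMAIN_ADMINS = "S-1-5-21-1111111111-2222222222-3333333333-512"
ADMINISTRATORS = "S-1-5-32-544"


def _ev(event_id, ts, record_id, **event_data):
    """Build one event in the page's JSON layout (only the keys this script reads)."""
    return {
        "system": {
            "provider": "Microsoft-Windows-Security-Auditing",
            "event_id": event_id,
            "time_created": ts,
            "event_record_id": record_id,
            "channel": "Security",
            "computer": "rootdc1.offsec.lan",
        },
        "event_data": dict(event_data),
    }


SAMPLE_EVENTS = [
    _ev(4608, "2020-07-12T06:01:50.100000Z", 16088360),
    _ev(4908, "2020-07-12T06:01:51.798027Z", 16088364,
        SidList=f"{DOMAIN_ADMINS};{ADMINISTRATORS}"),
    _ev(4672, "2020-07-12T06:02:00.000000Z", 16088370, SubjectUserName="SYSTEM"),
    # Runtime change later that day: Domain Admins silently dropped from the list.
    _ev(4908, "2020-07-12T09:30:00.000000Z", 16090001, SidList=ADMINISTRATORS),
    # Then the list is emptied altogether.
    _ev(4908, "2020-07-12T09:31:00.000000Z", 16090002, SidList="-"),
]


def parse_sid_list(value):
    """Split a SidList value into a set of SIDs; '-' (or empty) means no special groups."""
    value = (value or "").strip()
    if value == "-":
        return set()
    return {s.strip() for s in value.split(";") if s.strip()}


def _when(event):
    return datetime.fromisoformat(event["system"]["time_created"].replace("Z", "+00:00"))


def special_group_changes(events):
    """Walk the log in time order and return one finding per 4908.

    Each finding lists the SIDs added and removed relative to the previous 4908,
    whether it is the boot-time baseline or a runtime change, and a severity:
    'high' when a SID was removed (4964 will no longer fire for that group),
    'medium' when a SID was added at runtime, otherwise 'info'.
    """
    findings = []
    previous = None        # SID set from the last 4908 seen, None before the first
    boot_pending = False   # True between a 4608 and the 4908 that follows it
    for ev in sorted(events, key=_when):
        eid = ev["system"]["event_id"]
        if eid == 4608:
            boot_pending = True
            continue
        if eid != 4908:
            continue
        current = parse_sid_list(ev["event_data"].get("SidList"))
        kind = "boot-baseline" if boot_pending else "runtime-change"
        boot_pending = False
        added = sorted(current - previous) if previous is not None else sorted(current)
        removed = sorted(previous - current) if previous is not None else []
        if removed:
            severity = "high"
        elif added and kind == "runtime-change":
            severity = "medium"
        else:
            severity = "info"
        findings.append({
            "time": ev["system"]["time_created"],
            "record_id": ev["system"]["event_record_id"],
            "kind": kind,
            "added": added,
            "removed": removed,
            "current": sorted(current),
            "severity": severity,
        })
        previous = current
    return findings


if __name__ == "__main__":
    for f in special_group_changes(SAMPLE_EVENTS):
        print(f"{f['time']} #{f['record_id']} {f['kind']:14} {f['severity']:6} "
              f"added={f['added']} removed={f['removed']}")
```

Because each 4908 is diffed against the one before it regardless of boot boundaries, a boot-time record that differs from the last runtime record also surfaces an edit made while the system was offline, which is the comparison the community note suggests.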
