4731 A security-enabled local group was created
Logged when a security-enabled local group is created. It records the creation of a group, the unit by which privileges are granted to members in bulk.
Overview
The subcategory is Audit Security Group Management. It is generated when a security-enabled local group, one that can be used to grant access rights, is created. A group is the unit for granting privileges to members in bulk, so creating one signifies a change in the privilege design.
How it is triggered
- Local group creation via net localgroup <name> /add, Computer Management, New-LocalGroup, and so on.
Security review points
- An attacker may create their own group to consolidate privileges and accounts in it, for later privilege management or masquerading. Confirm the creating subject and group name are as expected.
- Creating a group alone grants no privileges. Combine it with the subsequent member addition (4732) and rights grants to that group (4704) to track a privilege-expansion sequence.
Notes for log review
- Local groups are also created during application installs and legitimate operations. Match against normal patterns of creating subject and group name.
- Creation of domain global/universal groups is a separate event (4727 / 4754, etc.). Do not confuse those with the local-group 4731.
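The review points above describe two checks: comparing the creating subject and group name against a baseline of normal activity, and correlating 4731 with a later 4732 (member added) and 4704 (user right assigned) for the same group. The following is an added example, not part of this reference page, that performs both checks over a handful of constructed event records. It assumes the EventData XML field names of the Security log (TargetUserName for the group name, TargetSid for its SID, SubjectUserName for the creating subject, PrivilegeList on 4704), a hypothetical baseline set of installer accounts, and a 30-minute correlation window; the sample events and SIDs are made up.

```python
"""Correlate Security events 4731 -> 4732 -> 4704 into a privilege-expansion
sequence and check the creating subject against a baseline of expected creators."""
from datetime import datetime, timedelta

# Constructed sample events (not taken from any real system). Field names are
# the EventData XML names used in the Security log: TargetUserName is the
# group name, TargetSid its SID, SubjectUserName the creating subject.
SAMPLE_EVENTS = [
    # Legitimate: an installer account creates a group and nothing else follows.
    {"EventID": 4731, "TimeCreated": "2024-05-01T09:00:05",
     "SubjectUserName": "svc_installer", "TargetUserName": "AppServiceOps",
     "TargetSid": "S-1-5-21-100-200-300-1005"},
    # Suspicious: an ordinary user creates a group, adds a member, and the
    # group is then granted a user right, all within a few minutes.
    {"EventID": 4731, "TimeCreated": "2024-05-01T22:13:40",
     "SubjectUserName": "jdoe", "TargetUserName": "Helpers",
     "TargetSid": "S-1-5-21-100-200-300-1006"},
    {"EventID": 4732, "TimeCreated": "2024-05-01T22:13:52",
     "SubjectUserName": "jdoe", "TargetUserName": "Helpers",
     "TargetSid": "S-1-5-21-100-200-300-1006",
     "MemberSid": "S-1-5-21-100-200-300-1007"},
    {"EventID": 4704, "TimeCreated": "2024-05-01T22:15:10",
     "SubjectUserName": "jdoe", "TargetSid": "S-1-5-21-100-200-300-1006",
     "PrivilegeList": "SeDebugPrivilege"},
    # Unrelated 4732 on a different group, next day: must not be correlated.
    {"EventID": 4732, "TimeCreated": "2024-05-02T08:00:00",
     "SubjectUserName": "admin", "TargetUserName": "Remote Desktop Users",
     "TargetSid": "S-1-5-32-555", "MemberSid": "S-1-5-21-100-200-300-1008"},
]

# Hypothetical baseline of subjects that routinely create local groups
# (installer and service accounts); tune this to the environment.
EXPECTED_CREATORS = frozenset({"svc_installer", "SYSTEM"})


def _ts(event):
    """Parse the ISO-8601 TimeCreated value into a datetime."""
    return datetime.fromisoformat(event["TimeCreated"])


def correlate_group_creation(events, window=timedelta(minutes=30),
                             expected_creators=EXPECTED_CREATORS):
    """Return one finding per 4731 event.

    Each finding lists, in chronological order, which stages of the
    creation (4731) -> member added (4732) -> right granted (4704) chain were
    seen for the same group SID within `window`, and flags a creating subject
    that is not in the baseline.
    """
    events = sorted(events, key=_ts)
    findings = []
    for ev in events:
        if ev["EventID"] != 4731:
            continue
        created, sid = _ts(ev), ev["TargetSid"]
        stages = [4731]
        for later in events:
            # Only later events, inside the window, about the same group SID.
            if (_ts(later) <= created or _ts(later) - created > window
                    or later.get("TargetSid") != sid):
                continue
            if later["EventID"] in (4732, 4704) and later["EventID"] not in stages:
                stages.append(later["EventID"])
        findings.append({
            "group": ev["TargetUserName"],
            "creator": ev["SubjectUserName"],
            "stages": stages,
            "unexpected_creator": ev["SubjectUserName"] not in expected_creators,
            # The full chain inside one window is the pattern worth escalating.
            "privilege_expansion": {4731, 4732, 4704} <= set(stages),
        })
    return findings


if __name__ == "__main__":
    for finding in correlate_group_creation(SAMPLE_EVENTS):
        print(finding)
```

Matching on the group SID rather than the name is deliberate: 4704 does not carry a group name, only the Target Account SID, and a SID survives a rename. On the sample data the installer's group yields a single-stage finding with an expected creator, while the "Helpers" group yields the full three-stage chain from an unexpected creator.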
Key fields
| Field | Meaning |
|---|---|
| New Group\Group Name | The created group name |
| Subject\Account Name | The subject that created the group |