4734 A security-enabled local group was deleted
Logged when a security-enabled local group is deleted. It records a change to the group-based privilege design.
Overview
The subcategory is Audit Security Group Management. The event is generated when a local group is deleted. Paired with 4731 (group created), it tracks the group's lifecycle.
How it is triggered
- Group deletion via `net localgroup <name> /delete`, `Remove-LocalGroup`, and so on.
Security review points
- Deleting a group that is used to grant privileges is a change to the access-control configuration. Deleting a legitimate group removes the privileges and access tied to it, so confirm that the deletion was intended.
- An attacker may delete a group they created temporarily (4731) as cleanup. Cross-reference the deletion with the creation (4731) and member-addition (4732) history for the same group.
Notes for log review
- The event also occurs during legitimate cleanup and uninstalls. Compare the deleted group and the acting subject against their normal patterns.
- Because the deletion event does not carry member information, reconstruct what the group was by combining it with the member add/remove events logged before the deletion.
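The two review points above, cross-referencing a deletion with the group's creation and membership changes and reconstructing the membership that was lost, can be done with a small correlation pass over the exported events. The following is an added example, not code from the original page: it works on constructed sample records (not real log data), uses only the event IDs 4731, 4732 and 4734 from this page plus 4733 (member removed from a security-enabled local group), and the field names, the 24-hour "short-lived group" threshold and the `same subject created and deleted it` heuristic are assumptions chosen for the example.

```python
"""Correlate 4731 (group created), 4732 (member added), 4733 (member removed)
and 4734 (group deleted) to reconstruct a deleted local group's history."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real event log data). Only the fields used
# for correlation are kept: EventID, TimeCreated, Group Name, Subject Account
# Name and, for 4732/4733, the member that was added or removed.
SAMPLE_EVENTS = [
    {"EventID": 4731, "TimeCreated": "2024-05-01T02:10:00", "Group": "svc_tmp",
     "Subject": "svc_build", "Member": None},
    {"EventID": 4732, "TimeCreated": "2024-05-01T02:10:05", "Group": "svc_tmp",
     "Subject": "svc_build", "Member": "CORP\\tempacct"},
    {"EventID": 4734, "TimeCreated": "2024-05-01T02:45:00", "Group": "svc_tmp",
     "Subject": "svc_build", "Member": None},
    {"EventID": 4731, "TimeCreated": "2024-02-12T09:00:00", "Group": "AppUsers",
     "Subject": "Administrator", "Member": None},
    {"EventID": 4732, "TimeCreated": "2024-02-12T09:01:00", "Group": "AppUsers",
     "Subject": "Administrator", "Member": "CORP\\alice"},
    {"EventID": 4732, "TimeCreated": "2024-02-13T09:01:00", "Group": "AppUsers",
     "Subject": "Administrator", "Member": "CORP\\bob"},
    {"EventID": 4733, "TimeCreated": "2024-03-01T09:01:00", "Group": "AppUsers",
     "Subject": "Administrator", "Member": "CORP\\alice"},
    {"EventID": 4734, "TimeCreated": "2024-05-02T14:00:00", "Group": "AppUsers",
     "Subject": "Administrator", "Member": None},
]


def reconstruct_lifecycles(events):
    """Replay the per-group event history in time order.

    Returns {group_name: info} where info holds who created and deleted the
    group, when, and the membership as it stood at the moment of deletion
    (rebuilt from the 4732/4733 events, since 4734 itself carries no members).
    """
    by_group = defaultdict(list)
    for ev in events:
        by_group[ev["Group"]].append(ev)

    lifecycles = {}
    for group, evs in by_group.items():
        evs.sort(key=lambda e: datetime.fromisoformat(e["TimeCreated"]))
        info = {"created_at": None, "created_by": None,
                "deleted_at": None, "deleted_by": None,
                "members_at_deletion": set()}
        members = set()
        for ev in evs:
            when = datetime.fromisoformat(ev["TimeCreated"])
            if ev["EventID"] == 4731:
                info["created_at"], info["created_by"] = when, ev["Subject"]
            elif ev["EventID"] == 4732:
                members.add(ev["Member"])
            elif ev["EventID"] == 4733:
                members.discard(ev["Member"])
            elif ev["EventID"] == 4734:
                info["deleted_at"], info["deleted_by"] = when, ev["Subject"]
                # Snapshot the reconstructed membership at deletion time.
                info["members_at_deletion"] = set(members)
        lifecycles[group] = info
    return lifecycles


def flag_short_lived_deletions(lifecycles, max_lifetime=timedelta(hours=24)):
    """Return groups that were created and deleted by the same subject within
    max_lifetime: the create / add member / delete cleanup pattern that the
    review points single out. Threshold and heuristic are assumptions."""
    flagged = []
    for group, info in lifecycles.items():
        if info["created_at"] is None or info["deleted_at"] is None:
            continue  # no full lifecycle visible in this export
        lifetime = info["deleted_at"] - info["created_at"]
        if lifetime <= max_lifetime and info["created_by"] == info["deleted_by"]:
            flagged.append(group)
    return flagged


if __name__ == "__main__":
    lc = reconstruct_lifecycles(SAMPLE_EVENTS)
    for group in flag_short_lived_deletions(lc):
        info = lc[group]
        print(f"{group}: created {info['created_at']} by {info['created_by']}, "
              f"deleted {info['deleted_at']} by {info['deleted_by']}, "
              f"members at deletion: {sorted(info['members_at_deletion'])}")
```

Run as-is it reports only `svc_tmp` (created and deleted 35 minutes apart by the same account, with one member added in between) and leaves the months-old `AppUsers` group unflagged; the reconstructed membership for both groups is available from `reconstruct_lifecycles` for the analyst to compare against expected users.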
Key fields
| Field | Meaning |
|---|---|
| Group\Group Name | The deleted group |
| Subject\Account Name | The subject that performed the deletion |