4764 A group's type was changed
Logged when a group's type is changed. It records conversions between distribution and security groups (and changes of group scope), so it is the event to watch for a group gaining or losing the ability to grant access.
Overview
Subcategory: Audit Security Group Management. The event is generated when a group's type is changed, where "type" covers both the security/distribution attribute and the scope (domain local, global or universal). It is logged for security and distribution groups alike. In the event text Windows calls a security group "Security Enabled" and a distribution group "Security Disabled", and the Change Type field states the old type and the new type, for example a security-disabled global group changed to a security-enabled global group.
How it is triggered
- Conversion from a distribution group to a security group, or the reverse.
- A change of group scope (domain local / global / universal), even when the security/distribution attribute stays the same; not every 4764 is therefore a conversion, and the Change Type text has to be read to tell the cases apart.
Security review points
- Conversion from distribution to security group is the notable direction. A distribution group cannot be placed on an ACL or assigned user rights, but once converted the same membership can be granted access. This enables an evasive technique: an attacker accumulates members in a lightly monitored distribution group (those additions are logged only as 4746/4751/4761, member added to a security-disabled local/global/universal group), then converts it to a security group and grants privileges to every member at once.
- Track what follows the conversion: whether a user right is assigned to the group (4704), or the group is added as a member of a privileged security group (4728/4732/4756 with the converted group as the member). Placing the group on an ACL is only visible in the log if object access auditing is configured for that object, so do not rely on the event log alone for that path.
Notes for log review
- A type change is rare in normal administration, so every 4764 deserves a look. Treat the "distribution to security" direction as high priority and verify with the change owner that it was authorised; a scope-only change is lower priority but should still be reviewed for the same subject account.
- Review the group's current membership together with the privileges the group can now be granted. The members were already present before the conversion, so no "member added to a security-enabled group" event (4728/4732/4756) was ever logged for them; look back for the 4746/4751/4761 events that added them while the group was still a distribution group.
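The triage flow described in the review points and the log-review notes above, as an added example that is not code from the original page: it parses the Change Type text of constructed 4764 records, rates the distribution-to-security direction high, lists the members that were added while the group was still a distribution group (logged as 4746/4751/4761), and searches the same stream for the 4704 and 4728/4732/4756 follow-ups that hand the converted group power. The flat field names (`ChangeType`, `GroupName`, `SubjectAccountName`, `TargetAccountName`, `NewRight`, `MemberName`, `Time`) are assumptions standing in for whatever a SIEM or `Get-WinEvent` parse produces; the exact phrasing of the Change Type text is assumed as well, and the sample events are constructed.

```python
"""Triage for Windows Security event 4764 (a group's type was changed).
Added example, not from the original page; events are flat dicts with assumed field names."""
import re
from dataclasses import dataclass

# Windows audit wording: security group = "Security Enabled", distribution group = "Security Disabled".
# The Change Type text is assumed to read "Security <Enabled|Disabled> <scope> Group Changed to ...".
CHANGE_RE = re.compile(
    r"Security\s+(?P<old_sec>Enabled|Disabled)\s+(?P<old_scope>Local|Global|Universal)\s+Group\s+Changed\s+to"
    r"\s+Security\s+(?P<new_sec>Enabled|Disabled)\s+(?P<new_scope>Local|Global|Universal)\s+Group", re.IGNORECASE)

# Real Windows security audit event IDs used by the checks below.
USER_RIGHT_ASSIGNED = 4704
ADDED_TO_SECURITY_GROUP = {4728, 4732, 4756}      # member added to security-enabled global/local/universal group
ADDED_TO_DISTRIBUTION_GROUP = {4751, 4746, 4761}  # member added to security-disabled global/local/universal group

@dataclass
class TypeChange:
    time: str
    group: str
    subject: str
    old_security: bool
    new_security: bool
    old_scope: str
    new_scope: str

    @property
    def direction(self) -> str:
        if not self.old_security and self.new_security:
            return "distribution->security"
        if self.old_security and not self.new_security:
            return "security->distribution"
        return "scope-only"

def parse_4764(ev: dict):
    """Turn one flat 4764 record into a TypeChange; None for any other event ID."""
    if ev.get("EventID") != 4764:
        return None
    m = CHANGE_RE.search(ev.get("ChangeType", ""))
    if m is None:
        raise ValueError(f"unrecognised Change Type text: {ev.get('ChangeType')!r}")
    return TypeChange(ev["Time"], ev["GroupName"], ev["SubjectAccountName"],
                      m["old_sec"].lower() == "enabled", m["new_sec"].lower() == "enabled",
                      m["old_scope"].capitalize(), m["new_scope"].capitalize())

def members_added_before(change: TypeChange, events: list) -> list:
    """Members added while the group was still a distribution group: logged as 4746/4751/4761,
    never as 4728/4732/4756, so a rule watching only security-group membership never saw them."""
    return [ev["MemberName"] for ev in events
            if ev["EventID"] in ADDED_TO_DISTRIBUTION_GROUP
            and ev.get("GroupName") == change.group and ev["Time"] < change.time]

def follow_ups(change: TypeChange, events: list) -> list:
    """Later events that hand the converted group power: a user right assigned to it (4704)
    or the group nested into another security group (4728/4732/4756 with it as the member)."""
    hits = []
    for ev in events:
        if ev["Time"] <= change.time:
            continue
        if ev["EventID"] == USER_RIGHT_ASSIGNED and ev.get("TargetAccountName") == change.group:
            hits.append((ev["EventID"], f"{ev['NewRight']} assigned to {change.group}"))
        elif ev["EventID"] in ADDED_TO_SECURITY_GROUP and ev.get("MemberName") == change.group:
            hits.append((ev["EventID"], f"{change.group} nested into {ev['GroupName']}"))
    return hits

def triage(events: list) -> list:
    """One finding per 4764 in the stream; distribution->security is the high-priority direction."""
    findings = []
    for ev in events:
        change = parse_4764(ev)
        if change is None:
            continue
        findings.append({
            "group": change.group, "subject": change.subject, "direction": change.direction,
            "scope": f"{change.old_scope}->{change.new_scope}",
            "priority": "high" if change.direction == "distribution->security" else "review",
            "members_added_as_distribution": members_added_before(change, events),
            "follow_ups": follow_ups(change, events),
        })
    return findings

# Constructed sample stream (not real log data), ordered by time.
SAMPLE_EVENTS = [
    {"Time": "2024-05-01T09:00:00Z", "EventID": 4751, "GroupName": "Newsletter-Team", "MemberName": "CORP\\jdoe"},
    {"Time": "2024-05-01T09:01:00Z", "EventID": 4751, "GroupName": "Newsletter-Team", "MemberName": "CORP\\svc-backup"},
    {"Time": "2024-05-02T10:00:00Z", "EventID": 4764, "GroupName": "Newsletter-Team", "SubjectAccountName": "CORP\\helpdesk01",
     "ChangeType": "Security Disabled Global Group Changed to Security Enabled Global Group."},
    {"Time": "2024-05-02T10:05:00Z", "EventID": 4704, "TargetAccountName": "Newsletter-Team", "NewRight": "SeBackupPrivilege"},
    {"Time": "2024-05-02T10:07:00Z", "EventID": 4728, "GroupName": "Domain Admins", "MemberName": "Newsletter-Team"},
    {"Time": "2024-05-03T11:00:00Z", "EventID": 4764, "GroupName": "Finance-Apps", "SubjectAccountName": "CORP\\admin2",
     "ChangeType": "Security Enabled Global Group Changed to Security Enabled Universal Group."},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Run directly it prints two findings: the Newsletter-Team conversion rated high with two pre-existing members and a 4704 and a 4728 follow-up, and the Finance-Apps scope-only change rated review. In practice feed it the parsed 4764, 4704, 4728/4732/4756 and 4746/4751/4761 events for the same domain over a window of days, since the conversion and the later grant need not be minutes apart.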
Key fields
| Field | Meaning |
|---|---|
| Group\Group Name | The group whose type was changed |
| Subject\Account Name | The account that made the change |