4908 Special Groups Logon table modified
Written when the Special Groups logon table is modified. It captures changes to the setting that specially monitors logons of specific groups.
Overview
Subcategory: Audit Policy Change. The event is generated when the Special Groups table, the list of group SIDs that Special Groups auditing watches, is changed. Special Groups auditing is the mechanism that records event 4964 (Special groups assigned to a new logon) whenever an account belonging to one of the listed groups logs on; 4908 documents changes to that list itself.
How it is triggered
- When the watch list stored in the registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\SpecialGroups (a REG_SZ holding semicolon-separated SIDs) is changed, whether by hand in regedit, by script, or by policy.
Security review points
- Special Groups auditing is an important detection control: it surfaces logons by members of sensitive groups (Administrators and the like) as 4964 events. If an attacker removes a monitored group from this table, that group's logons are no longer specially recorded (defense evasion). Compare the post-change table against the list of groups you expect to be monitored.
- Investigate whether an important group was dropped from the watch list, or whether the change was unexpected (no change ticket, odd time, unfamiliar host). Review it together with 4964: a gap in 4964 events for a sensitive group that coincides with a 4908 is the pattern to look for.
Notes for log review
- This is a rare change on a healthy system, so every occurrence deserves a look. Treat changes that reduce the set of monitored groups as high priority.
- Record the table contents after the change (which group SIDs remain monitored). Note that 4908 itself does not name the account that made the change; to attribute it, audit the registry key (Object Access > Audit Registry with a SACL on the SpecialGroups value) and correlate with the resulting 4657 (registry value modified) events.
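A check an analyst can run on a host for the review points above, as an added example that is not code from the original page: it reads the current table from the registry, diffs it against a site-defined baseline of groups that must stay monitored, and then walks the stored 4908 events, parsing each event's SidList field, to flag any change that dropped a baseline group. The baseline SIDs, the function names, and the use of Get-WinEvent against the local Security log are assumptions chosen for illustration; the registry location and the SidList format are the documented ones.

```powershell
# Added example, not code from the original page. Assumptions: the baseline below is
# site-specific; the table lives in the documented registry value
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\SpecialGroups (semicolon-separated SIDs).
# Run in an elevated PowerShell session on the host being reviewed.

# Groups that must stay on the watch list (assumed baseline; adjust per site).
$Baseline = @(
    'S-1-5-32-544'   # BUILTIN\Administrators
    'S-1-5-32-548'   # BUILTIN\Account Operators
)

function Get-SpecialGroupsTable {
    # Current table as an array of SID strings (empty if the value is absent).
    $item = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Audit' -Name 'SpecialGroups' -ErrorAction SilentlyContinue
    if (-not $item -or -not $item.SpecialGroups) { return @() }
    return @($item.SpecialGroups -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function ConvertFrom-SidList {
    # 4908 stores the post-change table in its SidList field as "%{SID} %{SID} ...".
    param([string]$SidList)
    return @([regex]::Matches($SidList, '\{(S-1-[0-9-]+)\}') | ForEach-Object { $_.Groups[1].Value })
}

function Resolve-SidName {
    # Best-effort SID to account name; falls back to the raw SID when it cannot be resolved.
    param([string]$Sid)
    try {
        return ([System.Security.Principal.SecurityIdentifier]$Sid).Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $Sid }
}

function Compare-SpecialGroupsTable {
    # Diff a table against the expected list; Reduced is the defense-evasion signal.
    param([string[]]$Current, [string[]]$Expected)
    $removed = @($Expected | Where-Object { $_ -notin $Current })
    $added   = @($Current  | Where-Object { $_ -notin $Expected })
    return [pscustomobject]@{ Removed = $removed; Added = $added; Reduced = ($removed.Count -gt 0) }
}

# 1. Is the live table still complete?
$live  = Get-SpecialGroupsTable
$state = Compare-SpecialGroupsTable -Current $live -Expected $Baseline
if ($state.Reduced) {
    $names = ($state.Removed | ForEach-Object { Resolve-SidName $_ }) -join ', '
    Write-Warning "Special Groups table no longer monitors: $names"
}

# 2. Which recorded 4908 events shrank the watch list? Review those first.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4908 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml   = [xml]$_.ToXml()
        $field = $xml.Event.EventData.Data | Where-Object { $_.Name -eq 'SidList' }
        $after = ConvertFrom-SidList ($field.'#text')
        $diff  = Compare-SpecialGroupsTable -Current $after -Expected $Baseline
        $prio  = if ($diff.Reduced) { 'HIGH' } else { 'normal' }
        [pscustomobject]@{
            Time            = $_.TimeCreated
            RecordId        = $_.RecordId
            MonitoredAfter  = (($after | ForEach-Object { Resolve-SidName $_ }) -join ', ')
            DroppedBaseline = ($diff.Removed -join ', ')
            Priority        = $prio
        }
    } | Sort-Object Time -Descending | Format-Table -AutoSize
```

The script only tells you what the table looked like after each change and whether the change reduced coverage; because 4908 carries no subject, pair the RecordId and Time of any HIGH row with the 4657 registry-modification event on the same host to identify the account that made the change.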
Key fields
| Field | Meaning |
|---|---|
| Special Groups (SidList) | The post-change table: the SIDs of the monitored groups, written as `%{S-1-5-32-544} %{S-1-5-32-548}` |
| (no Subject fields) | 4908 does not record who changed the table; obtain the acting account from registry auditing (4657) on the SpecialGroups value |