4964 Special groups have been assigned to a new logon
Written when a member of a designated “Special Group” logs on. It is a targeted detection event that surfaces logons by high-value accounts.
Overview
The subcategory is Audit Special Logon. The event is generated when a member of a group designated in Special Groups auditing (e.g. Domain Admins, a sensitive service group) logs on. Changes to the list of monitored groups (the special groups logon table) are themselves recorded by event 4908.
How it is triggered
- When a member of a group registered as a special group logs on to any host.
- It is logged alongside 4624 (successful logon) for the same logon session, indicating the account's special-group membership.
Security review points
- It reliably picks high-value account (administrator, etc.) logons out of the large volume of normal logons. Check which special group’s member logged on, when, and to which machine.
- If an administrator-level account logs on to an unexpected machine or at an unexpected time, suspect credential abuse or lateral movement. Monitor it together with event 4908, which records changes to the special-groups table itself.
Notes for log review
- It only appears once Special Groups auditing is configured. Register the high-value groups you want to monitor (Domain Admins, Enterprise Admins, etc.) in advance.
- Correlate with logon 4624 and privilege assignment 4672 to build the full picture of privileged logons. Pay particular attention to administrator logons to servers that are not normally logged on to.
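The correlation and review checks described above, as an added example that is not part of the original page: it joins constructed 4624, 4672 and 4964 records on Logon ID (keyed per host, since Logon IDs are only unique on the machine that issued them), resolves the well-known Domain Admins (RID 512) and Enterprise Admins (RID 519) SIDs, and flags special-group logons to hosts outside an assumed allowlist or outside assumed business hours. The sample events, host allowlist and hours are constructed for illustration.

```python
"""Correlate Windows event 4964 (special group logon) with 4624/4672 by Logon ID
and flag privileged logons to unexpected hosts or at unexpected times."""
from collections import defaultdict
from datetime import datetime

# Well-known RIDs of high-value domain groups.
HIGH_VALUE_RIDS = {"512": "Domain Admins", "519": "Enterprise Admins"}

# Assumed allowlist: hosts where administrator-level logons are routine.
EXPECTED_ADMIN_HOSTS = {"DC01", "JUMP01"}
# Assumed business hours, local time: 08:00 <= hour < 19:00.
BUSINESS_HOURS = (8, 19)

# Constructed sample events (not real log data). Field names follow the
# page's "Key fields" table; the domain SID prefix is made up.
_DOM = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_EVENTS = [
    # jdoe (Domain Admins) logs on to a file server over the network
    {"EventID": 4624, "Computer": "FILESRV01", "Time": "2024-03-04T09:12:05",
     "Logon ID": "0x3E7A12", "Account Name": "jdoe", "Logon Type": 3},
    {"EventID": 4672, "Computer": "FILESRV01", "Time": "2024-03-04T09:12:05",
     "Logon ID": "0x3E7A12", "Account Name": "jdoe"},
    {"EventID": 4964, "Computer": "FILESRV01", "Time": "2024-03-04T09:12:05",
     "Logon ID": "0x3E7A12", "Account Name": "jdoe", "Special Groups": f"{_DOM}-512"},
    # jdoe logs on interactively to a domain controller during the day
    {"EventID": 4624, "Computer": "DC01", "Time": "2024-03-04T10:05:41",
     "Logon ID": "0x41C0B9", "Account Name": "jdoe", "Logon Type": 10},
    {"EventID": 4672, "Computer": "DC01", "Time": "2024-03-04T10:05:41",
     "Logon ID": "0x41C0B9", "Account Name": "jdoe"},
    {"EventID": 4964, "Computer": "DC01", "Time": "2024-03-04T10:05:41",
     "Logon ID": "0x41C0B9", "Account Name": "jdoe", "Special Groups": f"{_DOM}-512"},
    # svc_backup (Enterprise Admins) logs on to a domain controller at night
    {"EventID": 4624, "Computer": "DC01", "Time": "2024-03-04T02:31:10",
     "Logon ID": "0x5A9F00", "Account Name": "svc_backup", "Logon Type": 3},
    {"EventID": 4672, "Computer": "DC01", "Time": "2024-03-04T02:31:10",
     "Logon ID": "0x5A9F00", "Account Name": "svc_backup"},
    {"EventID": 4964, "Computer": "DC01", "Time": "2024-03-04T02:31:10",
     "Logon ID": "0x5A9F00", "Account Name": "svc_backup", "Special Groups": f"{_DOM}-519"},
]


def group_names(sid_list):
    """Map the semicolon-separated Special Groups SID list to readable names."""
    names = []
    for sid in sid_list.split(";"):
        sid = sid.strip()
        if not sid:
            continue
        rid = sid.rsplit("-", 1)[-1]
        names.append(HIGH_VALUE_RIDS.get(rid, sid))  # unknown SIDs kept verbatim
    return names


def review_special_logons(events, expected_hosts=EXPECTED_ADMIN_HOSTS,
                          business_hours=BUSINESS_HOURS):
    """Return one finding per 4964 event, joined with its 4624/4672 and flagged."""
    by_logon = defaultdict(dict)
    for ev in events:
        # Logon IDs are unique per host (and per boot), so key on both.
        by_logon[(ev["Computer"], ev["Logon ID"])][ev["EventID"]] = ev

    findings = []
    for (host, logon_id), evs in by_logon.items():
        special = evs.get(4964)
        if special is None:
            continue  # ordinary session, not a special-group member
        when = datetime.fromisoformat(special["Time"])
        flags = []
        if host not in expected_hosts:
            flags.append("unexpected_host")
        if not (business_hours[0] <= when.hour < business_hours[1]):
            flags.append("off_hours")
        if 4624 not in evs:
            flags.append("no_4624")  # 4964 without a matching logon record
        if 4672 not in evs:
            flags.append("no_4672")  # session did not receive admin privileges
        logon = evs.get(4624, {})
        findings.append({
            "time": special["Time"],
            "host": host,
            "account": special["Account Name"],
            "logon_id": logon_id,
            "logon_type": logon.get("Logon Type"),
            "groups": group_names(special["Special Groups"]),
            "flags": flags,
        })
    return sorted(findings, key=lambda f: f["time"])


if __name__ == "__main__":
    for f in review_special_logons(SAMPLE_EVENTS):
        print(f"{f['time']} {f['account']}@{f['host']} {f['groups']} flags={f['flags']}")
```

In a real deployment the records would come from the Security log of each host (or a SIEM); the checks stay the same, and the per-host allowlist is the part that needs tuning so that routine administrator logons do not drown the unexpected ones.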
Key fields
| Field | Meaning |
|---|---|
| New Logon\Account Name | The account that logged on |
| Special Groups | The SIDs of the matched special groups |
| Logon ID | The key for matching with 4624 |
Glossary
- Special Groups Auditing — a mechanism that specially records logons of members of designated groups. Used to monitor high-value accounts such as administrators.