Group Change

Windows 10

Windows 7

Flynn Weeks

Flynn Weeks

April 21, 2022

Enabled by default

Service: Microsoft Windows Security auditing

Log type: Security

Group change can indicate unauthorized privilege escalation of a whole user group. This should be monitored so that user permissions are known and not over reaching. This log is recommended by the NSA Cyber Event Forwarding Guidance.

Compliance

Changes made to a security group are automatically logged and can be viewed in the security tab of the Event Viewer. To view these logs, sort or filter by event ID 4735.

To view this log in the command line with Get-WinEvent, open PowerShell as an administrator. From here, enter the command Get-WinEvent -FilterHashTable @{LogName='Security';ID='4735'} -MaxEvents 1 | Format-List

To view this log in the command line with wevtutil, open PowerShell or Command Prompt as an administrator. From here, enter the commandwevtutil qe Security "/q:*[System [(EventID=4735)]]"

View Logs
Get-WinEvent -FilterHashTable @{LogName='Security';ID='4735'} -MaxEvents 1 | Format-List
Check Logging Status
auditpol /get /subcategory:"security group management"
Disable Logging
auditpol /set /subcategory:"security group management" /Success:Disable /Failure:Disable
Enable Logging
auditpol /set /subcategory:"security group management" /Success:Enable /Failure:Enable
Language: Powershell
View Log Pile