Member Removed from Group

Windows 10

Windows 7

Flynn Weeks

April 21, 2022

Enabled by default

Service: Microsoft Windows Security auditing

Log type: Security

A group membership change can indicate an attacker removing an account from an administrative group in an effort to clean up after an attack, for example deleting a membership they added earlier (Event ID 4732, member added to a security-enabled local group) so the escalation leaves no obvious trace. Monitor removals from groups that carry elevated permissions, such as the built-in Administrators group, and pair each removal with the addition that preceded it.

Windows 10 Professional logs local group membership changes by default. To view this log, open Event Viewer, expand Windows Logs and select Security. To see a member being removed from a group, filter by Event ID 4733 (A member was removed from a security-enabled local group). Note that 4733 covers local groups only; removals from domain global or universal groups are recorded under separate event IDs on the domain controller, so 4733 alone does not cover Active Directory groups.

To view this log on the command line with Get-WinEvent, open PowerShell as an administrator (reading the Security log requires elevation). From there, run: Get-WinEvent -FilterHashtable @{LogName='Security';ID=4733} -MaxEvents 1 | Format-List

To view this log on the command line with wevtutil, open PowerShell or Command Prompt as an administrator. From there, run: wevtutil qe Security "/q:*[System[(EventID=4733)]]" /c:1 /rd:true /f:text (the /c:1 switch returns a single event, /rd:true reads the newest event first, and /f:text renders it as readable text instead of raw XML).

View Logs
Get-WinEvent -FilterHashTable @{LogName='Security';ID='4733'} -MaxEvents 1 | Format-List
Check Logging Status
auditpol /get /subcategory:"security group management"
Disable Logging
auditpol /set /subcategory:"security group management" /Success:Disable /Failure:Disable
Enable Logging
auditpol /set /subcategory:"security group management" /Success:Enable /Failure:Enable
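The commands above only retrieve raw events. The following is an added example, not code from the original page, that parses 4733 records into flat objects and flags the two patterns worth alerting on: removals from privileged groups and an actor removing their own account (the cleanup pattern described above). The group list in $PrivilegedGroups, the function names and the sample event are constructed assumptions for illustration; adjust them to your environment.

```powershell
# Added example (not from the original page): parse Event ID 4733 records and flag
# removals that deserve a closer look. The group names in $PrivilegedGroups and the
# sample event below are constructed assumptions; adjust them to your environment.
# Reading the live Security log requires an elevated PowerShell session.

$PrivilegedGroups = @('Administrators', 'Remote Desktop Users', 'Backup Operators')

function ConvertFrom-GroupRemovalXml {
    # Turn one 4733 event (as XML text) into a flat object with the fields analysts care about.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $xml  = [xml]$EventXml
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # MemberName is usually '-' for 4733, so resolve MemberSid to an account name
        # when the SID can still be translated (deleted accounts will fail; keep the SID).
        $member = $data['MemberName']
        if (-not $member -or $member -eq '-') {
            try {
                $sid    = [System.Security.Principal.SecurityIdentifier]$data['MemberSid']
                $member = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $member = $data['MemberSid'] }
        }

        [pscustomobject]@{
            Time      = [datetime]$xml.Event.System.TimeCreated.SystemTime
            Computer  = $xml.Event.System.Computer
            Group     = $data['TargetUserName']
            GroupSid  = $data['TargetSid']
            Member    = $member
            MemberSid = $data['MemberSid']
            Actor     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            ActorSid  = $data['SubjectUserSid']
            LogonId   = $data['SubjectLogonId']
        }
    }
}

function Test-SuspiciousRemoval {
    # Attach a Reason to removals from privileged groups and to self-removals
    # (the actor removed their own account). Everything else is dropped.
    param([Parameter(Mandatory, ValueFromPipeline)]$Removal)
    process {
        $reasons = @()
        # S-1-5-32-544 is the well-known SID of the built-in Administrators group.
        if ($PrivilegedGroups -contains $Removal.Group -or $Removal.GroupSid -eq 'S-1-5-32-544') {
            $reasons += 'privileged group'
        }
        if ($Removal.MemberSid -eq $Removal.ActorSid) { $reasons += 'self-removal' }
        if ($reasons.Count -gt 0) {
            $Removal | Add-Member -NotePropertyName Reason -NotePropertyValue ($reasons -join ', ') -PassThru
        }
    }
}

function Get-GroupRemovalEvents {
    # Pull recent 4733 events from the local Security log (needs administrator rights).
    param([int]$MaxEvents = 100)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4733 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { $_.ToXml() } | ConvertFrom-GroupRemovalXml
}

# Constructed sample event: a local account removing itself from the built-in Administrators group.
$SampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4733</EventID>
    <TimeCreated SystemTime="2022-04-21T15:03:11.0000000Z" />
    <Computer>WS01</Computer>
  </System>
  <EventData>
    <Data Name="MemberName">-</Data>
    <Data Name="MemberSid">S-1-5-21-1004336348-1177238915-682003330-1105</Data>
    <Data Name="TargetUserName">Administrators</Data>
    <Data Name="TargetDomainName">Builtin</Data>
    <Data Name="TargetSid">S-1-5-32-544</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1004336348-1177238915-682003330-1105</Data>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">WS01</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>
'@

# Run the detection over the constructed sample (works offline), then over the live log.
$SampleEvent | ConvertFrom-GroupRemovalXml | Test-SuspiciousRemoval | Format-List
Get-GroupRemovalEvents | Test-SuspiciousRemoval | Format-Table Time, Group, Member, Actor, Reason -AutoSize
```

The sample event is flagged with both reasons, because the group SID is the built-in Administrators group and the SubjectUserSid matches the MemberSid. Matching on the group SID as well as the name keeps the check working on localized systems where the Administrators group is named differently.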