Group Created
Enabled by default
Service: Microsoft Windows Security auditing
Log type: Security
Groups allow multiple user accounts to be managed as one, so an attacker may try to create a group that carries escalated privileges.
Get-WinEvent -FilterHashTable @{LogName='Security';ID='4731'} -MaxEvents 1 | Format-List
auditpol /get /subcategory:"security group management"
auditpol /set /subcategory:"security group management" /Success:Disable /Failure:Disable
auditpol /set /subcategory:"security group management" /Success:Enable /Failure:Enable
Compliance
HIPAA
Level: Recommended
PCI DSS
Level: Recommended
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf?agreement=true&time=1631643252599
NSA Event Forwarding
Level: Recommended
https://github.com/nsacyber/Event-Forwarding-Guidance/tree/master/Events
Group creation is logged automatically by Windows 10 Professional. To view it, open Event Viewer and select the Security channel, then sort or filter for Event ID 4731.
To view this log in the command line with Get-WinEvent, open PowerShell as an administrator. From here, enter the command Get-WinEvent -FilterHashTable @{LogName='Security';ID='4731'} -MaxEvents 1 | Format-List
To view this log in the command line with wevtutil, open PowerShell or Command Prompt as an administrator. From here, enter the command wevtutil qe Security "/q:*[System [(EventID=4731)]]"
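The following PowerShell script is an added example, not part of the original page, that builds on the Get-WinEvent command above: it pulls recent 4731 events, extracts the creating account and the new group's name and SID from the event XML, and flags group names that warrant review. It assumes the Security log is readable (run PowerShell as an administrator) and that each event carries the standard 4731 EventData fields (SubjectDomainName, SubjectUserName, SubjectLogonId, TargetUserName, TargetSid); the name pattern used for flagging is a constructed heuristic.

```powershell
# Added example (not from the original page): summarise recent
# "security-enabled local group created" (4731) events.
# Assumes: Security log readable (administrator) and standard 4731 EventData fields.
function Get-GroupCreationEvents {
    param(
        [int]$MaxEvents = 50,
        [datetime]$Since = (Get-Date).AddDays(-7)
    )

    $filter = @{ LogName = 'Security'; ID = 4731; StartTime = $Since }

    # -ErrorAction SilentlyContinue suppresses the "No events were found" error
    # so the function simply returns nothing when the log is empty for this ID.
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The event body is XML; collect the EventData name/value pairs.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                TimeCreated  = $_.TimeCreated
                Computer     = $_.MachineName
                Creator      = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                CreatorLogon = $data['SubjectLogonId']   # correlate with 4624 logon events
                GroupName    = $data['TargetUserName']
                GroupSid     = $data['TargetSid']
            }
        }
}

$events = Get-GroupCreationEvents
$events | Format-Table -AutoSize

# Constructed heuristic: names that hint at elevated intent deserve a second look.
# Tune the pattern for your environment; it is an example, not a fixed rule.
$suspicious = $events | Where-Object { $_.GroupName -match 'admin|backup|remote' }
if ($suspicious) {
    Write-Warning "Review these newly created groups:"
    $suspicious | Format-Table TimeCreated, Creator, GroupName, GroupSid -AutoSize
}
```

Because the audit subcategory must be enabled for any 4731 events to exist, run the `auditpol /get /subcategory:"security group management"` command listed above first; if it reports "No Auditing", the script will return nothing regardless of what groups were created.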