Member Added to Group

Windows 10 Windows 7 Security Group Activity

Enabled by default

Service: Microsoft Windows Security auditing

Log type: Security

Group membership change can indicate a user adding themselves to an admin group without permissions. It is important to monitor the groups that have escalated permissions. This log is recommended by the NSA Cyber Event Forwarding Guidance.

View Logs

Get-WinEvent -FilterHashTable @{LogName='Security';ID='4732'} -MaxEvents 1 | Format-List

Check Logging Status

auditpol /get /subcategory:"security group management"

Disable Logging

auditpol /set /subcategory:"security group management" /Success:Disable /Failure:Disable

Enable Logging

auditpol /set /subcategory:"security group management" /Success:Enable /Failure:Enable

Language: Powershell

Back to Windows

Compliance

HIPAA

Level: Recommended

https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf?language=es

NSA Event Forwarding

Level: Recommended

https://github.com/nsacyber/Event-Forwarding-Guidance/tree/master/Events

Windows 10 Professional logs group membership changes by default. To view this log, navigate to the Event Viewer security tab. To view the group membership change logs, sort or filter by the IDs 4732. Event ID 4732 is a log of a user being added to a security group.

To view this log in the command line with Get-WinEvent, open PowerShell as an administrator. From here, enter the command Get-WinEvent -FilterHashTable @{LogName='Security';ID='4732'} -MaxEvents 1 | Format-List

To view this log in the command line with wevtutil, open PowerShell or Command Prompt as an administrator. From here, enter the command wevtutil qe Security "/q:*[System [(EventID=4732)]]"

Additional References

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor