4727 : A security-enabled global group was created
- Generates each time a security-enabled global group is created (generates only for domain groups)
| 4727 | A security-enabled global group was created |
| Category | Security Group Management |
| Event Type | Success |
| Provider | Microsoft-Windows-Security-Auditing |
| Channel | Security |
| Criticity | Low |
| Volumetry | Low |
| Reference | See Event 4731 (same event structure for all groups) |
Monitoring Recommendations :
- Check who are creating groups over the domain
- Ensure new created groups are respecting naming conventions
Exemples of 4727 events
Get event details with PowerShell :
- Event Structure
| Displayed Value | XML Value | Comments |
|---|---|---|
| [New Group] Group Name | TargetUserName | Name of the created group. |
| [New Group] Group Domain | TargetDomainName | Domain or computer name of the created group. |
| [New Group] Security ID | TargetSid | SID of the created group. The SID is resolved when possible and if not, displayed in it’s original format. |
| [Subject] Security ID | SubjectUserSid | SID of account that created the group. The SID is resolved when possible and if not, displayed in it’s original format. |
| [Subject] Account Name | SubjectUserName | Name of the account that requested the “create group” operation. |
| [Subject] Account Domain | SubjectDomainName | Domain or computer name of the account that requested the “create group” operation. Formats may vary. |
| [Subject] Logon ID | SubjectLogonId | Value that can help to correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.” |
| [Additional Information] Privileges | PrivilegeList | List of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-” |
| [Attributes] SAM Account Name | SamAccountName | Pre-Windows 2000 logon name |
| [Attributes] SID History | SidHistory | Previous SIDs used for the object if the object was moved from another domain |
- Get XML template of the event
PS C:\Users\Administrator> (Get-WinEvent -ListProvider Microsoft-Windows-Security-Auditing).Events | ? {$_.Id -eq '4727'}
- Powershell script to retreive in a CSV file all logged Events ID 4727 for the current domain.
# Audit 4727 Events (A security-enabled global group was created) & export events information to CSV table
# EventID_4727_SecurityGlobalGroupWasCreated.ps1
# wiki.l0ran.xyz
# August 30th, 2024
# $Xpath24h = '*[System[(EventID=4727) and TimeCreated[timediff(@SystemTime) <= 86400000]]]'
$filterxpath = '*[System[EventID=4727]]'
# CSV Output folder
$CSVOutputFolder = 'C:\tmp'
# CSV Outfile
$CSVOutFile = "$CSVOutputFolder\EventID_4727_UserAccountWasDeleted.csv"
$dom = @()
$DCList = @()
$dom = (Get-ADDomainController).domain
$DCList = (Get-ADDomainController -filter * -server $dom).hostname
function Get-4727
{param
([Parameter(Mandatory=$true, ValueFromPipeline=$true, HelpMessage="Data to process")]
$InputObject)
process
{$eventXml4727 = ([xml]$InputObject.ToXml()).Event
[PSCustomObject]@{
Date = [DateTime]$eventXml4727.System.TimeCreated.SystemTime
RecordID = $eventXml4727.System.EventRecordID
Computer = $eventXml4727.System.Computer
Provider = $eventXml4727.System.Provider.Name
Level = $eventXml4727.System.Level
EventID = $eventXml4727.System.Eventid
ExecutionProcessID = $eventXml4727.System.Execution.ProcessID
ThreadID = $eventXml4727.System.Execution.ThreadID
TargetUserName = $eventXml4727.EventData.data[0].'#text'
TargetDomainName = $eventXml4727.EventData.data[1].'#text'
TargetSid = $eventXml4727.EventData.data[2].'#text'
SubjectUserSid = $eventXml4727.EventData.data[3].'#text'
SubjectUserName = $eventXml4727.EventData.data[4].'#text'
SubjectDomainName = $eventXml4727.EventData.data[5].'#text'
SubjectLogonId = $eventXml4727.EventData.data[6].'#text'
PrivilegeList = $eventXml4727.EventData.data[7].'#text'
SamAccountName = $eventXml4727.EventData.data[8].'#text'
SidHistory = $eventXml4727.EventData.data[9].'#text' }}
} # End function get-4727
foreach ($DC in $DCList)
{write-host "Working on $DC" -ForegroundColor Cyan
Get-WinEvent -Logname security -ComputerName $DC -FilterXPath $filterxpath -ea 0 |
get-4727 |
Export-Csv -Delimiter ';' -path $CSVOutFile -NoTypeInformation -Append}