4731 : A security-enabled local group was created
- Generates every time a security-enabled local group is created (on a domain controller, this is a domain local group)
- Event is logged on the computer where the group was created: domain controllers, member servers or workstations
4731 | A security-enabled local group was created |
Category | Group Management |
Event Type | Success |
Provider | Microsoft-Windows-Security-Auditing |
Channel | Security |
Criticality | Low |
Volume | Low |
Reference | https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4731 |
Monitoring Recommendations:
- Monitor this event to see who created the group, from which logon session (Subject Logon ID, correlated with 4624) and when
- Monitor for "Naming Conventions" compliance: a group whose name does not match the expected pattern may have been created outside the normal change process
Examples of 4731 events

Get 4731 event details with PowerShell:
- Event 4731 Structure
Displayed Value | XML Value | Comments |
---|---|---|
[New Group] Group Name | TargetUserName | Name of the created group. |
[New Group] Group Domain | TargetDomainName | Domain or computer name of the created group. |
[New Group] Security ID | TargetSid | SID of the created group. The SID is resolved when possible and if not, displayed in its original format. |
[Subject] Security ID | SubjectUserSid | SID of the account that created the group. The SID is resolved when possible and if not, displayed in its original format. |
[Subject] Account Name | SubjectUserName | Name of the account that requested the “create group” operation. |
[Subject] Account Domain | SubjectDomainName | Domain or computer name of the account that requested the “create group” operation. Formats may vary. |
[Subject] Logon ID | SubjectLogonId | Value that can help to correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.” |
[Additional Information] Privileges | PrivilegeList | List of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-” |
[Attributes] SAM Account Name | SamAccountName | Pre-Windows 2000 logon name |
[Attributes] SID History | SidHistory | Previous SIDs used for the object if the object was moved from another domain |
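The following PowerShell is an added example for this page, not part of the original script: it reads the EventData fields listed in the table above by their Name attribute (rather than by position) and applies the "Naming Conventions" check from the monitoring recommendations. The naming pattern, host names, SIDs and the two sample events are constructed for the demonstration.

```powershell
# Added example (not part of the original wiki script): parse 4731 events by field
# name and flag groups that do not follow a naming convention.
# Assumption: group names follow GRP-<SCOPE>-<PURPOSE>[-<QUALIFIER>...] in upper case.
$NamingConvention = '^GRP-(SRV|WKS|APP|ADM)-[A-Z0-9]+(-[A-Z0-9]+)*$'

# Constructed sample events, in the shape returned by EventLogRecord.ToXml(),
# wrapped in an <Events> root so several can be parsed from one string.
$SampleEvents = @'
<Events>
 <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4731</EventID>
   <TimeCreated SystemTime="2024-09-05T08:12:33.000Z"/><EventRecordID>1001</EventRecordID>
   <Computer>DC01.corp.example</Computer></System>
  <EventData>
   <Data Name="TargetUserName">GRP-SRV-BACKUP-OPERATORS</Data><Data Name="TargetDomainName">CORP</Data>
   <Data Name="TargetSid">S-1-5-21-111-222-333-1105</Data><Data Name="SubjectUserSid">S-1-5-21-111-222-333-1104</Data>
   <Data Name="SubjectUserName">adm.jdoe</Data><Data Name="SubjectDomainName">CORP</Data>
   <Data Name="SubjectLogonId">0x3e7f1</Data><Data Name="PrivilegeList">-</Data>
   <Data Name="SamAccountName">GRP-SRV-BACKUP-OPERATORS</Data><Data Name="SidHistory">-</Data>
  </EventData>
 </Event>
 <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4731</EventID>
   <TimeCreated SystemTime="2024-09-05T23:47:10.000Z"/><EventRecordID>2042</EventRecordID>
   <Computer>DC02.corp.example</Computer></System>
  <EventData>
   <Data Name="TargetUserName">tmp_helpdesk</Data><Data Name="TargetDomainName">CORP</Data>
   <Data Name="TargetSid">S-1-5-21-111-222-333-1300</Data><Data Name="SubjectUserSid">S-1-5-21-111-222-333-1200</Data>
   <Data Name="SubjectUserName">svc-deploy</Data><Data Name="SubjectDomainName">CORP</Data>
   <Data Name="SubjectLogonId">0x1a2b3c</Data><Data Name="PrivilegeList">-</Data>
   <Data Name="SamAccountName">tmp_helpdesk</Data><Data Name="SidHistory">S-1-5-21-777-888-999-1050</Data>
  </EventData>
 </Event>
</Events>
'@

function ConvertFrom-Event4731 {
    # Flatten one <Event> node into an object. EventData is read by its Name
    # attribute, so the mapping does not depend on the order of the <Data> elements.
    param([Parameter(Mandatory)][System.Xml.XmlElement]$EventNode)
    $f = @{}
    foreach ($d in $EventNode.EventData.Data) { $f[$d.GetAttribute('Name')] = $d.InnerText }
    [PSCustomObject]@{
        Date        = [DateTime]$EventNode.System.TimeCreated.SystemTime
        Computer    = $EventNode.System.Computer
        RecordID    = [int]$EventNode.System.EventRecordID
        GroupName   = $f['TargetUserName']
        GroupDomain = $f['TargetDomainName']
        GroupSid    = $f['TargetSid']
        CreatedBy   = '{0}\{1}' -f $f['SubjectDomainName'], $f['SubjectUserName']
        LogonId     = $f['SubjectLogonId']   # join key towards 4624 for the creator's logon
        Privileges  = $f['PrivilegeList']
        SidHistory  = $f['SidHistory']
    }
}

function Test-Event4731 {
    # Apply the monitoring checks and return the event with an added Findings column.
    param([Parameter(Mandatory)]$Group, [string]$Pattern = $NamingConvention)
    $findings = @()
    # -cnotmatch is case-sensitive, so a lower-case name also violates the convention
    if ($Group.GroupName -cnotmatch $Pattern) { $findings += 'NamingConventionViolation' }
    # A freshly created group is not expected to carry SID history
    if ($Group.SidHistory -and $Group.SidHistory -ne '-') { $findings += 'SidHistoryPresent' }
    if ($Group.Privileges -and $Group.Privileges -ne '-') { $findings += "PrivilegeUsed:$($Group.Privileges)" }
    $Group | Add-Member -NotePropertyName Findings -NotePropertyValue ($findings -join ',') -PassThru
}

$report = foreach ($e in ([xml]$SampleEvents).Events.Event) {
    Test-Event4731 (ConvertFrom-Event4731 $e)
}
$report | Format-Table Date, Computer, GroupName, CreatedBy, Findings -AutoSize
```

With the constructed input, the first group passes cleanly and the second is reported with both NamingConventionViolation and SidHistoryPresent. On a real host, replace the sample with live records: `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4731} | ForEach-Object { Test-Event4731 (ConvertFrom-Event4731 ([xml]$_.ToXml()).Event) }`.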
- Get XML template of the 4731 event
(Get-WinEvent -ListProvider Microsoft-Windows-Security-Auditing).Events | Where-Object { $_.Id -eq 4731 } | Select-Object -ExpandProperty Template

- PowerShell script to export all 4731 events from every domain controller to a CSV file
# Audit 4731 Events (a security-enabled local group was created)
# EventID_4731_LocalGroupCreated.ps1
# wiki.l0ran.xyz
# September 5th, 2024
# Requires the ActiveDirectory module and remote event log access to each DC.
# Optional filter limited to the last 24 hours:
# $Xpath24h = '*[System[(EventID=4731) and TimeCreated[timediff(@SystemTime) <= 86400000]]]'
$filterxpath = '*[System[EventID=4731]]'
# CSV output folder
$CSVOutputFolder = 'C:\tmp'
# CSV output file
$CSVOutFile = "$CSVOutputFolder\EventID_4731_LocalGroupCreated.csv"
# List every DC of the current domain. On a DC the event covers domain local groups;
# to audit local groups on member servers or workstations, add their hostnames to $DCList.
$dom = (Get-ADDomainController).Domain
$DCList = (Get-ADDomainController -Filter * -Server $dom).HostName
function get-4731
{
    param
    (
        [Object]
        [Parameter(Mandatory=$true, ValueFromPipeline=$true, HelpMessage="Data to process")]
        $InputObject
    )
    process
    {
        $eventXml_4731 = ([xml]$InputObject.ToXml()).Event
        # Read the EventData fields by their Name attribute instead of by position,
        # so the mapping does not depend on field order and keeps the trailing attributes.
        $data = @{}
        foreach ($d in $eventXml_4731.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        [PSCustomObject]@{
            Date              = [DateTime]$eventXml_4731.System.TimeCreated.SystemTime
            RecordID          = $eventXml_4731.System.EventRecordID
            Computer          = $eventXml_4731.System.Computer
            Provider          = $eventXml_4731.System.Provider.Name
            Level             = $eventXml_4731.System.Level
            EventID           = $eventXml_4731.System.EventID
            Keywords          = $eventXml_4731.System.Keywords
            TargetUserName    = $data['TargetUserName']
            TargetDomainName  = $data['TargetDomainName']
            TargetSid         = $data['TargetSid']
            SubjectUserSid    = $data['SubjectUserSid']
            SubjectUserName   = $data['SubjectUserName']
            SubjectDomainName = $data['SubjectDomainName']
            SubjectLogonId    = $data['SubjectLogonId']
            PrivilegeList     = $data['PrivilegeList']
            SamAccountName    = $data['SamAccountName']
            SidHistory        = $data['SidHistory']
        }
    }
}
foreach ($DC in $DCList)
{
    Write-Host "Working on $DC" -ForegroundColor Cyan
    Get-WinEvent -LogName Security -ComputerName $DC -FilterXPath $filterxpath -ErrorAction SilentlyContinue |
        get-4731 |
        Export-Csv -Delimiter ';' -Path $CSVOutFile -NoTypeInformation -Append
}
# Remove duplicate records (e.g. when the CSV already existed from a previous run).
# EventRecordID is only unique within one host's log, so deduplicate on Computer + RecordID,
# otherwise events from different DCs sharing a record number would be dropped.
$FilteredCSV = Import-Csv -Path $CSVOutFile -Delimiter ';'
$FilteredCSV |
    Sort-Object -Property Computer, RecordID -Unique |
    Sort-Object -Descending -Property @{Expression = { [DateTime]$_.Date }} |
    Export-Csv -Delimiter ';' -Path $CSVOutFile -NoTypeInformation