Event 4731: A security-enabled local group was created.
A security-enabled local group was created.
Technical Details
Event ID: 4731
Windows Security- Account Management
Event Description
A security-enabled local group was created.
Key Log Fields
TargetUserName- Name of the created local groupTargetDomainName- Domain or computer nameTargetSid- SID of the new groupSubjectUserName- Account that created the groupSubjectDomainName- Domain of the creating accountSubjectLogonId- Logon ID for correlation
MITRE ATT&CK® Mapping (2)
Adversaries may create an account to maintain access to victim systems.(Citation: Symantec WastedLocker June 2020) With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system. Accounts may be created on the local system or within a domain or cloud tenant. In cloud environments, adversaries may create accounts that only have access to specific services, which can reduce the chance of detection.
Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. For example, with a sufficient level of access, the Windows <code>net user /add</code> command can be used to create a local account. On macOS systems the <code>dscl -create</code> command can be used to create a local account. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as <code>username</code>, or to Kubernetes clusters using the `kubectl` utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security) Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.