Windows SecurityAccount Management

Event 4731: A security-enabled local group was created.

A security-enabled local group was created.

Technical Details

Windows Security Source

Event ID: 4731

Windows Security- Account Management

Event Description

A security-enabled local group was created.

Key Log Fields

  • TargetUserName - Name of the created local group
  • TargetDomainName - Domain or computer name
  • TargetSid - SID of the new group
  • SubjectUserName - Account that created the group
  • SubjectDomainName - Domain of the creating account
  • SubjectLogonId - Logon ID for correlation

MITRE ATT&CK® Mapping (2)

T1136persistence
Create Account

Adversaries may create an account to maintain access to victim systems.(Citation: Symantec WastedLocker June 2020) With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system. Accounts may be created on the local system or within a domain or cloud tenant. In cloud environments, adversaries may create accounts that only have access to specific services, which can reduce the chance of detection.

T1136.001persistence
Local Account

Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. For example, with a sufficient level of access, the Windows <code>net user /add</code> command can be used to create a local account. On macOS systems the <code>dscl -create</code> command can be used to create a local account. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as <code>username</code>, or to Kubernetes clusters using the `kubectl` utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security) Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.

Contents