Event 4754: A security-enabled universal group was created.
A security-enabled universal group was created.
Technical Details
Event ID: 4754
Windows Security- Account Management
Event Description
A security-enabled universal group was created.
Key Log Fields
TargetUserName- Name of the created universal groupTargetDomainName- Domain where group was createdTargetSid- SID of the new groupSubjectUserName- Account that created the groupSubjectDomainName- Domain of the creating accountSubjectLogonId- Logon ID for correlation
MITRE ATT&CK® Mapping (2)
Adversaries may create an account to maintain access to victim systems.(Citation: Symantec WastedLocker June 2020) With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system. Accounts may be created on the local system or within a domain or cloud tenant. In cloud environments, adversaries may create accounts that only have access to specific services, which can reduce the chance of detection.
Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the <code>net user /add /domain</code> command can be used to create a domain account.(Citation: Savill 1999) Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.