Event ID 4750 - A security-disabled global group was changed
Log Sample
{
"EventTime": "2017/11/17 04:04:12"
"Hostname": "WIN-AE4MOB56I4P.changeme.com"
"Keywords": -9214364837600034816
"EventType": "AUDIT_SUCCESS"
"SeverityValue": 2
"Severity": "INFO"
"EventID": 4750
"SourceName": "Microsoft-Windows-Security-Auditing"
"ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}"
"Version": 0
"Task": 13827
"OpcodeValue": 0
"RecordNumber": 1912984
"ProcessID": 776
"ThreadID": 2032
"Channel": "Security"
"Message": "A security-disabled global group was changed.
"Category": "Distribution Group Management"
"Opcode": "Info"
"TargetUserName": "sigsan_global"
"TargetDomainName": "changeme"
"TargetSid": "S-1-5-21-924791265-3775684568-2843720401-1111"
"SubjectUserSid": "S-1-5-21-924791265-3775684568-2843720401-500"
"SubjectUserName": "Administrator"
"SubjectDomainName": "changeme"
"SubjectLogonId": "0x33903e"
"PrivilegeList": "-"
"SamAccountName": "-"
"SidHistory": "-"
"EventReceivedTime": "2017/11/17 04:04:12"
"SourceModuleName": "in"
"SourceModuleType": "im_msvistalog"
}
General Description
- This event generates every time security-disabled (distribution) global group is changed.
- This event generates only on domain controllers.
- From 4750 event you can get information about changes of sAMAccountName and sIDHistory attributes or you will see that something changed, but will not be able to see what exactly changed.
- If you have a list of critical distribution groups in the organization, and need to specifically monitor these groups for any change, monitor events with the “Group\Group Name” values that correspond to the critical distribution groups.
- If you need to monitor each time a new distribution group is created, to see who created the group and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.
- If your organization has naming conventions for account names, monitor “Attributes\SAM Account Name” for names that don’t comply with the naming conventions.
Detail Description
Subject:
- SubjectUserSID: SID of account that requested the “create Computer object” operation.
- SubjectUserName: the name of the account that requested the “create Computer object” operation.
- SubjectDomainName: subject’s domain name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- SubjectLogon ID: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
New Group (Target):
- TargetSID: SID of created computer account.
- TargetUserName: the name of the computer account that was created. For example: WIN81$
- TargetDomainName: domain name of created computer account. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
Attributes:
- SAM Account Name: logon name for account used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). The value of sAMAccountName attribute of new computer object. For example: WIN81$.
- SID History: contains previous SIDs used for the object if the object was moved from another domain.
Additional Information:
- Privileges: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
No comments:
Post a Comment