Sunday, October 6, 2019

Event ID 4749 - A security-disabled global group was created

Log Sample

{
 "EventTime": "2017/11/17 04:04:12",
 "Hostname": "WIN-AE4MOB56I4P.changeme.com",
 "Keywords": -9214364837600034816,
 "EventType": "AUDIT_SUCCESS",
 "SeverityValue": 2,
 "Severity": "INFO",
 "EventID": 4749,
 "SourceName": "Microsoft-Windows-Security-Auditing",
 "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "Version": 0,
 "Task": 13827,
 "OpcodeValue": 0,
 "RecordNumber": 2034819,
 "ProcessID": 776,
 "ThreadID": 2032,
 "Channel": "Security",
 "Message": "A security-disabled global group was created.",
 "Category": "Distribution Group Management",
 "Opcode": "Info",
 "TargetUserName": "sig_group",
 "TargetDomainName": "changeme",
 "TargetSid": "S-1-5-21-924791265-3775684568-2843720401-1113",
 "SubjectUserSid": "S-1-5-21-924791265-3775684568-2843720401-500",
 "SubjectUserName": "Administrator",
 "SubjectDomainName": "changeme",
 "SubjectLogonId": "0x33903e",
 "PrivilegeList": "-",
 "SamAccountName": "sig_group",
 "SidHistory": "-",
 "EventReceivedTime": "2017/11/17 04:04:12",
 "SourceModuleName": "in",
 "SourceModuleType": "im_msvistalog"
}

General Description
  • This event generates every time a new security-disabled (distribution) global group is created.
  • This event generates only on domain controllers.
SIEM: Security Consideration
  • If you need to monitor each time a new distribution group is created, to see who created the group and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.
  • If your organization has naming conventions for account names, monitor “Attributes\SAM Account Name” for names that don’t comply with the naming conventions.
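The two monitoring recommendations above (record who created which distribution group and when, and flag SAM account names that break a naming convention) are straightforward to implement over the JSON records this page shows. The following script is an added example, not code from the original post: it parses newline-delimited JSON records shaped like the log sample above (the im_msvistalog source module's output), keeps only Event ID 4749, and produces one finding per group creation. The naming convention (lowercase name ending in "_group") and the sample records are assumptions constructed for the example; the field names are the ones that appear in the log sample.

```python
import json
import re
from typing import Any, Dict, Iterable, List

# Assumed naming convention for distribution groups (hypothetical policy for this
# example): lowercase letters/digits, ending in "_group", e.g. "sig_group".
DEFAULT_NAME_PATTERN = re.compile(r"^[a-z][a-z0-9]*_group$")

# Constructed sample records modelled on the log sample above; not real data.
# The second 4749 record uses a name that violates the assumed convention, and the
# 4624 record is there to show that unrelated events are ignored.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {
        "EventTime": "2017/11/17 04:04:12", "Hostname": "WIN-AE4MOB56I4P.changeme.com",
        "EventID": 4749, "Channel": "Security",
        "SubjectUserName": "Administrator", "SubjectDomainName": "changeme",
        "SubjectLogonId": "0x33903e",
        "TargetUserName": "sig_group", "TargetDomainName": "changeme",
        "TargetSid": "S-1-5-21-924791265-3775684568-2843720401-1113",
        "SamAccountName": "sig_group",
    },
    {
        "EventTime": "2017/11/17 04:09:45", "Hostname": "WIN-AE4MOB56I4P.changeme.com",
        "EventID": 4749, "Channel": "Security",
        "SubjectUserName": "Administrator", "SubjectDomainName": "changeme",
        "SubjectLogonId": "0x33903e",
        "TargetUserName": "DL-Finance", "TargetDomainName": "changeme",
        "TargetSid": "S-1-5-21-924791265-3775684568-2843720401-1114",
        "SamAccountName": "DL-Finance",
    },
    {
        "EventTime": "2017/11/17 04:10:02", "Hostname": "WIN-AE4MOB56I4P.changeme.com",
        "EventID": 4624, "Channel": "Security",
        "SubjectUserName": "Administrator", "SubjectDomainName": "changeme",
    },
]

# The same records as newline-delimited JSON, the shape a log shipper typically emits.
SAMPLE_JSON_LINES = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def parse_json_lines(text: str) -> List[Dict[str, Any]]:
    """Parse one JSON object per line; blank or malformed lines are skipped so a
    single truncated record does not abort the whole audit."""
    events: List[Dict[str, Any]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def audit_distribution_group_creations(
    events: Iterable[Dict[str, Any]], pattern: re.Pattern = DEFAULT_NAME_PATTERN
) -> List[Dict[str, Any]]:
    """Return one finding per Event ID 4749: who created which group, when, and
    whether the group's SAM account name follows the naming convention."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4749 or ev.get("Channel") != "Security":
            continue
        # SamAccountName is the authoritative logon name; fall back to TargetUserName.
        name = ev.get("SamAccountName") or ev.get("TargetUserName", "")
        findings.append({
            "time": ev.get("EventTime"),
            "host": ev.get("Hostname"),
            "created_by": f"{ev.get('SubjectDomainName')}\\{ev.get('SubjectUserName')}",
            "logon_id": ev.get("SubjectLogonId"),  # key for correlating with 4624
            "group": f"{ev.get('TargetDomainName')}\\{name}",
            "group_sid": ev.get("TargetSid"),
            "compliant": bool(pattern.match(name)),
        })
    return findings


def noncompliant_group_names(
    events: Iterable[Dict[str, Any]], pattern: re.Pattern = DEFAULT_NAME_PATTERN
) -> List[str]:
    """Only the DOMAIN\\group names that break the convention (for alerting)."""
    return [f["group"] for f in audit_distribution_group_creations(events, pattern)
            if not f["compliant"]]


if __name__ == "__main__":
    for f in audit_distribution_group_creations(parse_json_lines(SAMPLE_JSON_LINES)):
        flag = "OK          " if f["compliant"] else "NONCOMPLIANT"
        print(f"{flag} {f['time']} {f['created_by']} created {f['group']} "
              f"({f['group_sid']}) logon {f['logon_id']}")
```

The informational findings (every 4749) are what you would write to a review table; only the non-compliant subset is worth an alert. The logon ID is carried through each finding so the creation can be tied back to the originating 4624 logon when that question comes up.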

Detail Description

Subject:
  • SubjectUserSid: SID of the account that requested the “create group” operation.
  • SubjectUserName: the name of the account that requested the “create group” operation.
  • SubjectDomainName: subject’s domain name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL

For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
  • SubjectLogonId: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”

New Group (Target):
  • TargetSid: SID of the created group.
  • TargetUserName: the name of the group that was created. For example: sig_group
  • TargetDomainName: domain name of the created group. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL

Attributes:
  • SAM Account Name: logon name used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). The value of the sAMAccountName attribute of the new group object. For example: sig_group.
  • SID History: contains previous SIDs used for the object if the object was moved from another domain.
Additional Information:
  • Privileges: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.