Event ID 4753 - A security-disabled global group was deleted

Event ID 4753 - A security-disabled global group was deleted

Log Sample

{

"EventTime": "2017/11/17 04:04:12"

 "Hostname": "WIN-AE4MOB56I4P.changeme.com"

 "Keywords": -9214364837600034816

 "EventType": "AUDIT_SUCCESS"

 "SeverityValue": 2

 "Severity": "INFO"

 "EventID": 4753

 "SourceName": "Microsoft-Windows-Security-Auditing"

 "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}"

 "Version": 0

 "Task": 13827

 "OpcodeValue": 0

 "RecordNumber": 2026256

 "ProcessID": 776

 "ThreadID": 5276

 "Channel": "Security"

 "Message": "A security-disabled global group was deleted."

 "Category": "Distribution Group Management"

 "Opcode": "Info"

 "TargetUserName": "ros_group"

 "TargetDomainName": "changeme"

 "TargetSid": "S-1-5-21-924791265-3775684568-2843720401-1112"

 "SubjectUserSid": "S-1-5-21-924791265-3775684568-2843720401-500"

 "SubjectUserName": "Administrator"

 "SubjectDomainName": "changeme"

 "SubjectLogonId": "0x33903e"

 "PrivilegeList": "-"

 "EventReceivedTime": "2017/11/17 04:04:12"

 "SourceModuleName": "in"

 "SourceModuleType": "im_msvistalog"

}

General Description

• This event generates every time security-disabled (distribution) global group is deleted.
• This event generates only on domain controllers.

SIEM Security Monitoring

• If you have a list of critical distribution groups in the organization, and need to specifically monitor these groups for any change, especially group deletion, monitor events with the “Group\Group Name” values that correspond to the critical distribution groups.
• If you need to monitor each time a distribution group is deleted, to see who deleted it and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.

Detail Description

Subject:

• SubjectUserSID: SID of account that requested the “create Computer object” operation. 
• SubjectUserName: the name of the account that requested the “create Computer object” operation.
• SubjectDomainName: subject’s domain name. Formats vary, and include the following:

Domain NETBIOS name example: CONTOSO

Lowercase full domain name: contoso.local

Uppercase full domain name: CONTOSO.LOCAL

For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.

• SubjectLogon ID: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”

Group (Target):

• TargetSID: SID of created computer account.
• TargetUserName: the name of the computer account that was created. For example: WIN81$
• TargetDomainName: domain name of created computer account. Formats vary, and include the following:

Domain NETBIOS name example: CONTOSO

Lowercase full domain name: contoso.local

Uppercase full domain name: CONTOSO.LOCAL

Attributes:

• SAM Account Name: logon name for account used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). The value of sAMAccountName attribute of new computer object. For example: WIN81$.
• SID History: contains previous SIDs used for the object if the object was moved from another domain. 

Additional Information:

• Privileges: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.