Windows Event ID 4732 – Microsoft-Windows-Security-Auditing: A Member Was Added to a Security-Enabled Local Group

Start by examining the specific event details to understand what happened:

1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
2. Navigate to Windows Logs → Security
3. Filter for Event ID 4732 by right-clicking the Security log and selecting Filter Current Log
4. Enter 4732 in the Event IDs field and click OK
5. Double-click the event to view detailed information including:
   • Subject: Who performed the action
   • Group: Which group was modified
   • Member: Which account was added
   • Process Information: What tool was used
6. Note the timestamp and correlate with other administrative activities
7. Check if the change was authorized by reviewing change management records

Use PowerShell to efficiently search and analyze Event ID 4732 occurrences:

1. Open PowerShell as Administrator
2. Query recent events with basic filtering:

   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4732} -MaxEvents 50 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap

3. Search for specific group additions in the last 24 hours:

   $StartTime = (Get-Date).AddDays(-1)
   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4732; StartTime=$StartTime} | ForEach-Object {
       $Event = [xml]$_.ToXml()
       [PSCustomObject]@{
           TimeCreated = $_.TimeCreated
           Subject = $Event.Event.EventData.Data[1].'#text'
           Group = $Event.Event.EventData.Data[5].'#text'
           Member = $Event.Event.EventData.Data[8].'#text'
       }
   }

4. Filter for high-privilege group additions:

   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4732} | Where-Object {
       $_.Message -match "Administrators|Domain Admins|Enterprise Admins|Backup Operators"
   } | Select-Object TimeCreated, Message

5. Export results for further analysis:

   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4732} -MaxEvents 100 | Export-Csv -Path "C:\Temp\GroupAdditions.csv" -NoTypeInformation

Confirm the current state of group memberships to validate the changes:

1. Check local group membership using PowerShell:

   Get-LocalGroupMember -Group "Administrators" | Format-Table Name, ObjectClass, PrincipalSource

2. For domain environments, verify domain group membership:

   Get-ADGroupMember -Identity "Domain Admins" | Select-Object Name, SamAccountName, ObjectClass

3. List all local groups and their members:

   Get-LocalGroup | ForEach-Object {
       Write-Host "Group: $($_.Name)" -ForegroundColor Yellow
       Get-LocalGroupMember -Group $_.Name | Format-Table Name, ObjectClass -AutoSize
   }

4. Compare with baseline group membership if available
5. Use Computer Management console for GUI verification:
   • Open compmgmt.msc
   • Navigate to Local Users and Groups → Groups
   • Double-click the relevant group to view current members
6. Document any unauthorized additions for security review

Set up comprehensive monitoring for future group membership changes:

1. Enable detailed audit policy using Group Policy or local policy:

   auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable

2. Configure audit policy through Group Policy Management:
   • Open gpmc.msc and edit the appropriate GPO
   • Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration
   • Enable Audit Security Group Management for Success and Failure
3. Set up PowerShell monitoring script for real-time alerts:

   Register-WmiEvent -Query "SELECT * FROM Win32_NTLogEvent WHERE LogFile='Security' AND EventCode=4732" -Action {
       $Event = $Event.SourceEventArgs.NewEvent
       Write-Host "Group membership change detected at $($Event.TimeGenerated)" -ForegroundColor Red
       # Add email notification or SIEM integration here
   }

4. Configure Windows Event Forwarding (WEF) for centralized logging:
   • Create custom views in Event Viewer for Event ID 4732
   • Set up subscriptions to forward events to central collector
5. Implement SIEM integration for automated alerting and correlation

Perform detailed forensic analysis when unauthorized group changes are suspected:

1. Collect comprehensive event data with timeline analysis:

   $StartTime = (Get-Date).AddDays(-7)
   $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4732,4733,4728,4729; StartTime=$StartTime}
   $Events | Sort-Object TimeCreated | Export-Csv -Path "C:\Forensics\GroupChanges.csv" -NoTypeInformation

2. Correlate with logon events (4624, 4625) to identify the source:

   $LogonEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$StartTime}
   # Cross-reference logon IDs with group change events

3. Examine process creation events (4688) for command-line details:

   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=$StartTime} | Where-Object {
       $_.Message -match "net.exe|powershell.exe|Add-LocalGroupMember"
   }

4. Check registry changes related to group membership:
   • Review HKLM\SAM\SAM\Domains\Builtin\Aliases for local group modifications
   • Use tools like RegRipper for detailed registry analysis
5. Analyze network connections and file access patterns:

   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5156} | Where-Object {
       $_.TimeCreated -gt $SuspiciousTime -and $_.TimeCreated -lt $SuspiciousTime.AddMinutes(10)
   }

6. Document findings and create incident response timeline
7. Implement remediation steps including password resets and privilege reviews