Windows Event ID 4735 – Microsoft-Windows-Security-Auditing: Security-Enabled Local Group Changed

Start by examining the specific details of Event ID 4735 to understand what changed and who initiated the modification.

1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
2. Navigate to Windows Logs → Security
3. Filter the log by clicking Filter Current Log in the Actions pane
4. Enter 4735 in the Event IDs field and click OK
5. Double-click on a recent Event ID 4735 entry to view detailed information
6. Review the following key fields in the event details:
   • Subject: Shows who made the change (Account Name and Account Domain)
   • Group: Displays the modified group name and SID
   • Changed Attributes: Lists specific modifications made to the group
   • Additional Information: Contains privileges used and process information
7. Cross-reference the timestamp with other security events to build a timeline of activities

Use PowerShell to efficiently query and analyze Event ID 4735 occurrences across multiple systems or time periods.

1. Open PowerShell as Administrator
2. Query recent Event ID 4735 entries with detailed information:

   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4735} -MaxEvents 50 | ForEach-Object {
       $xml = [xml]$_.ToXml()
       [PSCustomObject]@{
           TimeCreated = $_.TimeCreated
           SubjectUserName = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
           SubjectDomainName = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectDomainName'} | Select-Object -ExpandProperty '#text'
           TargetUserName = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'} | Select-Object -ExpandProperty '#text'
           TargetSid = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetSid'} | Select-Object -ExpandProperty '#text'
           GroupName = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'GroupName'} | Select-Object -ExpandProperty '#text'
       }
   } | Format-Table -AutoSize

3. Filter events by specific time range to investigate incidents:

   $StartTime = (Get-Date).AddDays(-7)
   $EndTime = Get-Date
   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4735; StartTime=$StartTime; EndTime=$EndTime}

4. Export results to CSV for further analysis:

   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4735} -MaxEvents 100 | Export-Csv -Path "C:\Temp\Event4735_Analysis.csv" -NoTypeInformation

5. Query multiple remote systems simultaneously:

   $Computers = @('Server01', 'Server02', 'Workstation01')
   Invoke-Command -ComputerName $Computers -ScriptBlock {
       Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4735} -MaxEvents 10
   } | Select-Object PSComputerName, TimeCreated, Id, LevelDisplayName, Message

Verify current local group configurations to understand the impact of detected changes and identify any unauthorized modifications.

1. List all local groups and their current memberships:

   Get-LocalGroup | ForEach-Object {
       $GroupName = $_.Name
       Write-Host "Group: $GroupName" -ForegroundColor Green
       try {
           Get-LocalGroupMember -Group $GroupName | Select-Object Name, ObjectClass, PrincipalSource | Format-Table
       } catch {
           Write-Host "  No members or access denied" -ForegroundColor Yellow
       }
       Write-Host ""
   }

2. Focus on privileged groups that commonly appear in security incidents:

   $PrivilegedGroups = @('Administrators', 'Remote Desktop Users', 'Backup Operators', 'Power Users')
   foreach ($Group in $PrivilegedGroups) {
       Write-Host "=== $Group ===" -ForegroundColor Cyan
       try {
           Get-LocalGroupMember -Group $Group | Select-Object Name, ObjectClass, PrincipalSource
       } catch {
           Write-Host "Group not found or access denied" -ForegroundColor Red
       }
   }

3. Compare current memberships with baseline configurations stored in documentation or previous exports
4. Check for recently added accounts that might indicate compromise:

   Get-LocalUser | Where-Object {$_.Enabled -eq $true -and $_.LastLogon -gt (Get-Date).AddDays(-30)} | Select-Object Name, LastLogon, PasswordLastSet

5. Verify group membership changes align with change management records or authorized administrative activities

Implement comprehensive audit policies to ensure proper logging of local group changes and related security events.

1. Open Group Policy Management Console or Local Group Policy Editor (gpedit.msc)
2. Navigate to Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies
3. Configure the following audit subcategories for comprehensive group change monitoring:
   • Account Management → Audit Security Group Management: Set to Success and Failure
   • Account Management → Audit User Account Management: Set to Success and Failure
   • Privilege Use → Audit Sensitive Privilege Use: Set to Success and Failure
4. Verify current audit settings using PowerShell:

   auditpol /get /subcategory:"Security Group Management"
   auditpol /get /subcategory:"User Account Management"
   auditpol /get /subcategory:"Sensitive Privilege Use"

5. Configure audit settings via command line if Group Policy is not available:

   auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
   auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

6. Set up Security log retention and archiving to prevent audit data loss:
   • Open Event Viewer → Windows Logs → Security
   • Right-click Security and select Properties
   • Increase Maximum log size to at least 100 MB
   • Select Archive the log when full, do not overwrite events
7. Consider implementing Windows Event Forwarding (WEF) for centralized log collection in enterprise environments

Deploy automated monitoring solutions to detect and respond to unauthorized local group changes in real-time.

1. Create a PowerShell script for continuous monitoring of Event ID 4735:

   # Save as Monitor-LocalGroupChanges.ps1
   param(
       [int]$CheckIntervalMinutes = 5,
       [string]$AlertEmail = "security@company.com",
       [string]$SMTPServer = "mail.company.com"
   )
   
   $LastCheck = (Get-Date).AddMinutes(-$CheckIntervalMinutes)
   $Events = Get-WinEvent -FilterHashtable @{
       LogName='Security'
       Id=4735
       StartTime=$LastCheck
   } -ErrorAction SilentlyContinue
   
   if ($Events) {
       $AlertBody = "Detected $($Events.Count) local group changes:\n\n"
       foreach ($Event in $Events) {
           $xml = [xml]$Event.ToXml()
           $Subject = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
           $Group = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'GroupName'} | Select-Object -ExpandProperty '#text'
           $AlertBody += "Time: $($Event.TimeCreated)\nUser: $Subject\nGroup: $Group\n\n"
       }
       
       Send-MailMessage -To $AlertEmail -From "noreply@company.com" -Subject "Local Group Changes Detected" -Body $AlertBody -SmtpServer $SMTPServer
   }

2. Schedule the monitoring script using Task Scheduler:

   $Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\Monitor-LocalGroupChanges.ps1"
   $Trigger = New-ScheduledTaskTrigger -RepetitionInterval (New-TimeSpan -Minutes 5) -RepetitionDuration (New-TimeSpan -Days 365) -At (Get-Date)
   $Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable
   Register-ScheduledTask -TaskName "Monitor Local Group Changes" -Action $Action -Trigger $Trigger -Settings $Settings -User "SYSTEM"

3. Configure Windows Event Forwarding for centralized monitoring:
   • On collector server, run: wecutil qc
   • Create subscription configuration file for Event ID 4735
   • Configure source computers to forward security events
4. Integrate with SIEM solutions by configuring log forwarding to tools like Splunk, QRadar, or Azure Sentinel
5. Set up correlation rules to detect patterns like multiple group changes from the same account or changes during off-hours
6. Implement automated response actions such as disabling accounts or triggering incident response workflows when suspicious patterns are detected