Windows Event ID 4749 – Microsoft-Windows-Security-Auditing: Security-Enabled Global Group Deleted

Start by examining the specific details of the 4749 event to understand what group was deleted and by whom.

1. Open Event Viewer on the domain controller where the event occurred
2. Navigate to Windows Logs → Security
3. Filter for Event ID 4749 using the filter option
4. Double-click the event to view detailed information including:
   • Subject: Account that deleted the group
   • Target Account: Details of the deleted group
   • Additional Information: Privileges used and process information
5. Note the Logon ID to correlate with other security events
6. Check the Process Name field to identify the tool used for deletion

Use PowerShell to query multiple domain controllers for the same event:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4749} -ComputerName DC01,DC02,DC03 | Select-Object TimeCreated,MachineName,Message | Format-Table -AutoSize

Investigate the lifecycle of the deleted group by examining related audit events to understand the full context.

1. Search for Event ID 4727 (global group created) with the same group name or SID
2. Look for Event ID 4737 (global group changed) to see recent modifications
3. Check Event ID 4728/4729 for member additions/removals before deletion

Use PowerShell to build a timeline of group-related events:

# Search for all events related to a specific group SID
$GroupSID = "S-1-5-21-1234567890-1234567890-1234567890-1234"
$Events = @(4727,4728,4729,4737,4749)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=$Events} | Where-Object {$_.Message -like "*$GroupSID*"} | Sort-Object TimeCreated | Select-Object TimeCreated,Id,Message

4. Examine the Process Name and Process ID fields across events to identify patterns
5. Check if the same account performed multiple group operations in sequence
6. Verify if the deletion was part of a planned maintenance window or unexpected

Investigate the account that performed the deletion to ensure it had legitimate reasons and proper authorization.

1. Identify the deleting account from the Subject section of the 4749 event
2. Check the account's group memberships and assigned privileges:

# Check group memberships for the account
$Username = "DOMAIN\AdminUser"
Get-ADUser -Identity $Username -Properties MemberOf | Select-Object -ExpandProperty MemberOf | Get-ADGroup | Select-Object Name,GroupScope

3. Review recent logon events (4624) for the account to establish access patterns
4. Check for any privilege escalation events (4672) around the same timeframe
5. Examine the Logon Type and Authentication Package used
6. Verify if the account accessed the system from expected locations:

# Find recent logons for the account
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} | Where-Object {$_.Message -like "*AdminUser*"} | Select-Object TimeCreated,@{Name='SourceIP';Expression={([xml]$_.ToXml()).Event.EventData.Data | Where-Object {$_.Name -eq 'IpAddress'} | Select-Object -ExpandProperty '#text'}} | Sort-Object TimeCreated -Descending | Select-Object -First 10

Assess the impact of the group deletion and determine if recovery is necessary.

1. Check if the deleted group had any assigned permissions by searching Group Policy and file system ACLs
2. Use PowerShell to scan for orphaned SIDs in the environment:

# Search for orphaned SIDs in Group Policy
Get-GPO -All | ForEach-Object {
    $GPOReport = Get-GPOReport -Guid $_.Id -ReportType Xml
    if ($GPOReport -match "S-1-5-21-.*-.*-.*-.*") {
        Write-Output "Potential orphaned SID found in GPO: $($_.DisplayName)"
    }
}

3. Check the Active Directory Recycle Bin if enabled (Windows Server 2008 R2 and later):

# Check if AD Recycle Bin is enabled
Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'

# If enabled, search for the deleted group
Get-ADObject -Filter {isDeleted -eq $true -and ObjectClass -eq "group"} -IncludeDeletedObjects | Where-Object {$_.Name -like "*DeletedGroupName*"}

4. If recovery is needed and Recycle Bin is enabled, restore the group:

# Restore deleted group (replace with actual distinguished name)
Restore-ADObject -Identity "CN=DeletedGroup\0ADEL:12345678-1234-1234-1234-123456789012,CN=Deleted Objects,DC=domain,DC=com"

5. Document the incident and implement additional monitoring if necessary

Set up enhanced monitoring and controls to prevent unauthorized group deletions in the future.

1. Configure Advanced Audit Policy to ensure comprehensive logging:

# Enable detailed account management auditing
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

2. Create a PowerShell monitoring script that alerts on group deletions:

# Monitor for Event ID 4749 and send alerts
Register-WmiEvent -Query "SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.LogFile = 'Security' AND TargetInstance.EventCode = 4749" -Action {
    $Event = $Event.SourceEventArgs.NewEvent.TargetInstance
    $Message = "ALERT: Security group deleted - Event ID 4749 detected on $($Event.ComputerName) at $($Event.TimeGenerated)"
    # Add your notification logic here (email, SIEM, etc.)
    Write-EventLog -LogName Application -Source "GroupDeletionMonitor" -EventId 1001 -Message $Message
}

3. Implement Administrative Units or Privileged Access Management (PAM) to control group management permissions
4. Configure Security Information and Event Management (SIEM) rules to correlate group deletion events with other suspicious activities
5. Set up regular reviews of critical security groups and their memberships
6. Consider implementing approval workflows for group deletions using tools like Microsoft Identity Manager or third-party solutions