Windows Event ID 4751 – Security: Computer Account Added to Security-Enabled Global Group

Start by examining the specific details of Event ID 4751 to understand what change occurred and who initiated it.

1. Open Event Viewer on the domain controller where the event was logged
2. Navigate to Windows Logs → Security
3. Filter for Event ID 4751 or search for recent occurrences
4. Double-click the event to view detailed information including:
   • Subject: User account that made the change
   • Member: Computer account that was added
   • Group: Target security group
   • Caller Process Name: Application that initiated the change
5. Note the timestamp and correlate with any scheduled maintenance or known administrative activities

Use PowerShell to efficiently search and analyze Event ID 4751 occurrences across your domain controllers.

1. Open PowerShell as Administrator on a domain controller or management workstation
2. Query recent Event ID 4751 entries:

   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4751} -MaxEvents 50 | Select-Object TimeCreated, Id, LevelDisplayName, Message

3. For more detailed analysis, extract specific fields:

   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4751} -MaxEvents 20 | ForEach-Object {
       $xml = [xml]$_.ToXml()
       [PSCustomObject]@{
           TimeCreated = $_.TimeCreated
           SubjectUserName = $xml.Event.EventData.Data[1].'#text'
           MemberName = $xml.Event.EventData.Data[6].'#text'
           GroupName = $xml.Event.EventData.Data[8].'#text'
           CallerProcessName = $xml.Event.EventData.Data[11].'#text'
       }
   }

4. Query events from multiple domain controllers:

   $DCs = Get-ADDomainController -Filter *
   foreach ($DC in $DCs) {
       Write-Host "Checking $($DC.Name)..."
       Invoke-Command -ComputerName $DC.Name -ScriptBlock {
           Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4751} -MaxEvents 10 -ErrorAction SilentlyContinue
       }
   }

Confirm the actual group membership changes and validate whether they were authorized.

1. Open Active Directory Users and Computers (dsa.msc)
2. Locate the computer account mentioned in the event:
   • Navigate to the appropriate OU or use the search function
   • Right-click the computer account and select Properties
   • Click the Member Of tab to view current group memberships
3. Verify the group mentioned in the event is now listed in the computer's memberships
4. Check the group's properties to see when the computer was added:
   • Navigate to the security group mentioned in the event
   • Right-click and select Properties
   • Click the Members tab to confirm the computer account is present
5. Use PowerShell to get detailed membership information:

   Get-ADComputer "ComputerName" -Properties MemberOf | Select-Object Name, @{Name="Groups";Expression={$_.MemberOf -replace '^CN=([^,]+),.*','$1'}}

Perform deeper forensic analysis by correlating Event ID 4751 with related security events.

1. Enable advanced auditing if not already configured:

   auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable

2. Search for related events that occurred around the same time:

   $StartTime = (Get-Date).AddHours(-2)
   $EndTime = Get-Date
   Get-WinEvent -FilterHashtable @{
       LogName='Security'
       Id=4624,4625,4648,4672,4751,4752,4756,4757
       StartTime=$StartTime
       EndTime=$EndTime
   } | Sort-Object TimeCreated

3. Check for logon events (4624) from the subject user around the time of the group change
4. Look for privilege use events (4672) that might indicate elevated permissions were used
5. Review any failed attempts (4625) that might indicate unauthorized access attempts
6. Export findings for further analysis:

   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4751} -MaxEvents 100 | Export-Csv -Path "C:\Temp\Event4751_Analysis.csv" -NoTypeInformation

Set up proactive monitoring to detect and alert on future Event ID 4751 occurrences, especially for sensitive groups.

1. Create a scheduled task to monitor for Event ID 4751:

   $Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\Monitor-Event4751.ps1"
   $Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 15) -RepetitionDuration (New-TimeSpan -Days 365)
   $Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable
   Register-ScheduledTask -TaskName "Monitor-Event4751" -Action $Action -Trigger $Trigger -Settings $Settings -User "SYSTEM"

2. Create the monitoring script (C:\Scripts\Monitor-Event4751.ps1):

   # Monitor-Event4751.ps1
   $LastCheck = (Get-Date).AddMinutes(-15)
   $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4751; StartTime=$LastCheck} -ErrorAction SilentlyContinue
   
   if ($Events) {
       foreach ($Event in $Events) {
           $xml = [xml]$Event.ToXml()
           $GroupName = $xml.Event.EventData.Data[8].'#text'
           $ComputerName = $xml.Event.EventData.Data[6].'#text'
           
           # Alert for sensitive groups
           $SensitiveGroups = @("Domain Admins", "Enterprise Admins", "Schema Admins")
           if ($GroupName -in $SensitiveGroups) {
               Send-MailMessage -To "admin@company.com" -From "security@company.com" -Subject "ALERT: Computer added to privileged group" -Body "Computer $ComputerName was added to $GroupName at $($Event.TimeCreated)" -SmtpServer "mail.company.com"
           }
       }
   }

3. Configure Windows Event Forwarding (WEF) to centralize Event ID 4751 from all domain controllers
4. Set up SIEM integration to correlate Event ID 4751 with other security events