EventPeeker
Event ID 4731 · Audit Success · Security · T1136

Windows Event ID 4731: Security-Enabled Local Group Created

Logged when a new security-enabled local group is created on a Windows system. Local groups are machine-specific — unlike global groups, they do not replicate to other systems. Attackers create custom local groups to establish stealthy persistence on individual machines, often naming them to look like service or departmental groups, then adding their account to the new group before assigning it elevated privileges.

MITRE ATT&CK

Technique: T1136 · Create Account

Tactic: Persistence


Why It Matters

Local group creation is rare in stable environments — the vast majority of local groups are created during OS installation or software deployment, not during normal operations. Any new local group created outside a provisioning window is unusual and warrants review. The stealthy persistence angle is that a new group named SVC_Monitor or LocalBackup that includes the attacker's account and is assigned a privilege or added to Administrators is harder to detect than a direct addition to the Administrators group, because defenders typically audit group membership changes rather than group creation events.

Key Fields

Group Name: The name of the newly created local group. Service-like names (SVC_, Backup_, Monitor_) on newly created groups are suspicious — legitimate software deployments create well-known group names documented by their vendors, not custom names.
Subject Account Name: The account that created the local group. Legitimate local group creation is performed by SYSTEM during software installation or by IT provisioning accounts during OS setup. Creation by an interactive user account or unexpected service account is suspicious.
Subject Logon ID: Links to the creator's session via Event 4624 — correlate to identify the source IP and logon type. A Type 3 (network) logon creating a local group indicates remote lateral movement activity rather than local administration.

Investigation Tips

  1. Local group creation on servers outside provisioning windows: most servers have a stable set of local groups established at deployment. Any 4731 event outside of documented deployment or patch windows should be reviewed — check the Software Installation or Change Management record for what was deployed at that time.
  2. Correlate with 4732 immediately after: if a member is added to the new local group within minutes of creation (4732 where the group matches the 4731 group), the attacker is loading their backdoor group. Check who was added and whether the group is subsequently assigned any privileges or added to Administrators.
  3. Cross-machine pattern detection: the same new group name appearing across multiple machines in a short window indicates automated lateral movement with local group backdoor deployment. An attacker using a script or C2 framework to deploy persistence will create identical groups on each compromised host — correlate 4731 events across hosts for matching Group Names.
  4. Check for subsequent privilege assignment: after creating a local group, an attacker may use `net localgroup Administrators SVC_Monitor /add` (generating 4732 to add the backdoor group to Administrators) or assign User Rights via Group Policy or local security policy (generating 4717). Alerting on 4731 alone misses the impact — follow the event chain through 4732 and 4717.
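A detection pass over constructed sample events, written as an added example for this page (it is not EventPeeker's code), that applies the Key Fields and the four Investigation Tips above: it flags a 4731 whose creator is outside an assumed provisioning allow-list, whose group name is service-like, that is followed by a 4732 on the same group within ten minutes, or whose group name appears on other hosts in a short window. Field names follow the Security log EventData layout (TargetUserName carries the group name); the sample events, the allow-list and the time windows are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs. Field names follow the Security
# log EventData layout: TargetUserName is the group, MemberName the added member.
EVENTS = [
    {"EventID": 4731, "Time": "2024-05-01T02:10:00", "Computer": "SRV01",
     "TargetUserName": "SVC_Monitor", "SubjectUserName": "jdoe", "SubjectLogonId": "0x3e7a1"},
    {"EventID": 4732, "Time": "2024-05-01T02:11:30", "Computer": "SRV01",
     "TargetUserName": "SVC_Monitor", "MemberName": "SRV01\\svc_mon",
     "SubjectUserName": "jdoe", "SubjectLogonId": "0x3e7a1"},
    {"EventID": 4731, "Time": "2024-05-01T02:12:05", "Computer": "SRV02",
     "TargetUserName": "SVC_Monitor", "SubjectUserName": "jdoe", "SubjectLogonId": "0x41b20"},
    {"EventID": 4731, "Time": "2024-05-01T09:00:00", "Computer": "SRV03",
     "TargetUserName": "IIS_IUSRS", "SubjectUserName": "SYSTEM", "SubjectLogonId": "0x3e7"},
]

EXPECTED_CREATORS = {"SYSTEM", "svc_provision"}  # assumed provisioning accounts
SERVICE_LIKE = ("SVC_", "BACKUP_", "MONITOR_")   # prefixes named in Key Fields

def ts(event):
    return datetime.fromisoformat(event["Time"])

def triage_4731(events, followup=timedelta(minutes=10), spread=timedelta(minutes=15)):
    """Return (computer, group, reasons) for every 4731 that deserves review."""
    creations = [e for e in events if e["EventID"] == 4731]
    adds = [e for e in events if e["EventID"] == 4732]
    by_group = defaultdict(list)          # group name -> 4731 events, for the cross-host check
    for c in creations:
        by_group[c["TargetUserName"].lower()].append(c)
    findings = []
    for c in creations:
        group, reasons = c["TargetUserName"], []
        if c["SubjectUserName"] not in EXPECTED_CREATORS:      # tip 1 / Subject Account Name
            reasons.append("created by non-provisioning account " + c["SubjectUserName"])
        if group.upper().startswith(SERVICE_LIKE):             # Group Name key field
            reasons.append("service-like custom group name")
        members = [a["MemberName"] for a in adds                # tip 2: 4732 on same host+group
                   if a["Computer"] == c["Computer"] and a["TargetUserName"] == group
                   and timedelta(0) <= ts(a) - ts(c) <= followup]
        if members:
            reasons.append("4732 within %d min: %s" % (followup.seconds // 60, ", ".join(members)))
        peers = {o["Computer"] for o in by_group[group.lower()]  # tip 3: same name elsewhere
                 if o["Computer"] != c["Computer"] and abs(ts(o) - ts(c)) <= spread}
        if peers:
            reasons.append("same group created on " + ", ".join(sorted(peers)))
        if reasons:
            findings.append((c["Computer"], group, reasons))
    return findings
```

The SYSTEM-created IIS_IUSRS group on SRV03 produces no finding, while the two SVC_Monitor creations are flagged on every applicable check; tip 4 (4732/4717 privilege follow-up) is a further join on the same group name and is left out here.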

Related Event IDs

4732: Member added to local group — the follow-on event; attacker adds their account or backdoor group to the newly created local group
4733: Member removed from local group — cleanup phase; group emptied before or after deletion
4734: Local group deleted — attacker cleanup after using the backdoor group
4735: Local group changed — group rename or description change to disguise the backdoor group

Frequently Asked Questions

When is local group creation legitimate?
Legitimate local group creation primarily occurs during three scenarios: (1) OS installation, when Windows creates its built-in groups like Administrators, Users, Remote Desktop Users, and others; (2) software installation, when applications like SQL Server, IIS, or backup agents create their own local service groups (e.g., IIS_IUSRS, SQLServerMSSQLUser$); (3) IT provisioning scripts that create environment-specific groups as part of a documented server configuration standard. Outside these contexts — especially during normal business hours on a production server with no corresponding change ticket — a 4731 event is unusual. The key distinguishing factor is the Subject Account Name: SYSTEM or a documented provisioning account is expected; an interactive user account or an unexpected service account is not.
How do attackers use custom local groups for persistence?
Attackers use custom local groups as an indirection layer for persistence. Rather than directly adding their backdoor account to the local Administrators group (which would appear in a 4732 alert targeting the Administrators group specifically), they create a new local group with an innocuous service-like name, add their backdoor account to that new group, and then add the new group to Administrators. This means a defender monitoring for 4732 events targeting the Administrators group will see the new group being added — which looks like a legitimate software deployment — rather than an individual user account being added. The 4731 event for the group creation, combined with the 4732 events for the membership chain, is the complete visibility needed to detect this technique.
What is the difference between Event 4731 and Event 4727?
Event 4731 is the creation of a local security group, which is machine-specific and only affects the system where it was created. Event 4727 is the creation of a global security group in Active Directory, which replicates to all domain controllers and can affect permissions across the entire domain. For attack impact, a backdoor global group (4727) that is added to Domain Admins grants domain-wide access from a single AD object; a backdoor local group (4731) grants access only on the machine where it was created, but must be deployed on each target machine individually. For detection priority, 4727 is higher impact per event, but 4731 events appearing across multiple machines simultaneously indicate a broader lateral movement campaign. Both events should be in scope for security monitoring with alerting on creation by non-provisioning accounts.
