Windows Event ID 4733 — Member Removed from Local Security Group
Logged when an account is removed from a local security group on a Windows system. The complement to Event ID 4732 (member added to local group). Fires for all local group removals including local Administrators, Backup Operators, Remote Desktop Users, and other machine-specific groups.
MITRE ATT&CK
T1098 · Account Manipulation
Persistence
Why It Matters
Local group removals have two security angles. The disruptive angle: removing IT or monitoring accounts from local Administrators on servers they manage locks them out of those systems during incident response. The cleanup angle: an attacker who added themselves to local Administrators via 4732 may later remove themselves (4733) once they have established stealthier persistence — the 4732+4733 pair for an unknown account is the backdoor-created-then-hidden lifecycle. On domain controllers specifically, removals from local Administrators have domain-wide impact because DC local admin access enables AD object manipulation and LSASS access.
Key Fields
Investigation Tips
1. 4732 + 4733 lifecycle for an unknown account: search for a 4732 where the Member Account Name matches the 4733 removal. If an account was added then removed from local Administrators within days or weeks with no corresponding IT ticket, the add-use-remove lifecycle indicates a temporary backdoor that has been cleaned up. The window between add and remove is the exploitation window.
2. Monitoring agent removals: if Event ID 4733 shows an EDR agent service account, AV engine account, or monitoring tool account removed from local Administrators or Performance Log Users, investigate immediately — this is defense evasion. The attacker is removing the tool's ability to operate with elevated rights on that machine.
3. Cross-machine pattern: the same account removed from local Administrators on 3+ machines in a short window is systematic cleanup after lateral movement. Pair with 4732 history on those same machines to understand the full scope of access that was established and then removed.
4. On domain controllers: any 4733 removing an account from local Administrators is elevated priority — DC local admin access enables DCSync-capable privilege and LSASS credential access. Removal from DC local Administrators may indicate the attacker is hiding their original access vector after establishing persistence via another mechanism.
Related Event IDs
Frequently Asked Questions
- Is Event ID 4733 suspicious on its own?
- Not necessarily — removing accounts from local groups is routine IT operations. The suspicious signals are: removal of monitoring agents or AV service accounts from Administrators (defense evasion), removal of IT accounts from local Administrators on servers during a security incident, a 4733 event that pairs with a preceding 4732 for the same account with no corresponding ticket (backdoor cleanup), or cross-machine removals of the same account in rapid succession. Evaluate the combination of target group, member account identity, and the subject performing the removal.
- How do attackers use the 4732 + 4733 pattern to hide backdoor access?
- An attacker who added a backdoor account to local Administrators (4732) for temporary access during their operation may remove it (4733) after achieving their objective. The goal is to ensure that a post-incident AD review of local group memberships does not show the backdoor account — by the time forensics runs, the account is not a member of any sensitive group. The 4732+4733 pair is still visible in event logs, though, which is why correlating removals against their corresponding additions (using Member Account Name across both events) catches this cleanup. Alert when any account goes through the full add-then-remove cycle on the Administrators group without a matching change ticket.
- What is the difference between Event ID 4733 and Event ID 4729?
- Event 4733 is removal from a local security group — machine-specific, affects only that one host. Event 4729 is removal from a global security group — domain-wide, affects all systems that honor that group's permissions. For incident response prioritization: 4729 removals from Domain Admins have immediate domain-wide impact and are higher urgency. 4733 removals from local Administrators are machine-specific but are more common in lateral movement cleanup since attackers often add local admin access on individual high-value servers. Monitor 4729 for global impact; monitor 4733 cross-machine patterns for lateral movement scope.
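The correlations described in Investigation Tips 1 to 3 and in the FAQ answer above, as an added example that is not part of the original page: it runs over constructed 4732/4733 records (field names simplified from the event XML; host, account and service-account names are assumptions) and returns the add-then-remove pairs with their exploitation window, cross-machine removals of the same account, and monitoring-account removals from sensitive groups.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data). Keys are simplified stand-ins for the
# 4732/4733 fields: member = MemberName, group = TargetUserName, subject = SubjectUserName.
EVENTS = [
    {"time": "2024-03-01T09:00:00", "computer": "SRV01", "event_id": 4732, "member": "svc_tmp", "group": "Administrators", "subject": "jdoe"},
    {"time": "2024-03-04T22:10:00", "computer": "SRV01", "event_id": 4733, "member": "svc_tmp", "group": "Administrators", "subject": "svc_tmp"},
    {"time": "2024-03-04T22:12:00", "computer": "SRV02", "event_id": 4733, "member": "svc_tmp", "group": "Administrators", "subject": "svc_tmp"},
    {"time": "2024-03-04T22:15:00", "computer": "SRV03", "event_id": 4733, "member": "svc_tmp", "group": "Administrators", "subject": "svc_tmp"},
    {"time": "2024-03-05T10:00:00", "computer": "WS17", "event_id": 4733, "member": "svc_edr", "group": "Administrators", "subject": "localadmin"},
]
SENSITIVE_GROUPS = {"Administrators", "Performance Log Users"}
MONITORING_ACCOUNTS = {"svc_edr", "svc_av"}  # assumed names of the EDR/AV service accounts

def _t(e):
    return datetime.fromisoformat(e["time"])

def add_remove_pairs(events, max_gap=timedelta(days=30)):
    """Tip 1 / FAQ: latest earlier 4732 matching each 4733 on (host, member, group); gap = exploitation window."""
    adds = [e for e in events if e["event_id"] == 4732]
    pairs = []
    for r in events:
        if r["event_id"] != 4733:
            continue
        cands = [a for a in adds if (a["computer"], a["member"], a["group"]) ==
                 (r["computer"], r["member"], r["group"]) and _t(a) <= _t(r)]
        if cands and _t(r) - _t(max(cands, key=_t)) <= max_gap:
            pairs.append((r["member"], r["computer"], _t(r) - _t(max(cands, key=_t))))
    return pairs

def cross_machine_removals(events, min_hosts=3, window=timedelta(hours=1)):
    """Tip 3: same member removed from the same group on >= min_hosts distinct hosts within `window`."""
    by_key = defaultdict(list)
    for e in events:
        if e["event_id"] == 4733:
            by_key[(e["member"], e["group"])].append(e)
    hits = {}
    for key, evs in by_key.items():
        evs.sort(key=_t)
        for i, start in enumerate(evs):  # sliding window anchored at each removal
            hosts = {x["computer"] for x in evs[i:] if _t(x) - _t(start) <= window}
            if len(hosts) >= min_hosts:
                hits[key] = sorted(hosts)
                break
    return hits

def monitoring_account_removals(events):
    """Tip 2: monitoring/EDR/AV service accounts removed from a sensitive local group."""
    return [(e["computer"], e["member"], e["group"]) for e in events
            if e["event_id"] == 4733 and e["member"] in MONITORING_ACCOUNTS and e["group"] in SENSITIVE_GROUPS]
```

In a SIEM the same three queries would run against the parsed 4732/4733 fields keyed on the member SID rather than the display name, since the name can be changed between the add and the remove.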
Full Detection Guide Available
This event ID has a full detection guide with investigation steps, remediation advice, and example log entries.