Windows Event ID 4735 — Security-Enabled Local Group Changed
Logged when a security-enabled local group is modified: its name (SAM account name), description, or other attributes of the group object itself. On member servers and workstations this covers machine-local groups (for example BUILTIN\Administrators); on domain controllers it also covers domain-local groups. It does not cover membership changes, which generate Event ID 4732 (member added) and 4733 (member removed). Because a rename changes the group's name but never its SID, the Group Security ID in the event is the reliable key for identifying which group was touched.
MITRE ATT&CK
T1484 · Domain Policy Modification
Defense Evasion
Why It Matters
Group renames are an attacker technique for camouflaging backdoor membership. An attacker who adds an account to a sensitive local group (4732) may then rename that group to something that appears benign, such as 'BackupSvc', 'MonitorAgents' or 'ITHelpers', so the membership looks routine in log reviews and local group listings. The rename changes only the display name; the group's SID, and therefore every right and ACL entry granted to it, is unchanged. On a domain controller 4735 also covers domain-local groups, and widening such a group's scope to universal lets its membership be honoured beyond the original domain; a machine-local group on a member server or workstation has no scope to change. 4735 is frequently left out of monitoring configurations, making this a low-visibility persistence technique.
Key Fields
Investigation Tips
1. Group rename on a sensitive group: if the local Administrators or Backup Operators group is renamed, investigate immediately; attackers rename these to camouflage membership added via 4732. Match on the group SID rather than the name, since the name is what the attacker controls: S-1-5-32-544 (Administrators), S-1-5-32-551 (Backup Operators), S-1-5-32-555 (Remote Desktop Users). Cross-check the current group name against your baseline inventory.
2. Correlate 4735 with preceding 4732 events for the same group SID. A membership addition (4732) followed by a group rename (4735) within a short window is the backdoor camouflage pattern: the attacker adds their account, then obscures the group's identity. Pivot on the Subject fields (account name and Logon ID) to confirm the same session performed both changes.
3. Group scope and type changes: on a domain controller, widening a domain-local group to universal scope, or switching a security group to a distribution group and back, changes which systems honour the group's membership. Machine-local groups on member servers and workstations cannot change scope, so any scope change you see belongs to a domain group and should correlate with a documented IT change.
4. On domain controllers, group changes have domain-wide impact. 4735 events on DCs for groups outside of your expected change management windows are high priority.
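The two checks above (rename of a well-known built-in group, and a 4735 that follows a 4732 on the same group) are easy to get wrong if you key on the group name, because the name is exactly what the attacker changed. The following script is an added example, not code from the original page or from EventPeeker: it parses 4732 and 4735 records in the XML shape that `wevtutil qe Security /f:xml` exports, keys everything on the group SID, and rates each 4735. The three sample records, the account names and the non-built-in SIDs are constructed for the example; the field names (TargetSid, TargetUserName, MemberSid, SamAccountName, Subject*) are the ones Windows writes into these two events.

```python
"""Triage Event ID 4735 records: flag renames of well-known built-in groups by SID,
and correlate each 4735 with a preceding 4732 (member added) on the same group."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Well-known BUILTIN group SIDs: a rename changes the name, never the SID.
SENSITIVE_BUILTIN_SIDS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-551": "Backup Operators",
    "S-1-5-32-555": "Remote Desktop Users",
}


@dataclass
class GroupEvent:
    event_id: int
    time: datetime
    subject: str                        # DOMAIN\user that made the change
    group_sid: str                      # TargetSid
    group_name: str                     # TargetUserName as written in the record
    member_sid: Optional[str] = None    # 4732 only: MemberSid
    new_sam_name: Optional[str] = None  # 4735 only: SamAccountName from Changed Attributes


def parse_event(xml_text: str) -> GroupEvent:
    """Pull the fields we need out of one Security-log event rendered as XML."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.find("e:EventID", NS).text)
    stamp = system.find("e:TimeCreated", NS).get("SystemTime")
    time = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    # Windows writes "-" into SamAccountName when the name was not part of the change.
    sam = data.get("SamAccountName")
    return GroupEvent(
        event_id=event_id,
        time=time,
        subject=f"{data.get('SubjectDomainName')}\\{data.get('SubjectUserName')}",
        group_sid=data["TargetSid"],
        group_name=data["TargetUserName"],
        member_sid=data.get("MemberSid") or None,
        new_sam_name=None if sam in (None, "", "-") else sam,
    )


def triage(events: List[GroupEvent], window: timedelta = timedelta(hours=1)) -> List[dict]:
    """Return one finding per 4735, keyed on the group SID rather than its current name."""
    findings = []
    adds_by_sid = {}  # group_sid -> 4732 events seen so far, in time order
    for ev in sorted(events, key=lambda e: e.time):
        if ev.event_id == 4732:
            adds_by_sid.setdefault(ev.group_sid, []).append(ev)
            continue
        if ev.event_id != 4735:
            continue
        reasons = []
        builtin = SENSITIVE_BUILTIN_SIDS.get(ev.group_sid)
        if builtin and ev.new_sam_name:
            reasons.append(f"built-in {builtin} ({ev.group_sid}) renamed to '{ev.new_sam_name}'")
        recent = [a for a in adds_by_sid.get(ev.group_sid, []) if ev.time - a.time <= window]
        if recent and ev.new_sam_name:
            last = recent[-1]
            reasons.append(f"rename follows 4732 adding {last.member_sid} {ev.time - last.time} earlier")
        findings.append({"time": ev.time, "subject": ev.subject, "group_sid": ev.group_sid,
                         "new_name": ev.new_sam_name,
                         "severity": "high" if reasons else "low", "reasons": reasons})
    return findings


def _record(event_id: int, when: str, **data: str) -> str:
    """Constructed sample record in the shape of an exported Security-log event (not real log data)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System><EventData>{fields}</EventData></Event>')


# Constructed scenario: jdoe adds an account to Administrators, then renames the group two
# minutes later; a separate custom group on FS01 is renamed with no preceding membership change.
SAMPLE_RECORDS = [
    _record(4732, "2024-05-01T10:00:00Z", SubjectUserName="jdoe", SubjectDomainName="CORP",
            MemberName="-", MemberSid="S-1-5-21-1111111111-2222222222-3333333333-1105",
            TargetUserName="Administrators", TargetDomainName="Builtin", TargetSid="S-1-5-32-544"),
    _record(4735, "2024-05-01T10:02:00Z", SubjectUserName="jdoe", SubjectDomainName="CORP",
            TargetUserName="BackupSvc", TargetDomainName="Builtin", TargetSid="S-1-5-32-544",
            SamAccountName="BackupSvc", SidHistory="-"),
    _record(4735, "2024-05-01T14:00:00Z", SubjectUserName="svc-itsm", SubjectDomainName="CORP",
            TargetUserName="ServiceDesk", TargetDomainName="FS01",
            TargetSid="S-1-5-21-4444444444-5555555555-6666666666-1200",
            SamAccountName="ServiceDesk", SidHistory="-"),
]

if __name__ == "__main__":
    for f in triage([parse_event(r) for r in SAMPLE_RECORDS]):
        print(f["severity"].upper(), f["time"], f["subject"], f["group_sid"], f["new_name"], f["reasons"])
```

The first 4735 is rated high on two independent grounds (a well-known SID was renamed, and a 4732 on that SID preceded it within the window); the second is rated low because it is a custom group with no recent membership change. To run it against a real host, export with `wevtutil qe Security /q:"*[System[(EventID=4732 or EventID=4735)]]" /f:xml` and feed each `<Event>` element to `parse_event`.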
Related Event IDs
Frequently Asked Questions
- What is the difference between Event ID 4735 and Event ID 4732?
- Event 4732 fires when an account is added to a local security group — it is a membership change. Event 4735 fires when the group itself is modified: its name, description, or type. In practice, an attacker uses both: 4732 to establish backdoor membership, then 4735 to rename the group and make the membership harder to detect in log reviews. Monitoring only 4732 (membership additions) misses the camouflage step — monitor 4735 alongside it, especially for group renames on Administrators, Backup Operators, and Remote Desktop Users.
- Is a local security group rename always suspicious?
- Not always — IT teams legitimately rename groups when responsibilities or naming conventions change. The suspicious patterns are: a rename immediately following a 4732 (membership addition) for the same group, a rename of a built-in sensitive group (Administrators, Backup Operators) rather than a custom group, a rename outside of a documented change window, or a rename by an account that is not a known IT admin. A custom group being renamed from 'ITHelpers' to 'BackupSvc' in isolation is low priority; the same rename immediately after a new account was added to it is high priority.
- How do attackers use group renames to evade detection?
- After adding a backdoor account to a sensitive local group via Event ID 4732, an attacker may rename the group (4735) to something that appears routine in group membership listings and reports; names like 'MonitorAgents', 'SvcAccounts' or 'BackupOps' blend in with legitimate service groups. When a defender later reviews the backdoor account's group memberships by name, they see the renamed group rather than 'Administrators' or 'Backup Operators', reducing the likelihood of immediate detection. The rename does not change the group's SID or its actual permissions: a renamed local Administrators group is still S-1-5-32-544 and still grants full control of the machine, which is why membership reviews and detections should key on the SID rather than the name.