A security-enabled universal group was changed
Properties of an AD Universal Security Group (`GroupType`, `SAM Account Name`) were altered.
Event ID 4755 logs when attributes of an Active Directory universal group are modified. Inspecting attribute modifications detects attempts to covertly convert distribution groups into security groups or rename forest-wide access groups.
Failure Reason / Root Cause:
Modification of AD universal security group attributes (`TargetUserName`).
Raw Event XML snippet
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4755</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2026-07-17T09:54:44.902Z" />
<EventRecordID>1048576</EventRecordID>
<Correlation />
<Execution ProcessID="612" ThreadID="1024" />
<Channel>Security</Channel>
<Computer>DC01.enterprise.internal</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">SYSTEM</Data>
<Data Name="SubjectDomainName">NT AUTHORITY</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<!-- Event telemetry fields specific to A security-enabled universal group was changed -->
</EventData>
</Event>MITRE ATT&CK mapping
| ID | Technique | Tactic |
|---|---|---|
T1098 | Account Manipulation: Domain Groups | Persistence |
Recommended actions
- Audit changes to `GroupType` and `sAMAccountName` for universal groups.