🤔 How Do I Find Malicious or Compromised Accounts?

Created: 24.06.2023

Windows

Event logs

The pattern starts with event 4720 (account created) and multiple 4732 events (member added to some security-enabled group). The account must be enabled (4722) before it can be used. You might also see 4738 (account was changed) or even 4724 (password reset attempt).

✍🏻 4728 - member was added to a security-enabled global group.

✍🏻 4732 - member was added to a security-enabled local group.

✍🏻 4756 - member was added to a security-enabled universal group.
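
The sequence above can be hunted for by grouping events per account SID and flagging any account that is created (4720) and then added to a group (4728/4732/4756) shortly afterwards. This is an added example, not code from the original post: the records, SIDs, user names and the 30-minute window are constructed assumptions, and the field names follow the EventData fields of Windows Security events as exported to dictionaries.

```python
from datetime import datetime, timedelta

GROUP_ADD = {4728, 4732, 4756}  # member added to global / local / universal group

def ev(time, event_id, **data):
    return {"Time": datetime.fromisoformat(time), "EventID": event_id, **data}

# Constructed sample records, not real log data. For 4720/4722/4724/4738 the
# account is TargetSid; for group-add events the account is MemberSid and
# TargetUserName holds the group name.
S1, S2, S3 = "S-1-5-21-1111-1001", "S-1-5-21-1111-1002", "S-1-5-21-1111-1003"
EVENTS = [
    ev("2023-06-24T02:14:03", 4720, TargetSid=S1, TargetUserName="svc_backup", SubjectUserName="jdoe"),
    ev("2023-06-24T02:14:04", 4722, TargetSid=S1),
    ev("2023-06-24T02:14:05", 4738, TargetSid=S1),
    ev("2023-06-24T02:14:06", 4724, TargetSid=S1),
    ev("2023-06-24T02:14:20", 4732, MemberSid=S1, TargetUserName="Administrators"),
    ev("2023-06-24T02:14:25", 4732, MemberSid=S1, TargetUserName="Remote Desktop Users"),
    ev("2023-06-24T09:00:00", 4720, TargetSid=S2, TargetUserName="newhire", SubjectUserName="helpdesk"),
    ev("2023-06-24T09:00:01", 4722, TargetSid=S2),
    ev("2023-06-24T11:30:00", 4728, MemberSid=S3, TargetUserName="Finance"),  # no 4720 in scope
]

def account_sid(e):
    """SID of the account the event is about, whatever the event type."""
    return e["MemberSid"] if e["EventID"] in GROUP_ADD else e["TargetSid"]

def find_suspect_accounts(events, window=timedelta(minutes=30)):
    """Accounts created (4720) and added to a group within `window` of creation."""
    timelines = {}
    for e in sorted(events, key=lambda x: x["Time"]):
        timelines.setdefault(account_sid(e), []).append(e)
    findings = []
    for sid, evs in timelines.items():
        created = next((e for e in evs if e["EventID"] == 4720), None)
        if created is None:
            continue  # account creation is outside the collected logs
        recent = [e for e in evs if created["Time"] <= e["Time"] <= created["Time"] + window]
        groups = [e["TargetUserName"] for e in recent if e["EventID"] in GROUP_ADD]
        if groups:
            findings.append({
                "sid": sid,
                "account": created["TargetUserName"],
                "created_by": created["SubjectUserName"],
                "enabled": any(e["EventID"] == 4722 for e in recent),
                "groups": groups,
                "sequence": [e["EventID"] for e in recent],
            })
    return findings
```

The `created_by` field (SubjectUserName of the 4720 event) is the account to review next, since it performed the creation.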
