T1098.007 Additional Local or Domain Groups Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SensitiveGroups = dynamic([
  "Administrators", "Domain Admins", "Enterprise Admins",
  "Schema Admins", "Group Policy Creator Owners",
  "Remote Desktop Users", "Remote Management Users",
  "Network Configuration Operators", "Backup Operators",
  "Account Operators", "Server Operators",
  "DnsAdmins", "DHCP Administrators",
  "Exchange Windows Permissions", "Exchange Trusted Subsystem",
  "sudoers", "wheel", "admin"
]);
let GroupAddEvents = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID in (4728, 4732, 4746, 4751, 4756, 4761, 4746)
  // 4728 = member added to global security group
  // 4732 = member added to local security group
  // 4746 = member added to distribution group (local)
  // 4751 = member added to universal distribution group
  // 4756 = member added to universal security group
  // 4761 = member added to local distribution group
| extend AddedAccount = tostring(EventData.MemberName)
| extend GroupName = tostring(EventData.GroupName)
| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName), "\\", tostring(EventData.SubjectUserName))
| extend TargetSid = tostring(EventData.MemberSid)
| project TimeGenerated, EventID, Computer, GroupName, AddedAccount, SubjectAccount, TargetSid, Activity;
let NetCmdGroupAdd = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("net.exe", "net1.exe")
| where ProcessCommandLine has_any ("localgroup", "group")
  and ProcessCommandLine has "/add"
| extend GroupOperation = extract(@"(localgroup|group)\s+[""']?([^""'/\s]+)[""']?", 2, ProcessCommandLine)
| project
    TimeGenerated = Timestamp,
    DeviceName,
    AccountName,
    ProcessCommandLine,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    GroupOperation;
GroupAddEvents
| union (
    NetCmdGroupAdd
    | project TimeGenerated, Computer = DeviceName, GroupName = GroupOperation,
              AddedAccount = "", SubjectAccount = AccountName,
              ProcessCommandLine, InitiatingProcessFileName
)
| where GroupName has_any (SensitiveGroups)
   or isnotempty(GroupName)
| sort by TimeGenerated desc

high severity high confidence

Data Sources

Windows Security Event Log Process: Process Creation Active Directory: Active Directory Object Modification Microsoft Defender for Endpoint

Required Tables

SecurityEvent DeviceProcessEvents

False Positives

IT administrators legitimately adding helpdesk or IT staff to Remote Desktop Users for support purposes
Automated onboarding scripts that add new employees to standard role-based groups during provisioning
Software deployment or patch management services (SCCM, Intune) adding service accounts to local admin groups on managed endpoints
Domain controller domain join operations that add machine accounts to specific groups automatically
Third-party backup software installers that add their service accounts to Backup Operators group

Splunk

spl

index=wineventlog (sourcetype="WinEventLog:Security" OR sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational")
(
  (EventCode IN (4728, 4732, 4756, 4761, 4751, 4746))
  OR
  (EventCode=1 (Image="*\\net.exe" OR Image="*\\net1.exe") (CommandLine="*localgroup*" OR CommandLine="*group*") CommandLine="*/add*")
)
| eval GroupName=coalesce('TargetUserName', 'GroupName')
| eval AddedMember=coalesce('MemberName', 'MemberSid')
| eval ActingAccount=coalesce('SubjectUserName', 'User')
| eval CommandLineUsed=coalesce(CommandLine, "N/A")
| eval SensitiveGroup=case(
    match(lower(GroupName), "administrators|domain admins|enterprise admins|schema admins|group policy creator owners"), "Critical",
    match(lower(GroupName), "remote desktop users|remote management users|backup operators|account operators|server operators"), "High",
    match(lower(GroupName), "dnsadmins|dhcp administrators|exchange windows permissions|exchange trusted subsystem"), "High",
    match(lower(GroupName), "network configuration operators|print operators|cryptographic operators"), "Medium",
    true(), "Low"
  )
| where SensitiveGroup != "Low" OR (EventCode=1 AND match(lower(CommandLineUsed), "/add"))
| eval RiskScore=case(
    SensitiveGroup="Critical", 90,
    SensitiveGroup="High", 70,
    SensitiveGroup="Medium", 50,
    true(), 30
  )
| table _time, host, EventCode, GroupName, AddedMember, ActingAccount, CommandLineUsed, SensitiveGroup, RiskScore
| sort - RiskScore, - _time

high severity high confidence

Data Sources

Windows Security Event Log Process: Process Creation Sysmon Event ID 1 Active Directory Audit Logs

Required Sourcetypes

WinEventLog:Security XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

IT administrators legitimately adding helpdesk or IT staff to Remote Desktop Users for support purposes
Automated onboarding scripts that add new employees to standard role-based groups during provisioning
Software deployment or patch management services (SCCM, Intune) adding service accounts to local admin groups on managed endpoints
Domain controller domain join operations that add machine accounts to specific groups automatically
Third-party backup software installers that add their service accounts to Backup Operators group

Elastic Security (EQL)

eql

any where
(
  (
    event.code in ("4728", "4732", "4756", "4761", "4751", "4746") and
    event.provider == "Microsoft-Windows-Security-Auditing" and
    winlog.event_data.TargetUserName in~ (
      "Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins",
      "Group Policy Creator Owners", "Remote Desktop Users", "Remote Management Users",
      "Network Configuration Operators", "Backup Operators", "Account Operators",
      "Server Operators", "DnsAdmins", "DHCP Administrators",
      "Exchange Windows Permissions", "Exchange Trusted Subsystem"
    )
  )
  or
  (
    event.category == "process" and
    event.type == "start" and
    process.name in~ ("net.exe", "net1.exe") and
    process.args : ("localgroup", "group") and
    process.args : "/add"
  )
)

high severity high confidence

Data Sources

Windows Security Event Log Sysmon Elastic Endpoint Security Agent

Required Tables

logs-endpoint.events.process-* winlogbeat-* .ds-logs-system.security-*

False Positives

IT administrators adding new employees to standard access groups during onboarding workflows via standard provisioning procedures
Automated AD provisioning tools such as SailPoint, Saviynt, or SCCM that legitimately modify group membership during role assignments
Help desk personnel running net.exe commands to restore user access following account lockouts or permission reset requests

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  QIDNAME(qid) AS EventName,
  username AS ActingAccount,
  "MemberName" AS AddedMember,
  "GroupName" AS TargetGroup,
  sourceip AS SourceIP,
  "AccountDomain" AS Domain
FROM events
WHERE
  LOGSOURCESTARTTIME(starttime) > NOW() - 86400000
  AND (
    (
      EventID IN (4728, 4732, 4756, 4761, 4751, 4746)
      AND LOWER("GroupName") IN (
        'administrators', 'domain admins', 'enterprise admins', 'schema admins',
        'group policy creator owners', 'remote desktop users', 'remote management users',
        'network configuration operators', 'backup operators', 'account operators',
        'server operators', 'dnsadmins', 'dhcp administrators',
        'exchange windows permissions', 'exchange trusted subsystem'
      )
    )
    OR (
      EventID = 1
      AND (
        LOWER("Image") LIKE '%\net.exe'
        OR LOWER("Image") LIKE '%\net1.exe'
      )
      AND LOWER("CommandLine") LIKE '%/add%'
      AND (
        LOWER("CommandLine") LIKE '%localgroup%'
        OR LOWER("CommandLine") LIKE '% group %'
      )
    )
  )
ORDER BY starttime DESC

high severity high confidence

Data Sources

Windows Security Event Log DSM Microsoft Sysmon DSM

Required Tables

events

False Positives

IT provisioning systems performing automated group membership assignments during employee onboarding or offboarding cycles
Domain administrators running scheduled PowerShell or batch scripts that update group memberships for role-based access control across departments
Group Policy-driven group membership changes applied by the domain controller that trigger these events simultaneously across multiple endpoints

Sumo Logic CSE

sql

(_sourceCategory="*windows*" OR _sourceCategory="*sysmon*")
| parse regex "\bEventID[\s=:]+(?P<EventID>\d{4})" nodrop
| parse regex "TargetUserName\s*=\s*(?P<TargetUserName>[^\s,\r\n]+)" nodrop
| parse regex "MemberName\s*=\s*(?P<MemberName>[^\s,\r\n]+)" nodrop
| parse regex "SubjectUserName\s*=\s*(?P<SubjectUserName>[^\s,\r\n]+)" nodrop
| parse regex "CommandLine\s*=\s*(?P<CommandLine>[^\r\n]+)" nodrop
| parse regex "(?:^|\s)Image\s*=\s*(?P<Image>[^\r\n]+)" nodrop
| where (
    EventID in ("4728","4732","4756","4761","4751","4746")
    and toLowerCase(TargetUserName) in (
      "administrators","domain admins","enterprise admins","schema admins",
      "group policy creator owners","remote desktop users","remote management users",
      "network configuration operators","backup operators","account operators",
      "server operators","dnsadmins","dhcp administrators",
      "exchange windows permissions","exchange trusted subsystem"
    )
  )
  or (
    EventID = "1"
    and (toLowerCase(Image) contains "net.exe" or toLowerCase(Image) contains "net1.exe")
    and toLowerCase(CommandLine) contains "/add"
    and (
      toLowerCase(CommandLine) contains "localgroup"
      or toLowerCase(CommandLine) contains " group "
    )
  )
| eval SensitiveGroup = if(
    toLowerCase(TargetUserName) in ("administrators","domain admins","enterprise admins","schema admins"),
    "Critical",
    if(
      toLowerCase(TargetUserName) in ("remote desktop users","backup operators","account operators","server operators","remote management users"),
      "High",
      "Medium"
    )
  )
| table _messageTime, _sourceHost, EventID, TargetUserName, MemberName, SubjectUserName, CommandLine, SensitiveGroup
| sort by _messageTime desc

high severity medium confidence

Data Sources

Windows Security Event Log via Sumo Logic installed collector Sysmon operational log via Sumo Logic installed collector

Required Tables

Sumo Logic partitions indexed from Windows and Sysmon _sourceCategory paths

False Positives

Scheduled IT provisioning tasks adding service accounts or new employees to required security groups during onboarding automation pipelines
Active Directory domain join operations that automatically place machine accounts into domain groups as part of the computer account provisioning process
Security team performing authorized red team exercises or penetration testing that includes group membership modification as part of the engagement scope

Google Chronicle / SecOps

yaral

rule t1098_007_sensitive_group_membership_addition {
  meta:
    author = "Detection Engineering"
    description = "Detects accounts added to sensitive local or domain groups via Windows group change events or net.exe command execution (T1098.007)"
    severity = "HIGH"
    mitre_attack_technique = "T1098.007"
    mitre_attack_tactic = "Persistence"
    reference = "https://attack.mitre.org/techniques/T1098/007/"

  events:
    (
      $e.metadata.event_type = "USER_GROUP_MEMBERSHIP_ADD" and
      re.regex($e.target.group.group_display_name,
        `(?i)^(administrators|domain admins|enterprise admins|schema admins|group policy creator owners|remote desktop users|remote management users|network configuration operators|backup operators|account operators|server operators|dnsadmins|dhcp administrators|exchange windows permissions|exchange trusted subsystem|sudoers|wheel|admin)$`)
    ) or
    (
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      re.regex($e.target.process.file.full_path, `(?i)\\net1?\.exe$`) and
      re.regex($e.target.process.command_line, `(?i)(localgroup|group).+/add`)
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Windows Security Event Log via Chronicle forwarder Sysmon via Chronicle forwarder CrowdStrike Falcon via Chronicle integration Carbon Black via Chronicle integration

Required Tables

UDM normalized events with event_type USER_GROUP_MEMBERSHIP_ADD UDM normalized events with event_type PROCESS_LAUNCH

False Positives

Identity governance platforms such as CyberArk, SailPoint, or BeyondTrust performing automated privileged access lifecycle operations and group assignments
IT operations teams running net.exe commands during bulk user provisioning or deprovisioning following HR system change requests or role transitions
Azure AD Connect or on-premises AD synchronization services that periodically reconcile group memberships between on-premises and cloud directories

CrowdStrike LogScale (CQL)

cql

(
  #event_simpleName = /^UserAccountAddedToGroup/
  | GroupName = /(?i)(administrators|domain admins|enterprise admins|schema admins|group policy creator owners|remote desktop users|remote management users|network configuration operators|backup operators|account operators|server operators|dnsadmins|dhcp administrators|exchange windows permissions|exchange trusted subsystem|sudoers|wheel|admin)/
)
| union {
  #event_simpleName = ProcessRollup2
  | FileName = /^net1?\.exe$/i
  | CommandLine = /(?i)(localgroup|\bgroup\b).+\/add/
}
| case {
    GroupName = /(?i)(administrators|domain admins|enterprise admins|schema admins)/
      | Severity := "Critical"
      | RiskScore := 90 ;
    GroupName = /(?i)(backup operators|account operators|server operators|remote desktop users|remote management users|dnsadmins|dhcp administrators|exchange windows permissions|exchange trusted subsystem)/
      | Severity := "High"
      | RiskScore := 70 ;
    FileName = /^net1?\.exe$/i
      | Severity := "Medium"
      | RiskScore := 50 ;
    *
      | Severity := "Low"
      | RiskScore := 30
  }
| table([@timestamp, ComputerName, #event_simpleName, UserName, GroupName, SubjectUserName, FileName, CommandLine, Severity, RiskScore])
| sort(field=@timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR sensor events Falcon Data Replicator (FDR) event stream

Required Tables

UserAccountAddedToGroup* events ProcessRollup2 events

False Positives

IT service desk personnel using net.exe commands to resolve user access tickets involving group membership assignment as part of standard helpdesk change request workflows
Third-party MDM or endpoint management solutions that modify local group memberships during device enrollment, re-imaging, or compliance remediation
Domain controllers generating group change events during legitimate AD replication, forest trust establishment, or scheduled Group Policy application cycles

Additional Local or Domain Groups

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections