Detect Additional Local or Domain Groups in Google Chronicle
An adversary may add additional local or domain groups to an adversary-controlled account to maintain persistent access to a system or domain. On Windows, accounts may use the net localgroup and net group commands to add existing users to local and domain groups. Accounts may be added to the local administrators group, Remote Desktop Users group, or VPN user groups. On Linux, adversaries may use usermod to add accounts to the sudoers group. In Windows environments, machine accounts may also be added to domain groups, allowing the local SYSTEM account to gain privileges on the domain.
MITRE ATT&CK
- Tactic: Persistence, Privilege Escalation
- Technique: T1098 Account Manipulation
- Sub-technique: T1098.007 Additional Local or Domain Groups
- Canonical reference: https://attack.mitre.org/techniques/T1098/007/
YARA-L Detection Query

```yaral
rule t1098_007_sensitive_group_membership_addition {
  meta:
    author = "Detection Engineering"
    description = "Detects accounts added to sensitive local or domain groups via Windows group change events or net.exe command execution (T1098.007)"
    severity = "HIGH"
    mitre_attack_technique = "T1098.007"
    mitre_attack_tactic = "Persistence"
    reference = "https://attack.mitre.org/techniques/T1098/007/"

  events:
    // Branch 1: a normalized group-change event (for example Windows Security
    // 4732/4728/4756) whose target group is a known privileged local or domain group.
    (
      $e.metadata.event_type = "USER_GROUP_MEMBERSHIP_ADD" and
      re.regex($e.target.group.group_display_name,
        `(?i)^(administrators|domain admins|enterprise admins|schema admins|group policy creator owners|remote desktop users|remote management users|network configuration operators|backup operators|account operators|server operators|dnsadmins|dhcp administrators|exchange windows permissions|exchange trusted subsystem|sudoers|wheel|admin)$`)
    ) or
    // Branch 2: net.exe or net1.exe launched with a "localgroup ... /add" or
    // "group ... /add" command line, regardless of which group is named.
    (
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      re.regex($e.target.process.file.full_path, `(?i)\\net1?\.exe$`) and
      re.regex($e.target.process.command_line, `(?i)(localgroup|group).+/add`)
    )

  condition:
    $e
}
```

YARA-L 2.0 rule detecting sensitive group membership additions via Chronicle UDM USER_GROUP_MEMBERSHIP_ADD events targeting known privileged groups, or PROCESS_LAUNCH events capturing net.exe/net1.exe with group /add arguments normalized from Windows Security, Sysmon, or EDR telemetry.
False Positives & Tuning
- Identity governance platforms such as CyberArk, SailPoint, or BeyondTrust performing automated privileged access lifecycle operations and group assignments
- IT operations teams running net.exe commands during bulk user provisioning or deprovisioning following HR system change requests or role transitions
- Azure AD Connect or on-premises AD synchronization services that periodically reconcile group memberships between on-premises and cloud directories
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Add User to Local Administrators Group via net localgroup
  Expected signal: Security Event ID 4720 (user created: argus-testuser). Security Event ID 4732 (member added to local security group: Administrators, MemberName contains argus-testuser, SubjectUserName = executing account). Sysmon Event ID 1: Process Create with Image=net.exe, CommandLine containing 'localgroup Administrators argus-testuser /add'. Security Event ID 4688 (if command line auditing enabled).
- Test 2: Add User to Remote Desktop Users Group
  Expected signal: Security Event ID 4720 (user created: argus-rdptest). Security Event ID 4732 (member added to local security group: Remote Desktop Users). Sysmon Event ID 1: net.exe process with CommandLine='net localgroup "Remote Desktop Users" argus-rdptest /add'. Security Event ID 4688 with same command line if command line auditing is enabled.
- Test 3: Add User to Local Administrators via PowerShell Add-LocalGroupMember
  Expected signal: Security Event ID 4720 (user created: argus-pstest). Security Event ID 4732 (member added to local security group: Administrators). Sysmon Event ID 1: powershell.exe process with CommandLine containing 'Add-LocalGroupMember'. PowerShell ScriptBlock Log Event ID 4104 with full cmdlet call. Note: no net.exe process is created, so command-line detections for net.exe will NOT fire; only the audit event and PowerShell logging will capture this.
- Test 4: Add User Account to Domain Group via net group (Domain-joined only)
  Expected signal: Security Event ID 4728 or 4756 on the Domain Controller (member added to global/universal security group). Sysmon Event ID 1 on the workstation: net.exe with CommandLine containing 'group "Remote Desktop Users" /add /domain'. Security Event ID 4688 on workstation (if command line auditing enabled). On DCs: SubjectUserName will be the account that ran the command, MemberName will be the added account's DN.
- Test 5: Add User to sudoers Group on Linux
  Expected signal: Linux audit log (auditd): SYSCALL records for useradd and usermod execution with key fields showing the commands. /var/log/auth.log or /var/log/secure: entries showing usermod adding argus-sudotest to sudo group. /etc/group modification timestamp changes detectable via inotify or file integrity monitoring. Syslog: usermod invocation with -aG sudo argus-sudotest arguments.
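The following Python script is an added example, not the page's rule and not Chronicle code. It re-implements the two OR-ed branches of the YARA-L rule above (the USER_GROUP_MEMBERSHIP_ADD group match and the net.exe/net1.exe "/add" command-line match) on UDM-shaped dictionaries, so the tests in this section can be dry-run offline before the rule is deployed. The events are constructed to follow Tests 1, 3 and 5, plus two benign events and one event from an identity-governance service account; the `ALLOWLISTED_PRINCIPALS` set is a hypothetical tuning knob for the false-positive cases listed above and is not part of the original rule. The `field`, `branch`, `evaluate`, `proc` and `group_add` helpers are this example's own names.

```python
import re

# Same three patterns as the rule's re.regex() calls. RE2 (Chronicle) and
# Python's re both accept the leading (?i) inline flag.
SENSITIVE_GROUPS = re.compile(
    r"(?i)^(administrators|domain admins|enterprise admins|schema admins|"
    r"group policy creator owners|remote desktop users|remote management users|"
    r"network configuration operators|backup operators|account operators|"
    r"server operators|dnsadmins|dhcp administrators|exchange windows permissions|"
    r"exchange trusted subsystem|sudoers|wheel|admin)$"
)
NET_EXE = re.compile(r"(?i)\\net1?\.exe$")
NET_ADD = re.compile(r"(?i)(localgroup|group).+/add")

# Hypothetical tuning knob (not in the original rule): principals whose group
# changes are expected, e.g. an identity-governance service account.
ALLOWLISTED_PRINCIPALS = {"svc-sailpoint"}


def field(event, dotted):
    """Read a dotted UDM path such as 'target.group.group_display_name'."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(part)
    return cur


def branch(event):
    """Return 'group_event', 'net_cmd' or None, mirroring the rule's two branches."""
    etype = field(event, "metadata.event_type")
    if etype == "USER_GROUP_MEMBERSHIP_ADD":
        if SENSITIVE_GROUPS.search(field(event, "target.group.group_display_name") or ""):
            return "group_event"
    elif etype == "PROCESS_LAUNCH":
        path = field(event, "target.process.file.full_path") or ""
        cmd = field(event, "target.process.command_line") or ""
        if NET_EXE.search(path) and NET_ADD.search(cmd):
            return "net_cmd"
    return None


def evaluate(events, allowlist=ALLOWLISTED_PRINCIPALS):
    """Return (branch, actor, detail) for each firing event whose actor is not allowlisted."""
    alerts = []
    for ev in events:
        b = branch(ev)
        if b is None:
            continue
        actor = field(ev, "principal.user.userid") or ""
        if actor in allowlist:
            continue
        detail = (field(ev, "target.group.group_display_name")
                  or field(ev, "target.process.command_line"))
        alerts.append((b, actor, detail))
    return alerts


def proc(actor, path, cmd):
    """Constructed PROCESS_LAUNCH event in UDM shape."""
    return {"metadata": {"event_type": "PROCESS_LAUNCH"},
            "principal": {"user": {"userid": actor}},
            "target": {"process": {"file": {"full_path": path}, "command_line": cmd}}}


def group_add(actor, group):
    """Constructed USER_GROUP_MEMBERSHIP_ADD event in UDM shape."""
    return {"metadata": {"event_type": "USER_GROUP_MEMBERSHIP_ADD"},
            "principal": {"user": {"userid": actor}},
            "target": {"group": {"group_display_name": group}}}


SYS32 = "C:\\Windows\\System32\\"
# Constructed events modelled on the page's tests; none were captured from a live host.
SAMPLE_EVENTS = [
    # Test 1: net.exe adds a user to Administrators; the process launch and the
    # resulting group-change event fire one branch each.
    proc("alice", SYS32 + "net.exe", "net localgroup Administrators argus-testuser /add"),
    group_add("alice", "Administrators"),
    # Test 3: Add-LocalGroupMember spawns no net.exe, so only the group event fires.
    proc("alice", SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe",
         "powershell.exe Add-LocalGroupMember -Group Administrators -Member argus-pstest"),
    group_add("alice", "Administrators"),
    # Benign: enumeration without /add, and an add to an unprivileged group.
    proc("bob", SYS32 + "net1.exe", "net1 localgroup Administrators"),
    group_add("bob", "Users"),
    # Tuning: the identity-governance service account is allowlisted.
    group_add("svc-sailpoint", "Domain Admins"),
    # Test 5 on a Debian-style host: the group is named 'sudo', which the rule's
    # regex ('sudoers') does not match, so this event is missed as written.
    group_add("root", "sudo"),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Running the script yields three alerts: the net.exe branch and the group-event branch for Test 1, and only the group-event branch for Test 3, which is the point the Test 3 note makes about Add-LocalGroupMember. The last constructed event is a caveat for Test 5: the rule's group list contains "sudoers", "wheel" and "admin" but not "sudo", so if your Linux parser normalizes the target group as "sudo" (the name the test's `usermod -aG sudo` uses), the rule as written will not fire and the list should be extended accordingly.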
References
- https://attack.mitre.org/techniques/T1098/007/
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc754051(v=ws.11)
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc725622(v=ws.11)
- https://www.man7.org/linux/man-pages/man8/usermod.8.html
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services
- https://rootdse.org/posts/monitoring-realtime-activedirectory-domain-scenarios
- https://cybersecuritynews.com/superblack-actors-exploiting-two-fortinet-vulnerabilities/
- https://www.fireeye.com/blog/threat-research/2021/06/smokedham-backdoor.html
- https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.007/T1098.007.md
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4728