T1098.007 IBM QRadar · QRadar

Detect Additional Local or Domain Groups in IBM QRadar

An adversary may add additional local or domain groups to an adversary-controlled account to maintain persistent access to a system or domain. On Windows, accounts may use the net localgroup and net group commands to add existing users to local and domain groups. Accounts may be added to the local administrators group, Remote Desktop Users group, or VPN user groups. On Linux, adversaries may use usermod to add accounts to the sudoers group. In Windows environments, machine accounts may also be added to domain groups, allowing the local SYSTEM account to gain privileges on the domain.

MITRE ATT&CK

Tactic
Persistence, Privilege Escalation
Technique
T1098 Account Manipulation
Sub-technique
T1098.007 Additional Local or Domain Groups
Canonical reference
https://attack.mitre.org/techniques/T1098/007/

QRadar Detection Query

IBM QRadar (QRadar)

```sql
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  QIDNAME(qid) AS EventName,
  username AS ActingAccount,
  "MemberName" AS AddedMember,
  "GroupName" AS TargetGroup,
  sourceip AS SourceIP,
  "AccountDomain" AS Domain
FROM events
WHERE
  starttime > NOW() - 86400000
  AND (
    (
      "EventID" IN (4728, 4732, 4756, 4761, 4751, 4746)
      AND LOWER("GroupName") IN (
        'administrators', 'domain admins', 'enterprise admins', 'schema admins',
        'group policy creator owners', 'remote desktop users', 'remote management users',
        'network configuration operators', 'backup operators', 'account operators',
        'server operators', 'dnsadmins', 'dhcp administrators',
        'exchange windows permissions', 'exchange trusted subsystem'
      )
    )
    OR (
      "EventID" = 1
      AND (
        LOWER("Image") LIKE '%\net.exe'
        OR LOWER("Image") LIKE '%\net1.exe'
      )
      AND LOWER("CommandLine") LIKE '%/add%'
      AND (
        LOWER("CommandLine") LIKE '%localgroup%'
        OR LOWER("CommandLine") LIKE '% group %'
      )
    )
  )
ORDER BY starttime DESC
```

Severity: high. Confidence: high.

Detects group membership additions to sensitive Windows groups using Windows Security Event IDs 4728/4732/4756/4761/4751/4746 parsed by the Windows Security DSM, or Sysmon Event ID 1 process creation events capturing net.exe/net1.exe with /add group arguments in the last 24 hours.
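The following is an added example, not code from the catalog page: a Python model of the two branches of the AQL predicate above, run over constructed events (the `id`, `argus-*` and `svc-backup` values are made up) so that the gap described in Test 3 below, where Add-LocalGroupMember never spawns net.exe, is visible next to the cases that do fire.

```python
# Added example (not from the catalog page): a Python model of the two branches
# of the AQL predicate above, run over constructed events so the gap noted in
# Test 3 (Add-LocalGroupMember never spawns net.exe) is visible.
SENSITIVE_GROUPS = {
    "administrators", "domain admins", "enterprise admins", "schema admins",
    "group policy creator owners", "remote desktop users", "remote management users",
    "network configuration operators", "backup operators", "account operators",
    "server operators", "dnsadmins", "dhcp administrators",
    "exchange windows permissions", "exchange trusted subsystem"}
GROUP_ADD_EVENT_IDS = {4728, 4732, 4756, 4761, 4751, 4746}

def audit_branch(ev):
    """Security-log branch: a member-added event naming a sensitive group."""
    return (ev.get("EventID") in GROUP_ADD_EVENT_IDS
            and (ev.get("GroupName") or "").lower() in SENSITIVE_GROUPS)

def net_cmdline_branch(ev):
    """Sysmon branch: net.exe/net1.exe with '/add' plus a group keyword."""
    if ev.get("EventID") != 1:
        return False
    image = (ev.get("Image") or "").lower()
    cmd = (ev.get("CommandLine") or "").lower()
    return (image.endswith(("\\net.exe", "\\net1.exe")) and "/add" in cmd
            and ("localgroup" in cmd or " group " in cmd))

def classify(ev):
    """Name the branch that fires for this event, or None if neither does."""
    if audit_branch(ev):
        return "audit"
    return "net-cmdline" if net_cmdline_branch(ev) else None

# Constructed sample events mirroring the page's tests (not real telemetry).
SAMPLE_EVENTS = [
    {"id": "t1-sec", "EventID": 4732, "GroupName": "Administrators", "MemberName": "argus-testuser"},
    {"id": "t1-sysmon", "EventID": 1, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net localgroup Administrators argus-testuser /add"},
    {"id": "t3-sysmon", "EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "Add-LocalGroupMember -Group Administrators -Member argus-pstest"},
    {"id": "t4-sysmon", "EventID": 1, "Image": r"C:\Windows\System32\net1.exe",
     "CommandLine": 'net group "Remote Desktop Users" argus-domtest /add /domain'},
    {"id": "benign-users", "EventID": 4732, "GroupName": "Users", "MemberName": "jdoe"},
    {"id": "benign-netuser", "EventID": 1, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user svc-backup /add"},
]

def alerts(events=SAMPLE_EVENTS):
    """Map event id -> firing branch for every event the predicate matches."""
    return {ev["id"]: b for ev in events if (b := classify(ev))}
```

Only the Security-log 4732 event from Test 3 would surface that PowerShell path; the Sysmon branch stays silent for it, which is why the audit branch should not be dropped in favour of command-line matching alone.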

Data Sources

Windows Security Event Log DSM
Microsoft Sysmon DSM

Required Tables

events

False Positives & Tuning

  • IT provisioning systems performing automated group membership assignments during employee onboarding or offboarding cycles
  • Domain administrators running scheduled PowerShell or batch scripts that update group memberships for role-based access control across departments
  • Group Policy-driven group membership changes applied by the domain controller that trigger these events simultaneously across multiple endpoints
Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Add User to Local Administrators Group via net localgroup

    Expected signal: Security Event ID 4720 (user created: argus-testuser). Security Event ID 4732 (member added to local security group: Administrators, MemberName contains argus-testuser, SubjectUserName = executing account). Sysmon Event ID 1: Process Create with Image=net.exe, CommandLine containing 'localgroup Administrators argus-testuser /add'. Security Event ID 4688 (if command line auditing enabled).

  2. Test 2: Add User to Remote Desktop Users Group

    Expected signal: Security Event ID 4720 (user created: argus-rdptest). Security Event ID 4732 (member added to local security group: Remote Desktop Users). Sysmon Event ID 1: net.exe process with CommandLine='net localgroup "Remote Desktop Users" argus-rdptest /add'. Security Event ID 4688 with same command line if command line auditing is enabled.

  3. Test 3: Add User to Local Administrators via PowerShell Add-LocalGroupMember

    Expected signal: Security Event ID 4720 (user created: argus-pstest). Security Event ID 4732 (member added to local security group: Administrators). Sysmon Event ID 1: powershell.exe process with CommandLine containing 'Add-LocalGroupMember'. PowerShell ScriptBlock Log Event ID 4104 with full cmdlet call. Note: no net.exe process is created, so command-line detections for net.exe will NOT fire — only audit event and PowerShell logging will capture this.

  4. Test 4: Add User Account to Domain Group via net group (Domain-joined only)

    Expected signal: Security Event ID 4728 or 4756 on the Domain Controller (member added to global/universal security group). Sysmon Event ID 1 on the workstation: net.exe with CommandLine containing 'group "Remote Desktop Users" /add /domain'. Security Event ID 4688 on workstation (if command line auditing enabled). On DCs: SubjectUserName will be the account that ran the command, MemberName will be the added account's DN.

  5. Test 5: Add User to sudoers Group on Linux

    Expected signal: Linux audit log (auditd): SYSCALL records for useradd and usermod execution with key fields showing the commands. /var/log/auth.log or /var/log/secure: entries showing usermod adding argus-sudotest to sudo group. /etc/group modification timestamp changes detectable via inotify or file integrity monitoring. Syslog: usermod invocation with -aG sudo argus-sudotest arguments.
