Detect Additional Local or Domain Groups in Splunk
An adversary may add additional local or domain groups to an adversary-controlled account to maintain persistent access to a system or domain. On Windows, accounts may use the net localgroup and net group commands to add existing users to local and domain groups. Accounts may be added to the local administrators group, Remote Desktop Users group, or VPN user groups. On Linux, adversaries may use usermod to add accounts to the sudoers group. In Windows environments, machine accounts may also be added to domain groups, allowing the local SYSTEM account to gain privileges on the domain.
MITRE ATT&CK
- Tactic: Persistence, Privilege Escalation
- Technique: T1098 Account Manipulation
- Sub-technique: T1098.007 Additional Local or Domain Groups
- Canonical reference: https://attack.mitre.org/techniques/T1098/007/
SPL Detection Query
index=wineventlog (sourcetype="WinEventLog:Security" OR sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational")
(
(EventCode IN (4728, 4732, 4756, 4761, 4751, 4746))
OR
(EventCode=1 (Image="*\\net.exe" OR Image="*\\net1.exe") (CommandLine="*localgroup*" OR CommandLine="*group*") CommandLine="*/add*")
)
| eval GroupName=coalesce('TargetUserName', 'GroupName')
| eval AddedMember=coalesce('MemberName', 'MemberSid')
| eval ActingAccount=coalesce('SubjectUserName', 'User')
| eval CommandLineUsed=coalesce(CommandLine, "N/A")
| eval SensitiveGroup=case(
match(lower(GroupName), "administrators|domain admins|enterprise admins|schema admins|group policy creator owners"), "Critical",
match(lower(GroupName), "remote desktop users|remote management users|backup operators|account operators|server operators"), "High",
match(lower(GroupName), "dnsadmins|dhcp administrators|exchange windows permissions|exchange trusted subsystem"), "High",
match(lower(GroupName), "network configuration operators|print operators|cryptographic operators"), "Medium",
true(), "Low"
)
| where SensitiveGroup != "Low" OR (EventCode=1 AND match(lower(CommandLineUsed), "/add"))
| eval RiskScore=case(
SensitiveGroup="Critical", 90,
SensitiveGroup="High", 70,
SensitiveGroup="Medium", 50,
true(), 30
)
| table _time, host, EventCode, GroupName, AddedMember, ActingAccount, CommandLineUsed, SensitiveGroup, RiskScore
| sort - RiskScore, - _time
Detects account additions to sensitive local and domain security groups using Windows Security Event IDs 4728 (global group), 4732 (local group), 4756 (universal group), and Sysmon Event ID 1 for net.exe/net1.exe /add commands. Assigns a risk score based on group sensitivity level (Critical/High/Medium). Combines both audit log events and process creation telemetry to maximize coverage.
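To see how the query's field mapping, sensitivity tiers and risk scoring behave on concrete events, here is an added Python re-implementation of the pipeline (not code from the original page or from Splunk) run over constructed sample events. It goes one step beyond the SPL by pulling the group name out of the net.exe command line, so a Sysmon-only hit gets the same tier as the matching Security event, and it shows why a PowerShell Add-LocalGroupMember call never reaches the scoring stage. The field names (TargetUserName, MemberName, MemberSid, SubjectUserName, User, CommandLine) are the ones the query uses; the sample events and account names are constructed.

```python
import re
# Sensitivity tiers and scores, mirroring the case() statements in the SPL query.
SENSITIVITY = [
    ("Critical", r"administrators|domain admins|enterprise admins|schema admins|group policy creator owners"),
    ("High", r"remote desktop users|remote management users|backup operators|account operators|server operators|"
             r"dnsadmins|dhcp administrators|exchange windows permissions|exchange trusted subsystem"),
    ("Medium", r"network configuration operators|print operators|cryptographic operators"),
]
RISK = {"Critical": 90, "High": 70, "Medium": 50, "Low": 30}
GROUP_EVENTS = {4728, 4732, 4756, 4746, 4751, 4761}  # member-added Security events from the query

def classify(group):
    # Same regex tiers as the SPL: substring match on the lower-cased group name, "Low" if nothing matches.
    return next((tier for tier, pat in SENSITIVITY if re.search(pat, (group or "").lower())), "Low")

def parse_net_add(cmdline):
    # Return (group, member) for 'net[1] localgroup|group <group> <member> /add', else None.
    # A quoted argument such as "Remote Desktop Users" stays one token.
    t = [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', cmdline or "")]
    if len(t) < 4 or not re.search(r"(^|\\)net1?(\.exe)?$", t[0], re.I):
        return None
    if t[1].lower() not in ("localgroup", "group") or "/add" not in [x.lower() for x in t[2:]]:
        return None
    return None if t[3].startswith("/") else (t[2], t[3])  # 'net localgroup X /add' creates a group only

def evaluate(event):
    # Apply the query's field mapping, filter and scoring to one event; None means filtered out.
    code = event.get("EventCode")
    if code in GROUP_EVENTS:
        group, member = event.get("TargetUserName"), event.get("MemberName") or event.get("MemberSid")
        actor, cmd = event.get("SubjectUserName"), "N/A"
    elif code == 1:
        parsed = parse_net_add(event.get("CommandLine"))
        if parsed is None:  # e.g. PowerShell Add-LocalGroupMember: no net.exe, so this clause cannot fire
            return None
        (group, member), actor, cmd = parsed, event.get("User"), event["CommandLine"]
    else:
        return None
    tier = classify(group)
    if tier == "Low" and code != 1:
        return None
    return {"GroupName": group, "AddedMember": member, "ActingAccount": actor,
            "CommandLineUsed": cmd, "SensitiveGroup": tier, "RiskScore": RISK[tier]}

def run_detection(events):
    # Surviving events sorted by descending RiskScore, like the query's final sort stage.
    return sorted((h for h in map(evaluate, events) if h), key=lambda h: -h["RiskScore"])

# Constructed sample events (not real telemetry) exercising both branches of the query.
SAMPLE_EVENTS = [
    {"EventCode": 4732, "TargetUserName": "Administrators", "MemberName": "argus-testuser", "SubjectUserName": "svc-deploy"},
    {"EventCode": 4728, "TargetUserName": "Domain Users", "MemberName": "CN=jdoe,OU=Staff,DC=example,DC=com", "SubjectUserName": "hr-onboard"},
    {"EventCode": 1, "User": "CORP\\jsmith", "CommandLine": 'net localgroup "Remote Desktop Users" argus-rdptest /add'},
    {"EventCode": 1, "User": "CORP\\jsmith", "CommandLine": "powershell -c Add-LocalGroupMember -Group Administrators -Member argus-pstest"},
]
```

Running run_detection(SAMPLE_EVENTS) keeps the Administrators (90) and Remote Desktop Users (70) additions, drops the Domain Users addition as a Low-tier group, and never sees the PowerShell event, which is the gap Test 3 below describes.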
Data Sources
- Windows Security event log: group membership change events 4728, 4732, 4756 (security groups) and 4746, 4751, 4761 (distribution groups), as selected by the query above
- Sysmon process creation (Event ID 1) for net.exe / net1.exe command lines
Required Sourcetypes
- WinEventLog:Security
- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
False Positives & Tuning
- IT administrators legitimately adding helpdesk or IT staff to Remote Desktop Users for support purposes
- Automated onboarding scripts that add new employees to standard role-based groups during provisioning
- Software deployment or patch management services (SCCM, Intune) adding service accounts to local admin groups on managed endpoints
- Domain controller domain join operations that add machine accounts to specific groups automatically
- Third-party backup software installers that add their service accounts to Backup Operators group
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Add User to Local Administrators Group via net localgroup
Expected signal: Security Event ID 4720 (user created: argus-testuser). Security Event ID 4732 (member added to local security group: Administrators, MemberName contains argus-testuser, SubjectUserName = executing account). Sysmon Event ID 1: Process Create with Image=net.exe, CommandLine containing 'localgroup Administrators argus-testuser /add'. Security Event ID 4688 (if command line auditing enabled).
- Test 2: Add User to Remote Desktop Users Group
Expected signal: Security Event ID 4720 (user created: argus-rdptest). Security Event ID 4732 (member added to local security group: Remote Desktop Users). Sysmon Event ID 1: net.exe process with CommandLine='net localgroup "Remote Desktop Users" argus-rdptest /add'. Security Event ID 4688 with same command line if command line auditing is enabled.
- Test 3: Add User to Local Administrators via PowerShell Add-LocalGroupMember
Expected signal: Security Event ID 4720 (user created: argus-pstest). Security Event ID 4732 (member added to local security group: Administrators). Sysmon Event ID 1: powershell.exe process with CommandLine containing 'Add-LocalGroupMember'. PowerShell ScriptBlock Log Event ID 4104 with full cmdlet call. Note: no net.exe process is created, so command-line detections for net.exe will NOT fire; only the audit event and PowerShell logging will capture this.
- Test 4: Add User Account to Domain Group via net group (Domain-joined only)
Expected signal: Security Event ID 4728 or 4756 on the Domain Controller (member added to global/universal security group). Sysmon Event ID 1 on the workstation: net.exe with CommandLine containing 'group "Remote Desktop Users" /add /domain'. Security Event ID 4688 on workstation (if command line auditing enabled). On DCs: SubjectUserName will be the account that ran the command, MemberName will be the added account's DN.
- Test 5: Add User to sudoers Group on Linux
Expected signal: Linux audit log (auditd): SYSCALL records for useradd and usermod execution with key fields showing the commands. /var/log/auth.log or /var/log/secure: entries showing usermod adding argus-sudotest to the sudo group. /etc/group modification timestamp changes detectable via inotify or file integrity monitoring. Syslog: usermod invocation with -aG sudo argus-sudotest arguments.