T1098.007 Sumo Logic CSE · Sumo

Detect Additional Local or Domain Groups in Sumo Logic CSE

An adversary may add additional local or domain groups to an adversary-controlled account to maintain persistent access to a system or domain. On Windows, accounts may use the net localgroup and net group commands to add existing users to local and domain groups. Accounts may be added to the local administrators group, Remote Desktop Users group, or VPN user groups. On Linux, adversaries may use usermod to add accounts to the sudoers group. In Windows environments, machine accounts may also be added to domain groups, allowing the local SYSTEM account to gain privileges on the domain.

MITRE ATT&CK

Tactic
Persistence, Privilege Escalation
Technique
T1098 Account Manipulation
Sub-technique
T1098.007 Additional Local or Domain Groups
Canonical reference
https://attack.mitre.org/techniques/T1098/007/

Sumo Detection Query

Sumo Logic CSE (Sumo)

```sql
(_sourceCategory="*windows*" OR _sourceCategory="*sysmon*")
// EventID is 1 for Sysmon process creation and four digits for Security events;
// \W+ accepts the "=", ": " and JSON-style ":" separators between key and value
| parse regex "\bEventID\W+(?<EventID>\d{1,4})" nodrop
// Optional quotes plus a lookahead to the next separator keep multi-word group names
// such as Remote Desktop Users intact instead of stopping at the first space
| parse regex "\bTargetUserName\W+\"?(?<TargetUserName>[^\",\r\n]+?)\"?(?=\s*[,}\r\n]|\s*$|\s+\w+\s*[=:])" nodrop
| parse regex "\bMemberName\W+\"?(?<MemberName>[^\",\r\n]+?)\"?(?=\s*[,}\r\n]|\s*$|\s+\w+\s*[=:])" nodrop
| parse regex "\bSubjectUserName\W+\"?(?<SubjectUserName>[^\",\r\n]+?)\"?(?=\s*[,}\r\n]|\s*$|\s+\w+\s*[=:])" nodrop
// Command lines legitimately contain quotes and spaces, so take the rest of the line
| parse regex "\bCommandLine\W+(?<CommandLine>[^\r\n]+)" nodrop
// \b keeps Image from matching inside ParentImage
| parse regex "\bImage\W+\"?(?<Image>[^\",\r\n]+?)\"?(?=\s*[,}\r\n]|\s*$|\s+\w+\s*[=:])" nodrop
| where (
    EventID in ("4728","4732","4756","4761","4751","4746")
    and toLowerCase(TargetUserName) in (
      "administrators","domain admins","enterprise admins","schema admins",
      "group policy creator owners","remote desktop users","remote management users",
      "network configuration operators","backup operators","account operators",
      "server operators","dnsadmins","dhcp administrators",
      "exchange windows permissions","exchange trusted subsystem"
    )
  )
  or (
    EventID = "1"
    and (toLowerCase(Image) matches "*net.exe*" or toLowerCase(Image) matches "*net1.exe*")
    and toLowerCase(CommandLine) matches "*/add*"
    and (
      toLowerCase(CommandLine) matches "*localgroup*"
      or toLowerCase(CommandLine) matches "* group *"
    )
  )
// Sysmon events carry no TargetUserName, so they fall into the Medium tier
| if(
    toLowerCase(TargetUserName) in ("administrators","domain admins","enterprise admins","schema admins"),
    "Critical",
    if(
      toLowerCase(TargetUserName) in ("remote desktop users","backup operators","account operators","server operators","remote management users"),
      "High",
      "Medium"
    )
  ) as SensitiveGroup
| fields _messageTime, _sourceHost, EventID, TargetUserName, MemberName, SubjectUserName, CommandLine, SensitiveGroup
| sort by _messageTime desc
```

Severity: High · Confidence: Medium

Detects account additions to sensitive local and domain groups using regex field extraction from Windows Security and Sysmon logs ingested via Sumo Logic collectors, with risk classification by target group sensitivity.
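To exercise the detection logic without a Sumo Logic tenant, the following Python script re-implements the same rule (the Security event IDs, the sensitive-group list, the net.exe command-line branch and the Critical/High/Medium tiers) and replays it over a handful of constructed events. This is an added example, not the page's query and not Sumo Logic code; it assumes events arrive either as `key=value` text or as JSON-style `"key":"value"` pairs, and the sample events, hostnames and account names are constructed for the example.

```python
"""Offline replay of the T1098.007 group-addition detection.

Added example, not the page's own query: it mirrors the rule's logic in Python
so it can be run against constructed sample events. Field extraction accepts
both key=value and JSON-style "key":"value" shapes (an assumption about the
collector output) and keeps multi-word group names such as Remote Desktop Users
whole, which a pattern stopping at the first space would not.
"""
import re

# Security-log event IDs for "member added to a security-enabled group"
GROUP_ADD_EVENT_IDS = {"4728", "4732", "4756", "4761", "4751", "4746"}

# Severity tiers, mirroring the query's SensitiveGroup classification
CRITICAL_GROUPS = {"administrators", "domain admins", "enterprise admins", "schema admins"}
HIGH_GROUPS = {"remote desktop users", "backup operators", "account operators",
               "server operators", "remote management users"}
MEDIUM_GROUPS = {"group policy creator owners", "network configuration operators",
                 "dnsadmins", "dhcp administrators",
                 "exchange windows permissions", "exchange trusted subsystem"}
SENSITIVE_GROUPS = CRITICAL_GROUPS | HIGH_GROUPS | MEDIUM_GROUPS

# A value may be bare (key=value) or quoted (JSON-style). The lazy capture plus the
# lookahead stops at the next separator or "key=" token, so spaces inside a group
# name are preserved.
_VALUE = r'"?(?P<val>[^",\r\n]+?)"?(?=\s*[,}\r\n]|\s*$|\s+\w+\s*[=:])'
FIELD_PATTERNS = {
    # Sysmon process creation is EventID 1; Security events are four digits
    "EventID": re.compile(r"\bEventID\W+(?P<val>\d{1,4})"),
    "TargetUserName": re.compile(r"\bTargetUserName\W+" + _VALUE),
    "MemberName": re.compile(r"\bMemberName\W+" + _VALUE),
    "SubjectUserName": re.compile(r"\bSubjectUserName\W+" + _VALUE),
    # Command lines legitimately contain quotes and spaces, so take the rest of the line
    "CommandLine": re.compile(r"\bCommandLine\W+(?P<val>[^\r\n]+)"),
    # \b keeps "Image" from matching inside "ParentImage"
    "Image": re.compile(r"\bImage\W+" + _VALUE),
}


def parse_fields(event):
    """Extract the fields the query parses; absent fields are None (like nodrop)."""
    fields = {}
    for name, pattern in FIELD_PATTERNS.items():
        match = pattern.search(event)
        fields[name] = match.group("val") if match else None
    return fields


def classify_group(group):
    """Severity tier for a target group; unknown or missing groups are Medium."""
    group = (group or "").lower()
    if group in CRITICAL_GROUPS:
        return "Critical"
    if group in HIGH_GROUPS:
        return "High"
    return "Medium"


def is_net_group_add(fields):
    """Sysmon branch: net.exe / net1.exe invoked with /add and localgroup or group."""
    image = (fields["Image"] or "").lower()
    cmdline = (fields["CommandLine"] or "").lower()
    return (fields["EventID"] == "1"
            and ("net.exe" in image or "net1.exe" in image)
            and "/add" in cmdline
            and ("localgroup" in cmdline or " group " in cmdline))


def evaluate(event):
    """Return the enriched event when the detection fires, else None."""
    fields = parse_fields(event)
    target = (fields["TargetUserName"] or "").lower()
    audit_hit = fields["EventID"] in GROUP_ADD_EVENT_IDS and target in SENSITIVE_GROUPS
    if audit_hit or is_net_group_add(fields):
        # Sysmon events carry no TargetUserName, so they land in the Medium tier
        fields["SensitiveGroup"] = classify_group(target)
        return fields
    return None


def run_detection(events):
    """Apply the detection to every event and return the hits in input order."""
    return [hit for hit in map(evaluate, events) if hit]


# Constructed sample events (not real telemetry); hostnames and accounts are made up
SAMPLE_EVENTS = [
    # Security 4732: local Administrators (Critical)
    "EventID=4732 SubjectUserName=jdoe TargetUserName=Administrators MemberName=CORP\\argus-testuser",
    # Security 4732: multi-word group name (High)
    "EventID=4732 SubjectUserName=jdoe TargetUserName=Remote Desktop Users MemberName=CORP\\argus-rdptest",
    # Security 4728 in JSON shape, as seen on a domain controller (Critical)
    '{"EventID":"4728","SubjectUserName":"jdoe","TargetUserName":"Domain Admins",'
    '"MemberName":"CN=argus-testuser,CN=Users,DC=corp,DC=local"}',
    # Sysmon 1: net localgroup with /add (Medium, no group field to classify)
    "EventID=1 Image=C:\\Windows\\System32\\net.exe "
    'CommandLine=net localgroup "Remote Desktop Users" argus-rdptest /add',
    # Benign: group not on the sensitive list, so no hit
    "EventID=4732 SubjectUserName=jdoe TargetUserName=Performance Log Users MemberName=CORP\\helpdesk",
    # PowerShell Add-LocalGroupMember: no net.exe, so the command-line branch stays silent
    "EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell -c Add-LocalGroupMember -Group Administrators -Member argus-pstest",
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit["EventID"], hit["TargetUserName"], hit["MemberName"], hit["SensitiveGroup"])
```

The last sample event shows the gap the testing section calls out: a PowerShell cmdlet adds the member without spawning net.exe, so only the Security 4732 event (or PowerShell script-block logging) reveals it, not the process-creation branch.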

Data Sources

  • Windows Security Event Log via Sumo Logic installed collector
  • Sysmon operational log via Sumo Logic installed collector

Required Tables

Sumo Logic partitions indexed from Windows and Sysmon _sourceCategory paths

False Positives & Tuning

  • Scheduled IT provisioning tasks adding service accounts or new employees to required security groups during onboarding automation pipelines
  • Active Directory domain join operations that automatically place machine accounts into domain groups as part of the computer account provisioning process
  • Security team performing authorized red team exercises or penetration testing that includes group membership modification as part of the engagement scope
Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Add User to Local Administrators Group via net localgroup

    Expected signal: Security Event ID 4720 (user created: argus-testuser). Security Event ID 4732 (member added to local security group: Administrators, MemberName contains argus-testuser, SubjectUserName = executing account). Sysmon Event ID 1: Process Create with Image=net.exe, CommandLine containing 'localgroup Administrators argus-testuser /add'. Security Event ID 4688 (if command line auditing enabled).

  2. Test 2: Add User to Remote Desktop Users Group

    Expected signal: Security Event ID 4720 (user created: argus-rdptest). Security Event ID 4732 (member added to local security group: Remote Desktop Users). Sysmon Event ID 1: net.exe process with CommandLine='net localgroup "Remote Desktop Users" argus-rdptest /add'. Security Event ID 4688 with same command line if command line auditing is enabled.

  3. Test 3: Add User to Local Administrators via PowerShell Add-LocalGroupMember

    Expected signal: Security Event ID 4720 (user created: argus-pstest). Security Event ID 4732 (member added to local security group: Administrators). Sysmon Event ID 1: powershell.exe process with CommandLine containing 'Add-LocalGroupMember'. PowerShell ScriptBlock Log Event ID 4104 with full cmdlet call. Note: no net.exe process is created, so command-line detections for net.exe will NOT fire — only audit event and PowerShell logging will capture this.

  4. Test 4: Add User Account to Domain Group via net group (Domain-joined only)

    Expected signal: Security Event ID 4728 or 4756 on the Domain Controller (member added to global/universal security group). Sysmon Event ID 1 on the workstation: net.exe with CommandLine containing 'group "Remote Desktop Users" /add /domain'. Security Event ID 4688 on workstation (if command line auditing enabled). On DCs: SubjectUserName will be the account that ran the command, MemberName will be the added account's DN.

  5. Test 5: Add User to sudoers Group on Linux

    Expected signal: Linux audit log (auditd): SYSCALL records for useradd and usermod execution with key fields showing the commands. /var/log/auth.log or /var/log/secure: entries showing usermod adding argus-sudotest to sudo group. /etc/group modification timestamp changes detectable via inotify or file integrity monitoring. Syslog: usermod invocation with -aG sudo argus-sudotest arguments.
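The Sumo query above only covers Windows telemetry, so Test 5's Linux signal needs its own logic. The script below, an added example that is not part of the page's detection package, parses /var/log/auth.log-style lines and raises an alert when usermod or gpasswd adds an account to a privileged group. It assumes the syslog message formats that shadow-utils' usermod ("add 'USER' to group 'GROUP'") and gpasswd ("user USER added by ACTOR to group GROUP") write; the hostnames, PIDs and accounts in the sample log are constructed.

```python
"""Detect account additions to privileged Linux groups from auth.log lines.

Added example, not the page's own code. Assumed message formats: shadow-utils'
usermod logs "add 'USER' to group 'GROUP'" (and once more for the shadow group),
gpasswd logs "user USER added by ACTOR to group GROUP". Sample lines are constructed.
"""
import re

# Groups whose membership grants root-equivalent rights on common distributions
PRIVILEGED_GROUPS = {"sudo", "wheel", "admin", "root"}

# Classic syslog prefix: "Mon DD HH:MM:SS host "
_PREFIX = r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
PATTERNS = [
    # usermod writes one line for /etc/group and one for /etc/gshadow; both match here
    re.compile(_PREFIX + r"usermod\[\d+\]: add '(?P<user>[^']+)' to (?:shadow )?group '(?P<group>[^']+)'$"),
    re.compile(_PREFIX + r"gpasswd\[\d+\]: user (?P<user>\S+) added by (?P<actor>\S+) to group (?P<group>\S+)$"),
]


def parse_group_add(line):
    """Return {ts, host, user, group, actor} for a membership change, else None."""
    for pattern in PATTERNS:
        match = pattern.match(line)
        if match:
            fields = match.groupdict()
            fields.setdefault("actor", None)  # usermod lines do not name the actor
            return fields
    return None


def detect_privileged_group_adds(log_text):
    """Alerts for additions to privileged groups, de-duplicated on (host, user, group)
    so usermod's group / shadow-group pair yields a single alert."""
    alerts, seen = [], set()
    for line in log_text.splitlines():
        fields = parse_group_add(line)
        if not fields or fields["group"] not in PRIVILEGED_GROUPS:
            continue
        key = (fields["host"], fields["user"], fields["group"])
        if key in seen:
            continue
        seen.add(key)
        alerts.append(fields)
    return alerts


# Constructed auth.log excerpt (not real telemetry)
SAMPLE_AUTH_LOG = """\
Jan 10 09:12:01 build01 usermod[4121]: add 'argus-sudotest' to group 'sudo'
Jan 10 09:12:01 build01 usermod[4121]: add 'argus-sudotest' to shadow group 'sudo'
Jan 10 09:15:44 build01 usermod[4170]: add 'deploy' to group 'docker'
Jan 10 09:20:03 build01 gpasswd[4201]: user alice added by root to group wheel
Jan 10 09:21:10 build01 sshd[4222]: Accepted publickey for alice from 10.0.0.5 port 50022
"""

if __name__ == "__main__":
    for alert in detect_privileged_group_adds(SAMPLE_AUTH_LOG):
        print(alert["ts"], alert["host"], alert["user"], "->", alert["group"], "by", alert["actor"])
```

De-duplicating on host, user and group matters in practice: a single `usermod -aG sudo` produces two syslog lines, and without the check every real change would page twice.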
