title: Additional Local or Domain Groups (T1098.007)
id: df00tech-t1098-007
status: experimental
description: "An adversary may add additional local or domain groups to an adversary-controlled account to maintain persistent access to a system or domain. On Windows, accounts may use the net localgroup and net group commands to add existing users to local and domain groups. Accounts may be added to the local administrators group, Remote Desktop Users group, or VPN user groups. On Linux, adversaries may use usermod to add accounts to the sudoers group. In Windows environments, machine accounts may also be added to domain groups, allowing the local SYSTEM account to gain privileges on the domain."
references:
  - https://attack.mitre.org/techniques/T1098/007/
  - https://df00tech.com/detections/T1098.007
author: df00tech
date: 2026/04/13
tags:
  - attack.t1098.007
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - IT administrators legitimately adding helpdesk or IT staff to Remote Desktop Users for support purposes
  - Automated onboarding scripts that add new employees to standard role-based groups during provisioning
  - "Software deployment or patch management services (SCCM, Intune) adding service accounts to local admin groups on managed endpoints"
  - Domain join operations that automatically add machine accounts to specific groups
  - Third-party backup software installers that add their service accounts to the Backup Operators group
level: high
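As an added example (not the df00tech rule's own logic, which the rule above notes could not be auto-translated), this Python detector applies the indicators from the description to constructed process_creation events: `net`/`net1` with `localgroup` or `group` and `/add` for local and domain groups (including a machine account being added to a domain group), and `usermod -G`/`--groups` placing an account in a sudo-style group. The watched group names, event shapes and sample command lines are assumptions for illustration.

```python
import shlex

# Constructed sample process_creation events; none come from a real host.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\net.exe", "CommandLine": "net localgroup Administrators backupsvc /add"},
    {"Image": r"C:\Windows\System32\net1.exe", "CommandLine": 'net1 group "Domain Admins" WS01$ /add /domain'},
    {"Image": r"C:\Windows\System32\net.exe", "CommandLine": "net localgroup Administrators"},  # enumeration only
    {"Image": "/usr/sbin/usermod", "CommandLine": "usermod -aG sudo deploy"},
    {"Image": "/usr/sbin/usermod", "CommandLine": "usermod -s /bin/bash deploy"},  # shell change, no group
]

# Groups whose membership changes deserve an alert; illustrative, tune per environment.
WATCHED_WINDOWS_GROUPS = {"administrators", "remote desktop users", "backup operators", "domain admins"}
WATCHED_LINUX_GROUPS = {"sudo", "wheel", "admin"}

def classify(event):
    """Return a hit dict for an addition to a watched group, or None otherwise."""
    try:
        argv = shlex.split(event["CommandLine"], posix=False)  # keeps "Domain Admins" as one token
    except ValueError:
        return None
    if len(argv) < 3:
        return None
    exe = argv[0].lower().strip('"').replace("\\", "/").rsplit("/", 1)[-1]
    if exe in {"net", "net.exe", "net1", "net1.exe"} and argv[1].lower() in {"localgroup", "group"}:
        flags = {t.lower() for t in argv[2:] if t.startswith("/")}
        args = [t.strip('"') for t in argv[2:] if not t.startswith("/")]
        if "/add" not in flags or len(args) < 2:  # need group AND member; "/add" alone creates a group
            return None
        group = args[0].lower()
        if group not in WATCHED_WINDOWS_GROUPS:
            return None
        scope = "domain" if argv[1].lower() == "group" or "/domain" in flags else "local"
        return {"platform": "windows", "scope": scope, "group": group, "member": args[1]}
    if exe == "usermod":  # -G/--groups lists supplementary groups; -a appends instead of replacing
        groups = []
        for i, tok in enumerate(argv[1:-1], start=1):
            if tok.startswith("--groups="):
                groups = tok.split("=", 1)[1].split(",")
            elif tok == "--groups" or (tok.startswith("-") and not tok.startswith("--") and "G" in tok):
                groups = argv[i + 1].split(",")
        watched = sorted(g.lower() for g in groups if g.lower() in WATCHED_LINUX_GROUPS)
        if not watched:
            return None
        return {"platform": "linux", "scope": "local", "group": watched[0], "member": argv[-1]}
    return None

def scan(events):
    return [h for h in map(classify, events) if h]
```

Enumeration-only `net localgroup` calls and `usermod` invocations that touch no watched group are deliberately ignored, which keeps the hit list to the membership changes the rule is about.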
