Suspicious Addition to Local or Domain Groups

ID: DET0310
Domains: Enterprise
Analytics: AN0865, AN0866, AN0867
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0865

Detects unauthorized additions of users or machine accounts to privileged local or domain groups (e.g., Administrators, Remote Desktop Users).

Log Sources

Data Component                     | Name                 | Channel
User Account Modification (DC0010) | WinEventLog:Security | EventCode=4728, 4729, 4732, 4733, 4756, 4757

Mutable Elements

Field       | Description
TargetGroup | Set to detect high-privileged groups like 'Administrators', 'Domain Admins', or 'Remote Desktop Users'
TimeWindow  | Restrict detections to business hours or approved maintenance windows
UserContext | Filter out known automated processes or provisioning systems

AN0866

Detects unexpected use of usermod, gpasswd, or direct modification of /etc/group to elevate user group membership.

Log Sources

Data Component                     | Name          | Channel
User Account Modification (DC0010) | auditd:SYSCALL | SYSCALL for usermod or /etc/group file modification

Mutable Elements

Field       | Description
GroupName   | Focus on 'sudo', 'wheel', or custom high-privilege groups
UserContext | Account that initiated the change (e.g., service account or unrecognized user)
TimeWindow  | Detect elevation outside change windows

AN0867

Detects use of dseditgroup or dscl to add users to privileged macOS groups (e.g., admin).

Log Sources

Data Component                     | Name             | Channel
User Account Modification (DC0010) | macos:unifiedlog | Process execution or directory service changes

Mutable Elements

Field       | Description
GroupName   | Focus on 'admin' or 'com.apple.access_ssh'
UserContext | Detect unknown or transient users making group changes
TimeWindow  | Detect group modifications at suspicious times
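An added example (not from the ATT&CK page or MITRE) showing how the mutable elements of AN0865, AN0866 and AN0867 (TargetGroup/GroupName, UserContext, TimeWindow) combine into one rule over constructed, pre-normalised group-membership events; the event field names, the `action` field used for the auditd and unified log records, and the approved-actor and business-hours values are assumptions.

```python
from datetime import datetime

ADD_CODES = {4728, 4732, 4756}  # Windows: member added to global/local/universal group

# TargetGroup / GroupName: privileged groups named across the three analytics.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Remote Desktop Users",
                     "sudo", "wheel", "admin", "com.apple.access_ssh"}
# UserContext: accounts allowed to change membership (assumed provisioning system).
APPROVED_ACTORS = {"CORP\\provisioning-svc"}
# TimeWindow: approved hours (local time, 24h) on weekdays (assumed values).
BUSINESS_HOURS = (8, 18)
# Constructed sample events, already normalised to one shape (assumed fields).
EVENTS = [
    {"source": "windows", "event_code": 4732, "group": "Administrators", "member": "CORP\\jdoe",
     "actor": "CORP\\helpdesk1", "time": "2025-10-21T22:15:00"},
    {"source": "windows", "event_code": 4728, "group": "Domain Admins", "member": "CORP\\svc-backup",
     "actor": "CORP\\provisioning-svc", "time": "2025-10-21T10:05:00"},
    {"source": "windows", "event_code": 4733, "group": "Administrators", "member": "CORP\\jdoe",
     "actor": "CORP\\helpdesk1", "time": "2025-10-21T23:00:00"},
    {"source": "linux", "action": "add", "group": "sudo", "member": "webapp",
     "actor": "www-data", "time": "2025-10-21T03:40:00"},
    {"source": "linux", "action": "add", "group": "wheel", "member": "dev2",
     "actor": "root", "time": "2025-10-21T11:00:00"},
    {"source": "macos", "action": "add", "group": "admin", "member": "guest",
     "actor": "tmpuser", "time": "2025-10-21T14:00:00"},
]

def is_addition(event):
    """Windows adds are identified by event code; auditd/unified log samples carry an action field."""
    if event["source"] == "windows":
        return event["event_code"] in ADD_CODES
    return event.get("action") == "add"

def in_window(timestamp):
    t = datetime.fromisoformat(timestamp)
    return t.weekday() < 5 and BUSINESS_HOURS[0] <= t.hour < BUSINESS_HOURS[1]

def evaluate(events):
    """One alert per privileged-group addition by a non-approved actor; out-of-window changes are high."""
    alerts = []
    for ev in events:
        if not is_addition(ev) or ev["group"] not in PRIVILEGED_GROUPS:
            continue  # removals and non-privileged groups are not alerted on
        if ev["actor"] in APPROVED_ACTORS:
            continue  # known provisioning system (UserContext filter)
        severity = "medium" if in_window(ev["time"]) else "high"
        alerts.append({"source": ev["source"], "member": ev["member"], "group": ev["group"],
                       "actor": ev["actor"], "severity": severity})
    return alerts
```

Removal codes (4729, 4733, 4757) are left unalerted here but belong in the same search so the add/remove pair is visible when triaging.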