Account Manipulation: Additional Local or Domain Groups

An adversary may add additional local or domain groups to an adversary-controlled account to maintain persistent access to a system or domain.

On Windows, accounts may use the net localgroup and net group commands to add existing users to local and domain groups.[1][2] On Linux, adversaries may use the usermod command for the same purpose.[3]

For example, accounts may be added to the local administrators group on Windows devices to maintain elevated privileges. They may also be added to the Remote Desktop Users group, which allows them to leverage Remote Desktop Protocol to log into the endpoints in the future.[4] Adversaries may also add accounts to VPN user groups to gain future persistence on the network.[5] On Linux, accounts may be added to the sudoers group, allowing them to persistently leverage Sudo and Sudo Caching for elevated privileges.

In Windows environments, machine accounts may also be added to domain groups. This allows the local SYSTEM account to gain privileges on the domain.[6]

ID: T1098.007
Sub-technique of: T1098
Platforms: Linux, Windows, macOS
Contributors: Madhukar Raina (Senior Security Researcher - Hack The Box, UK)
Version: 1.1
Created: 05 August 2024
Last Modified: 26 September 2025

Procedure Examples

ID Name Description
G0022 APT3

APT3 has been known to add created accounts to local admin groups to maintain elevated access.[7]

G0096 APT41

APT41 has added user accounts to the User and Admin groups.[8]

G1023 APT5

APT5 has created their own accounts with Local Administrator privileges to maintain access to systems with short-cycle credential rotation.[9]

S1111 DarkGate

DarkGate elevates accounts created through the malware to the local administration group during execution.[10]

G0035 Dragonfly

Dragonfly has added newly created accounts to the administrators group to maintain elevated access.[11]

G1016 FIN13

FIN13 has assigned newly created accounts the sysadmin role to maintain persistence.[12]

G0094 Kimsuky

Kimsuky has added accounts to specific groups with net localgroup.[13]

G0059 Magic Hound

Magic Hound has added a user named DefaultAccount to the Administrators and Remote Desktop Users groups.[14]

S0039 Net

The net localgroup and net group commands in Net can be used to add existing users to local and domain groups.[1][2]

S0382 ServHelper

ServHelper has added a user named "supportaccount" to the Remote Desktop Users and Administrators groups.[15]

S0649 SMOKEDHAM

SMOKEDHAM has added user accounts to local Admin groups.[16]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0310 Suspicious Addition to Local or Domain Groups

AN0865: Detects unauthorized additions of users or machine accounts to privileged local or domain groups (e.g., Administrators, Remote Desktop Users).

AN0866: Detects unexpected use of usermod, gpasswd, or direct modification of /etc/group to elevate user group membership.

AN0867: Detects use of dseditgroup or dscl to add users to privileged macOS groups (e.g., admin).
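The three analytics above, as an added example that is not part of the ATT&CK page or any cited reference: a Python check that flags the group additions they describe, including the machine-account case from the technique description, run over constructed sample telemetry. The Security event IDs (4732/4728/4756), the shadow-utils syslog wording, the dseditgroup command-line shape and the privileged-group lists are assumptions of this example.

```python
import re

# Constructed group lists for this example; tune them to the monitored environment.
PRIVILEGED_GROUPS = {"windows": {"administrators", "remote desktop users", "domain admins"},
                     "linux": {"sudo", "wheel"}, "macos": {"admin", "wheel"}}
# Windows Security log: member added to a security-enabled local (4732), global (4728) or universal (4756) group.
WINDOWS_ADD_EVENT_IDS = {4732, 4728, 4756}
# shadow-utils syslog wording for usermod/gpasswd, and a dseditgroup command line (assumed formats, see samples).
UNIX_PATTERNS = {
    "linux": [
        re.compile(r"usermod\[\d+\]: add '(?P<user>[^']+)' to (?:shadow )?group '(?P<group>[^']+)'"),
        re.compile(r"gpasswd\[\d+\]: user (?P<user>\S+) added by \S+ to group (?P<group>\S+)"),
    ],
    "macos": [re.compile(r"dseditgroup\b.* -a (?P<user>\S+)(?: -t \S+)? (?P<group>\S+)\s*$")],
}

def check_windows_event(event):
    """event: dict flattened from a Security record (EventID, SubjectUser, MemberName, TargetGroup)."""
    if event["EventID"] not in WINDOWS_ADD_EVENT_IDS:
        return None
    reasons = []
    if event["TargetGroup"].lower() in PRIVILEGED_GROUPS["windows"]:
        reasons.append("privileged group")
    # Machine accounts end in '$'; placing one in a domain group gives that host's SYSTEM account domain rights.
    if event["MemberName"].endswith("$") and event["EventID"] in (4728, 4756):
        reasons.append("machine account added to domain group")
    return (event["SubjectUser"], event["MemberName"], event["TargetGroup"], reasons) if reasons else None

def check_unix_line(line, platform):
    """Linux syslog line or macOS process command line; returns (user, group) when the group is privileged."""
    for pat in UNIX_PATTERNS[platform]:
        m = pat.search(line)
        if m and m.group("group").lower() in PRIVILEGED_GROUPS[platform]:
            return (m.group("user"), m.group("group"))
    return None

# Constructed sample telemetry, not real log data.
SAMPLE_WINDOWS = [
    {"EventID": 4732, "SubjectUser": "svc_backup", "MemberName": "supportaccount", "TargetGroup": "Remote Desktop Users"},
    {"EventID": 4732, "SubjectUser": "jdoe", "MemberName": "jdoe", "TargetGroup": "Print Operators"},
    {"EventID": 4728, "SubjectUser": "helpdesk", "MemberName": "WS01$", "TargetGroup": "Workstation Admins"},
]
SAMPLE_UNIX = [
    ("usermod[4012]: add 'alice' to group 'sudo'", "linux"),
    ("gpasswd[4020]: user bob added by root to group sudo", "linux"),
    ("dseditgroup -o edit -a eve -t user admin", "macos"),
]
def run_samples():
    wins = [r for r in (check_windows_event(e) for e in SAMPLE_WINDOWS) if r]
    unix = [r for r in (check_unix_line(l, p) for l, p in SAMPLE_UNIX) if r]
    return wins, unix
```

The Print Operators addition is deliberately not flagged, which shows why the group list has to be maintained for the environment rather than matching every group change.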

References