This note documents detection patterns related to AddMember Abuse within Active Directory environments.
## Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4728 | Member added to security-enabled global group | Critical | Primary indicator of AddMember abuse. Review SubjectUserName (who added) and MemberName (who was added). |
| Security | 4732 | Member added to security-enabled local group | Critical | Used when attackers add accounts to local administrative groups. |
| Security | 4756 | Member added to universal security group | High | Universal groups often grant cross-domain privileges. |
| Security | 4735 | Security-enabled local group changed | Medium | May accompany membership changes. |
| Security | 4672 | Special privileges assigned to new logon | High | If an attacker adds themselves to a privileged group, a privileged logon (4672) for that account may appear shortly after the membership change. |
| Sysmon | 1 | Process creation | Medium | Execution of PowerView, net.exe, or other tools performing group modifications. |
| Sysmon | 3 | Network connection | Medium | LDAP or SMB communication with domain controllers during modification. |
## Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Unexpected admin group membership | Account added to Domain Admins, Enterprise Admins, or Administrators | Critical | Classic privilege escalation technique. |
| Membership change outside maintenance window | Group changes during unusual hours | High | Potential attacker activity. |
| Group membership changes from workstation | Modification initiated from user workstation rather than admin server | High | Possible attacker-controlled host. |
| Immediate privileged actions after membership change | Account performing administrative actions shortly after group addition | Critical | Confirms privilege escalation. |
| Rapid membership modifications | Multiple accounts added to groups in short timeframe | Medium | Possible automated attack chain. |
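The indirect indicators above, and the 4672 follow-up noted in the direct indicators, are correlations rather than single-event matches. The following is an added example (not part of the original note) that runs them over parsed Security events. The event records are constructed inline in the flattened shape a SIEM returns after parsing the log; field names (EventID, SubjectUserName, SubjectLogonId, TargetUserName, MemberName, TargetLogonId, WorkstationName, IpAddress) follow the Windows Security event schema. The privileged-group list, the 08:00-17:59 maintenance window, the `ADM-` admin-host naming convention and the rapid-change thresholds are assumptions for the example. Because 4728/4732/4756 carry no source host, the source is recovered by joining SubjectLogonId to the matching 4624 logon's TargetLogonId.

```python
"""Correlate AD group-membership events with the indirect indicators.

Example code added to this note (not from the original). Events are
constructed sample telemetry; thresholds and naming rules are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MEMBERSHIP_EVENTS = {4728, 4732, 4756}   # member added to global / local / universal group
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "administrators", "schema admins"}
MAINTENANCE_HOURS = range(8, 18)         # assumption: changes expected 08:00-17:59
ADMIN_HOST_PREFIX = "ADM-"               # assumption: admin jump hosts are named ADM-*
RAPID_WINDOW = timedelta(minutes=5)      # assumption: 3+ additions by one subject in 5 min
RAPID_THRESHOLD = 3
PRIV_FOLLOWUP_WINDOW = timedelta(minutes=30)  # assumption: 4672 within 30 min of addition


def _ts(ev):
    return datetime.fromisoformat(ev["TimeCreated"])


def _member_cn(member_dn):
    # MemberName is a DN ("CN=jsmith,CN=Users,DC=corp,DC=example"); keep the CN only
    return member_dn.split(",")[0].split("=", 1)[-1].lower()


def analyze(events):
    """Return a list of (indicator, event) findings for membership changes."""
    events = sorted(events, key=_ts)
    # 4624 supplies the logon session -> source host mapping the 47xx events lack
    logon_source = {e["TargetLogonId"]: (e.get("WorkstationName") or e.get("IpAddress") or "?")
                    for e in events if e["EventID"] == 4624}
    priv_logons = [(e["SubjectUserName"].lower(), _ts(e)) for e in events if e["EventID"] == 4672]
    changes = [e for e in events if e["EventID"] in MEMBERSHIP_EVENTS]
    findings = []
    for ev in changes:
        t = _ts(ev)
        if ev["TargetUserName"].lower() in PRIVILEGED_GROUPS:
            findings.append(("privileged_group_addition", ev))
        if t.hour not in MAINTENANCE_HOURS:
            findings.append(("outside_maintenance_window", ev))
        src = logon_source.get(ev["SubjectLogonId"], "?")
        if not src.upper().startswith(ADMIN_HOST_PREFIX):
            findings.append(("change_from_non_admin_host", ev))
        # privileged logon by the added account shortly after it was added
        added = _member_cn(ev["MemberName"])
        if any(who == added and t < when <= t + PRIV_FOLLOWUP_WINDOW for who, when in priv_logons):
            findings.append(("privileged_logon_after_addition", ev))
    # rapid modification: RAPID_THRESHOLD additions by the same subject inside RAPID_WINDOW
    by_subject = defaultdict(list)
    for ev in changes:
        by_subject[ev["SubjectUserName"].lower()].append(ev)
    for evs in by_subject.values():
        for i, ev in enumerate(evs):
            burst = [e for e in evs[i:] if _ts(e) - _ts(ev) <= RAPID_WINDOW]
            if len(burst) >= RAPID_THRESHOLD:
                findings.append(("rapid_membership_modifications", ev))
                break
    return findings


SAMPLE_EVENTS = [  # constructed sample telemetry, not real log data
    {"EventID": 4624, "TimeCreated": "2024-03-02T02:10:00", "TargetUserName": "helpdesk1",
     "TargetLogonId": "0x5a3f1", "WorkstationName": "WS-HR-044", "IpAddress": "10.1.20.44"},
    {"EventID": 4728, "TimeCreated": "2024-03-02T02:14:33", "SubjectUserName": "helpdesk1",
     "SubjectLogonId": "0x5a3f1", "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc-backup,CN=Users,DC=corp,DC=example"},
    {"EventID": 4672, "TimeCreated": "2024-03-02T02:16:05", "SubjectUserName": "svc-backup"},
    {"EventID": 4624, "TimeCreated": "2024-03-02T10:00:00", "TargetUserName": "adm.jdoe",
     "TargetLogonId": "0x7b210", "WorkstationName": "ADM-JUMP01", "IpAddress": "10.0.0.5"},
    {"EventID": 4728, "TimeCreated": "2024-03-02T10:05:12", "SubjectUserName": "adm.jdoe",
     "SubjectLogonId": "0x7b210", "TargetUserName": "Print Operators",
     "MemberName": "CN=newhire,CN=Users,DC=corp,DC=example"},
]

if __name__ == "__main__":
    for indicator, ev in analyze(SAMPLE_EVENTS):
        print(f"{ev['TimeCreated']} {indicator}: {ev['SubjectUserName']} -> {ev['TargetUserName']}")
```

On the sample data only the 02:14 change by `helpdesk1` is flagged (privileged group, off hours, non-admin source host, and a 4672 for the added account two minutes later); the daytime change from the admin jump host produces nothing. A real deployment would load the privileged-group list from the directory rather than a constant, since well-known groups vary by language and many tier-0 groups are custom.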
## Common Tools
| Tool | Usage |
|---|---|
| net.exe | Used with net group or net localgroup to add members to groups. |
| PowerView | Uses Add-DomainGroupMember for AD group modification. |
| Impacket | LDAP scripts used to modify group memberships. |
| CrackMapExec | Automates privilege escalation through group manipulation. |
| ADSIEdit | Manual modification of group membership attributes. |
## Relevant Artifacts
- Domain controller Security logs (4728, 4732, 4756)
- LDAP modification logs
- Active Directory object metadata
- Sysmon logs (1, 3)
- EDR telemetry identifying AD manipulation tools
- Directory replication metadata
- Prefetch artifacts showing execution of net.exe or PowerView
- Authentication logs following privilege escalation
## MITRE ATT&CK References
- T1098 Account Manipulation
- T1078 Valid Accounts
- T1484 Domain Policy Modification
## Decision Tree
- Is the suspicious event present?
  - Identify the group membership modification (4728 / 4732 / 4756).
- What host generated the event?
  - Determine the workstation that performed the modification.
- Is the account expected to perform this action?
  - Investigate whether SubjectUserName normally administers group memberships.
- Pivot:
  - Source host → inspect execution of net.exe, PowerView, or LDAP tools.
  - Target group → review privilege level and security impact.
  - Account added → investigate activity after privilege escalation.
- Confirm exploitation
  - Determine whether the attacker added themselves or a controlled account to a privileged group.
## Example Detection Templates

### KQL

```kql
SecurityEvent
| where EventID in (4728, 4732, 4756)
| project TimeGenerated, SubjectUserName, TargetUserName, MemberName

SecurityEvent
| where EventID == 4672
| project TimeGenerated, SubjectUserName
```

### EQL

```eql
any where event.code in ("4728", "4732", "4756")
```

### Sigma

```yaml
title: Suspicious Active Directory Group Membership Addition
id: addmember-abuse-detection
status: experimental
description: Detects accounts added to security groups which may indicate privilege escalation
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID:
      - 4728
      - 4732
      - 4756
  condition: selection
fields:
  - SubjectUserName
  - MemberName
falsepositives:
  - Legitimate administrative group management
level: medium
tags:
  - attack.privilege_escalation
  - attack.t1098
```
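The Sigma rule's `selection` and `fields` map onto the raw Security event XML that an EVTX export or a forwarder produces, where EventID sits under `System` and SubjectUserName / MemberName / TargetUserName are `Data` elements under `EventData`. The following added example (not part of the original note) applies that selection to such records and pulls out the rule's output fields. The XML layout is the standard Windows event schema; the two records are constructed samples.

```python
"""Apply the Sigma selection above to Windows Security events exported as XML.

Example code added to this note (not from the original). The sample records
are constructed; the element layout is the standard Windows event schema.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SELECTION_EVENT_IDS = {"4728", "4732", "4756"}   # Sigma 'selection' EventID list
RULE_FIELDS = ("SubjectUserName", "MemberName")  # Sigma 'fields' list


def parse_event(xml_text):
    """Flatten one <Event> into a dict: EventID, TimeCreated, Computer plus EventData."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    rec = {
        "EventID": system.findtext("e:EventID", namespaces=NS),
        "TimeCreated": system.find("e:TimeCreated", NS).get("SystemTime"),
        "Computer": system.findtext("e:Computer", namespaces=NS),
    }
    for data in root.iterfind("e:EventData/e:Data", NS):
        rec[data.get("Name")] = data.text or ""
    return rec


def match_rule(events_xml):
    """Return the rule's output fields for every event the selection matches."""
    hits = []
    for xml_text in events_xml:
        rec = parse_event(xml_text)
        if rec["EventID"] in SELECTION_EVENT_IDS:
            hit = {"EventID": rec["EventID"], "TimeCreated": rec["TimeCreated"],
                   "Computer": rec["Computer"],
                   "TargetUserName": rec.get("TargetUserName", "")}  # the group that changed
            hit.update({f: rec.get(f, "") for f in RULE_FIELDS})
            hits.append(hit)
    return hits


SAMPLE_XML = [  # constructed sample records, not real log data
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4728</EventID>
    <TimeCreated SystemTime="2024-03-02T02:14:33.000000Z"/>
    <Computer>DC01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="MemberName">CN=svc-backup,CN=Users,DC=corp,DC=example</Data>
    <Data Name="MemberSid">S-1-5-21-1111-2222-3333-1105</Data>
    <Data Name="TargetUserName">Domain Admins</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="SubjectUserName">helpdesk1</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x5a3f1</Data>
  </EventData>
</Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2024-03-02T02:10:00.000000Z"/>
    <Computer>DC01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">helpdesk1</Data>
    <Data Name="LogonType">3</Data>
  </EventData>
</Event>""",
]

if __name__ == "__main__":
    for hit in match_rule(SAMPLE_XML):
        print(hit)
```

Only the 4728 record matches; the 4624 logon is parsed but dropped by the selection. Note that in 4728/4732/4756 the group is in TargetUserName and the added principal in MemberName (a DN, or `-` with only MemberSid populated for some local-group additions), so the rule's two `fields` alone do not identify which group was touched.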
## Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Privilege review | Audit AD group management permissions | Critical | Restrict who can modify privileged groups. |
| Least privilege | Limit membership modification rights | High | Reduces escalation opportunities. |
| Monitoring | Alert on additions to privileged groups | High | Detects escalation attempts quickly. |
| Privileged access management | Use dedicated admin accounts | High | Limits impact of compromised users. |
| Change management | Require approval for privileged group changes | Medium | Helps distinguish legitimate activity. |