Event 4728: A member was added to a security-enabled global group.
Quick Answer
Event 4728 logs when a user is added to a security-enabled global group in Active Directory. This event is critical for detecting privilege escalation, unauthorized administrative access, and persistence mechanisms where attackers add compromised accounts to privileged groups like Domain Admins, Enterprise Admins, or custom administrative groups.
Technical Details
Event ID: 4728
Windows Security- Account Management
Event Description
A member was added to a security-enabled global group.
Key Log Fields
MemberName- Account name that was added to the groupMemberSid- SID of the added memberTargetUserName- Name of the groupTargetDomainName- Domain of the groupTargetSid- SID of the groupSubjectUserName- Account that added the memberSubjectDomainName- Domain of the adding accountSubjectLogonId- Logon ID for correlation
MITRE ATT&CK® Mapping (2)
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.(Citation: FireEye SMOKEDHAM June 2021) These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078).
An adversary may add additional local or domain groups to an adversary-controlled account to maintain persistent access to a system or domain. On Windows, accounts may use the `net localgroup` and `net group` commands to add existing users to local and domain groups.(Citation: Microsoft Net Localgroup)(Citation: Microsoft Net Group) On Linux, adversaries may use the `usermod` command for the same purpose.(Citation: Linux Usermod) For example, accounts may be added to the local administrators group on Windows devices to maintain elevated privileges. They may also be added to the Remote Desktop Users group, which allows them to leverage [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) to log into the endpoints in the future.(Citation: Microsoft RDP Logons) On Linux, accounts may be added to the sudoers group, allowing them to persistently leverage [Sudo and Sudo Caching](https://attack.mitre.org/techniques/T1548/003) for elevated privileges. In Windows environments, machine accounts may also be added to domain groups. This allows the local SYSTEM account to gain privileges on the domain.(Citation: RootDSE AD Detection 2022)
Event Comparison
Event 4728 tracks global group membership changes, while Event 4732 monitors local security groups and Event 4756 tracks universal groups. All three should be monitored together for complete coverage of group membership modifications.
What This Event Means
Event 4728 provides visibility into Active Directory group membership changes that can indicate privilege escalation attempts or persistent access establishment. When an attacker compromises credentials with sufficient privileges (typically Domain Admin or delegated permissions), adding accounts to privileged groups is a common technique to maintain elevated access and move laterally. This event records the security principal being added, the target group, and the account that performed the modification. Security teams should establish baselines of expected group membership changes and alert on modifications to highly privileged groups, especially outside normal business hours or from unusual source accounts.
Security Implications
- Attackers adding compromised accounts to Domain Admins or Enterprise Admins for persistent administrative access across the domain
- Addition to groups with delegated administrative permissions (Exchange admins, Backup Operators, Account Operators) to enable lateral movement
- Insider threats escalating their own privileges by adding personal accounts to administrative groups
- Compromised service accounts being added to groups they shouldn't belong to as a persistence mechanism
- APT groups like APT29 (Cozy Bear) and FIN6 frequently add accounts to privileged groups after initial compromise
Detection Strategies
Monitor Event 4728 for all security-enabled global groups, but prioritize high-privilege groups with dedicated alerting. Establish an allowlist of authorized accounts permitted to modify group memberships and alert on any deviations. Correlate with Event 4732 (local group membership changes) and Event 4756 (universal group changes) for comprehensive group modification visibility. Alert immediately on additions to Domain Admins, Enterprise Admins, Schema Admins, Administrators, and any custom Tier 0 administrative groups. Monitor for membership additions during off-hours, from unusual source IPs, or from recently created accounts. Track the temporal proximity between account compromise indicators and group membership changes.
Note: Comprehensive SIEM detection queries for Splunk SPL, Microsoft KQL, and Elastic Query DSL will be added in future updates.
Real-World Attack Examples
APT29 intrusions: After compromising domain credentials through credential dumping, attackers added compromised service accounts to Domain Admins for persistent enterprise-wide access
Ryuk ransomware deployment: Attackers added compromised accounts to Backup Operators and Domain Admins before encrypting backups and deploying ransomware across the network
FIN6 campaigns: Following initial access through compromised VPN credentials, attackers added accounts to local administrators group on point-of-sale systems for persistent access
Insider threat investigation: Employee added personal account to Exchange Organization Management group to access executive mailboxes before departure