Windows Security / Account Management / Enhanced Analysis

Event 4732: A member was added to a security-enabled local group.

Quick Answer

Event 4732 records when users are added to security groups, particularly critical for tracking additions to privileged groups like Domain Admins or local Administrators. Unauthorized group membership changes are key indicators of privilege escalation and persistent access.

Technical Details

Source: Windows Security

Event ID: 4732

Category: Account Management

Event Description

A member was added to a security-enabled local group.

Key Log Fields

  • MemberName - Account name that was added to the group
  • MemberSid - SID of the added member
  • TargetUserName - Name of the group (e.g., Administrators, Remote Desktop Users)
  • TargetDomainName - Domain or computer name
  • TargetSid - SID of the group (S-1-5-32-544 = Administrators)
  • SubjectUserName - Account that added the member
  • SubjectDomainName - Domain of the adding account
  • SubjectLogonId - Logon ID for correlation

MITRE ATT&CK® Mapping (2)

T1098 (persistence, privilege-escalation)
Account Manipulation

Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.(Citation: FireEye SMOKEDHAM June 2021) These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078).

T1098.007 (persistence, privilege-escalation)
Additional Local or Domain Groups

An adversary may add additional local or domain groups to an adversary-controlled account to maintain persistent access to a system or domain. On Windows, accounts may use the `net localgroup` and `net group` commands to add existing users to local and domain groups.(Citation: Microsoft Net Localgroup)(Citation: Microsoft Net Group) On Linux, adversaries may use the `usermod` command for the same purpose.(Citation: Linux Usermod) For example, accounts may be added to the local administrators group on Windows devices to maintain elevated privileges. They may also be added to the Remote Desktop Users group, which allows them to leverage [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) to log into the endpoints in the future.(Citation: Microsoft RDP Logons) On Linux, accounts may be added to the sudoers group, allowing them to persistently leverage [Sudo and Sudo Caching](https://attack.mitre.org/techniques/T1548/003) for elevated privileges. In Windows environments, machine accounts may also be added to domain groups. This allows the local SYSTEM account to gain privileges on the domain.(Citation: RootDSE AD Detection 2022)

Event Comparison

Event 4732 is for local groups. Event 4728 logs global group additions, and 4756 is for universal group changes. All three should be monitored for privileged group modifications.

What This Event Means

Event 4732 is generated whenever an account is added to a security-enabled local group on a Windows system, making it one of the most critical events for detecting privilege escalation and unauthorized access expansion. This event captures which account was added, to which group, and by whom, providing complete attribution for group membership changes.

In Active Directory environments, this event is especially important for monitoring changes to privileged groups such as Domain Admins, Enterprise Admins, Schema Admins, and Backup Operators. Threat actors who gain initial access to a network often escalate their privileges by adding compromised accounts to administrative groups, granting them broader access to systems and resources. The event is equally important in local system contexts, where attackers add accounts to the local Administrators group to maintain elevated privileges on specific machines.

Security teams should maintain a strict baseline of group memberships, particularly for high-privilege groups, and alert on any unexpected additions. In well-managed environments, privileged group membership changes should only occur through formal access request and approval workflows, so an unsolicited change should be treated as a security incident immediately. The time between initial compromise and privilege escalation via group addition can be very short, sometimes minutes, making real-time alerting on this event critical for rapid incident detection and response.

Security Implications

  • Additions to Domain Admins or Enterprise Admins groups provide attackers with complete network control
  • Local Administrator group additions on critical servers enable attackers to disable security controls and steal data
  • Backup Operators group membership can be abused to extract sensitive data through backup restoration
  • Remote Desktop Users group additions may indicate preparation for persistent remote access
  • Group membership changes during off-hours or by compromised service accounts are strong breach indicators

Detection Strategies

Implement real-time alerting for any additions to tier-0 privileged groups in your Active Directory environment. Create detection rules that fire immediately when Domain Admins, Enterprise Admins, Schema Admins, or Backup Operators groups are modified. Alert on local Administrator group changes on critical assets like domain controllers, certificate authorities, and financial systems. Correlate group membership changes with the modifying account's recent activity to verify legitimacy. Flag any group changes that occur outside approved change windows or without corresponding access request tickets. Monitor for additions of newly created accounts (4720) immediately followed by privileged group membership. Track the frequency and volume of group changes per administrator account to detect compromised admin credentials. Sample SIEM queries and correlation rules for this event will be provided in future documentation.
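The strategies above (privileged-group allow-listing by SID, off-hours flagging, and correlating a 4720 account creation with a following group addition) as a small added detection routine over constructed sample records; this is example code written for this page, not part of the original documentation or any SIEM product. The field names mirror the Key Log Fields listed above; the sample events, account names, SIDs and logon IDs are constructed, and the 08:00-18:00 change window is an assumed policy value.

```python
from datetime import datetime, timedelta

# S-1-5-32-544 (Administrators) is cited on the page; 551 and 555 are the standard builtin
# SIDs for Backup Operators and Remote Desktop Users. RIDs 512/518/519 are Domain, Schema
# and Enterprise Admins, whose additions arrive as 4728/4756 rather than 4732.
PRIVILEGED_BUILTIN_SIDS = {"S-1-5-32-544", "S-1-5-32-551", "S-1-5-32-555"}
PRIVILEGED_DOMAIN_RIDS = {"512", "518", "519"}
GROUP_ADD_EVENTS = {4732, 4728, 4756}  # local, global and universal group additions

def is_privileged_group(sid):
    """True if the TargetSid is a monitored builtin group or a tier-0 domain group."""
    return sid in PRIVILEGED_BUILTIN_SIDS or sid.rsplit("-", 1)[-1] in PRIVILEGED_DOMAIN_RIDS

def detect_group_additions(events, change_window=(8, 18), new_account_window=timedelta(minutes=10)):
    """Alert on privileged group additions; flag off-hours changes and members whose
    account was created (event 4720, TargetSid = the new account) shortly before."""
    created_at = {ev["TargetSid"]: ev["TimeCreated"] for ev in events if ev["EventID"] == 4720}
    alerts = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev["EventID"] not in GROUP_ADD_EVENTS or not is_privileged_group(ev["TargetSid"]):
            continue
        reasons = ["addition to privileged group " + ev["TargetUserName"]]
        if not change_window[0] <= ev["TimeCreated"].hour < change_window[1]:
            reasons.append("outside change window")
        age = ev["TimeCreated"] - created_at.get(ev["MemberSid"], datetime.min)
        if timedelta(0) <= age <= new_account_window:  # ignore creations after the addition
            reasons.append("member account created %d min earlier" % (age.seconds // 60))
        alerts.append({"time": ev["TimeCreated"], "actor": ev["SubjectUserName"],
                       "logon_id": ev["SubjectLogonId"], "member": ev["MemberName"],
                       "group": ev["TargetUserName"], "reasons": reasons})
    return alerts

T = datetime  # constructed sample records, not real telemetry; keys mirror the EventData fields
SAMPLE_EVENTS = [
    {"EventID": 4720, "TimeCreated": T(2024, 3, 5, 2, 41), "TargetSid": "S-1-5-21-1111-2222-3333-1105"},
    {"EventID": 4732, "TimeCreated": T(2024, 3, 5, 2, 43), "SubjectUserName": "svc_backup",
     "SubjectLogonId": "0x3e7a1", "MemberName": "CORP\\support2", "MemberSid": "S-1-5-21-1111-2222-3333-1105",
     "TargetUserName": "Administrators", "TargetSid": "S-1-5-32-544"},
    {"EventID": 4732, "TimeCreated": T(2024, 3, 5, 10, 15), "SubjectUserName": "helpdesk1",
     "SubjectLogonId": "0x5b2c0", "MemberName": "CORP\\jdoe", "MemberSid": "S-1-5-21-1111-2222-3333-1201",
     "TargetUserName": "Print Operators", "TargetSid": "S-1-5-32-550"},
    {"EventID": 4728, "TimeCreated": T(2024, 3, 5, 11, 0), "SubjectUserName": "adm_ops",
     "SubjectLogonId": "0x71f00", "MemberName": "CORP\\jdoe", "MemberSid": "S-1-5-21-1111-2222-3333-1201",
     "TargetUserName": "Domain Admins", "TargetSid": "S-1-5-21-1111-2222-3333-512"},
]

if __name__ == "__main__":
    for a in detect_group_additions(SAMPLE_EVENTS):
        print(a["time"], a["actor"], "->", a["member"], a["group"], "|", "; ".join(a["reasons"]))
```

The Print Operators addition is deliberately left out of the monitored set so that the output shows only the two alerts a tier-0 rule would raise; extend the SID sets to match your own group baseline.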

Note: Comprehensive SIEM detection queries for Splunk SPL, Microsoft KQL, and Elastic Query DSL will be added in future updates.

Real-World Attack Examples

  • SolarWinds attackers added compromised accounts to privileged groups to escalate access across victim networks
  • Black Basta ransomware operators add compromised domain accounts to the Domain Admins group before deploying ransomware
  • LAPSUS$ extortion group notoriously abused privileged group additions after social engineering initial access
