Event 4756: A member was added to a security-enabled universal group.
Quick Answer
Event 4756 is generated when a member is added to a security-enabled universal group in Active Directory. This event is critical for detecting privilege escalation in multi-domain forests where universal groups span domain boundaries, and for monitoring sensitive cross-domain administrative group memberships that enable enterprise-wide access.
Technical Details
Event ID: 4756
Windows Security- Account Management
Event Description
A member was added to a security-enabled universal group.
Key Log Fields
MemberName- Account name that was added to the groupMemberSid- SID of the added memberTargetUserName- Name of the universal groupTargetDomainName- Domain of the groupTargetSid- SID of the groupSubjectUserName- Account that added the memberSubjectDomainName- Domain of the adding accountSubjectLogonId- Logon ID for correlation
MITRE ATT&CK® Mapping (2)
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.(Citation: FireEye SMOKEDHAM June 2021) These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078).
An adversary may add additional local or domain groups to an adversary-controlled account to maintain persistent access to a system or domain. On Windows, accounts may use the `net localgroup` and `net group` commands to add existing users to local and domain groups.(Citation: Microsoft Net Localgroup)(Citation: Microsoft Net Group) On Linux, adversaries may use the `usermod` command for the same purpose.(Citation: Linux Usermod) For example, accounts may be added to the local administrators group on Windows devices to maintain elevated privileges. They may also be added to the Remote Desktop Users group, which allows them to leverage [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) to log into the endpoints in the future.(Citation: Microsoft RDP Logons) On Linux, accounts may be added to the sudoers group, allowing them to persistently leverage [Sudo and Sudo Caching](https://attack.mitre.org/techniques/T1548/003) for elevated privileges. In Windows environments, machine accounts may also be added to domain groups. This allows the local SYSTEM account to gain privileges on the domain.(Citation: RootDSE AD Detection 2022)
Event Comparison
Event 4756 tracks universal group membership additions, Event 4728 monitors global groups, and Event 4732 tracks local groups. In multi-domain forests, universal groups (Event 4756) pose higher risk due to cross-domain scope and should receive heightened monitoring.
What This Event Means
Event 4756 monitors universal group membership changes in Active Directory environments, which is important for detecting privilege escalation that crosses domain boundaries. Universal groups have membership and access permissions that span all domains in an Active Directory forest, making them valuable targets for attackers seeking enterprise-wide access. While domain local and global groups are restricted to single domain scopes, universal groups enable centralized administration of permissions across the entire forest. Attackers who compromise credentials with permissions to modify universal group memberships can grant themselves access to resources across all domains. This event records the security principal being added, the target universal group, and the account performing the modification. Security teams should monitor modifications to privileged universal groups including Schema Admins, Enterprise Admins, and any custom universal groups with administrative permissions.
Security Implications
- Enterprise-wide privilege escalation through addition to Enterprise Admins or Schema Admins universal groups
- Cross-domain lateral movement enabled by universal group memberships granting access to resources in multiple domains
- Persistent access mechanisms where attackers add compromised accounts to universal groups for forest-wide administrative rights
- Synchronized group membership abuse in Exchange environments where universal groups control mailbox access across domains
- APT campaigns targeting multi-domain enterprises frequently abuse universal groups for scalable access across the forest
Detection Strategies
Monitor Event 4756 for all security-enabled universal groups, especially Enterprise Admins, Schema Admins, and any custom privileged universal groups. Establish an allowlist of authorized accounts permitted to modify universal group memberships and alert on deviations. Correlate Event 4756 with Event 4728 (global group changes) and Event 4732 (local group changes) for comprehensive group modification visibility. Alert immediately on additions to high-privilege universal groups regardless of source. Monitor for membership additions during off-hours, from unusual source IPs, or from recently compromised accounts. Track the time between account compromise indicators and universal group membership modifications to detect rapid privilege escalation. Monitor service accounts and application accounts for any universal group memberships, as these should rarely belong to administrative groups.
Note: Comprehensive SIEM detection queries for Splunk SPL, Microsoft KQL, and Elastic Query DSL will be added in future updates.
Real-World Attack Examples
Multi-domain APT compromise: After gaining domain admin in child domain, attackers added compromised account to Enterprise Admins universal group for access to parent domain and all child domains
Exchange compromise: Attackers added account to Organization Management universal group granting administrative control over all Exchange servers and mailboxes across multi-domain forest
Schema modification attack: Attackers added compromised service account to Schema Admins universal group before modifying Active Directory schema to create hidden administrative backdoor accounts
Cross-domain ransomware: Following initial compromise in subsidiary domain, attackers added account to universal group with access to file shares across parent and peer domains before deploying encryption