EventPeeker

Event ID 4728 / 4732 — User Added to Privileged Group

Event ID 4728 is logged when a member is added to a security-enabled global group, such as Domain Admins. Event ID 4732 covers security-enabled local groups, such as the built-in Administrators group on a server, workstation, or domain controller. Universal groups, which include Enterprise Admins and Schema Admins in a default forest, log Event ID 4756 instead, so an alert that only watches 4728/4732 will miss changes to two of the most sensitive groups. Changes to domain groups are recorded on the domain controller that processed the change; changes to a machine's local groups are recorded on that machine. All three events require the Security Group Management audit subcategory to be enabled for success. Unauthorized additions to privileged groups are a critical indicator of privilege escalation.

MITRE ATT&CK

Technique

T1098 · Account Manipulation

Tactic

Persistence, Privilege Escalation


Security Relevance

Adding an account to Domain Admins or Enterprise Admins hands it effective control of the entire domain or forest: every domain controller, every credential stored in the directory, and every Group Policy. Adding it to a host's local Administrators group gives it full control of that host, which is usually enough to harvest the credentials of anyone else who logs on there. Attackers who gain a foothold use this technique to escalate privileges, establish persistence, and move laterally across the domain. It is one of the most impactful actions an attacker can take in an Active Directory environment, and also one of the noisiest, which is why these events deserve a dedicated alert.

Example Log Entry

Log Name: Security
Source:    Microsoft-Windows-Security-Auditing
Event ID:  4728
Level:     Information

A member was added to a security-enabled global group.

Subject:
  Security ID:    CORP\Administrator
  Account Name:   Administrator
  Account Domain: CORP
  Logon ID:       0x1A5B3C

Member:
  Security ID:    CORP\svc-backup
  Account Name:   CN=svc-backup,CN=Users,DC=corp,DC=local

Group:
  Security ID:    CORP\Domain Admins
  Group Name:     Domain Admins
  Group Domain:   CORP

Additional Information:
  Privileges:     -

Note the three principals in this one record: the Subject is who made the change (its Logon ID joins to the 4624 event for that session), the Member is who was added (reported by SID and distinguished name), and the Group is the target. Logon ID 0x3E7 in the Subject block means the change was made by the SYSTEM account on the logging machine rather than by an interactive administrator, which is itself worth a second look.

Investigation Steps

  1. Identify which group the account was added to. Domain Admins, Enterprise Admins, and Schema Admins are the highest risk; local Administrators on a domain controller is equivalent.
  2. Identify the account that was added (the Member fields). Is it a known employee account, a service account, or a newly created account? Service accounts rarely need tier-0 membership.
  3. Check who performed the action (the Subject fields). Was it an authorized admin, and was the Subject logon session itself expected? The Logon ID can be joined to the matching 4624 event to see where and how that session started.
  4. Look for Event ID 4720 shortly before, with a Target SID equal to the Member SID of this event. The attacker may have created the account and then added it to the group within seconds.
  5. Check whether this change was part of an approved change request.
  6. Review the timeline. Group changes during an incident, outside business hours, or shortly after credential attacks (password spraying, Kerberoasting, DCSync attempts) are highly suspicious.
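The steps above can be run as one query against the Security log. The script below is an added example and is not EventPeeker's code: it pulls privileged-group additions (4728, 4732 and 4756), matches each added member's SID against recent 4720 events for step 4, and flags off-hours changes for step 6. It assumes it runs elevated on a domain controller (add -ComputerName to Get-WinEvent for a remote one); the group list, the 30-day look-back, the 180-second "created then added" window and the 07:00-19:00 business window are illustrative values, not anything the page prescribes.

```powershell
# Added example, not EventPeeker's code. Assumes an elevated session on a domain controller.
# Group list, look-back, create window and business hours below are assumptions for illustration.

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$LookBackDays     = 30
$CreateWindowSec  = 180
$Since            = (Get-Date).AddDays(-$LookBackDays)

# Pull one named field out of an event's XML payload (EventData/Data[@Name=...]).
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 4728 = global group, 4732 = local group, 4756 = universal group (Enterprise Admins, Schema Admins).
$adds = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = $Since } `
                     -ErrorAction SilentlyContinue

# Step 4: index 4720 (account created) by the new account's SID so each add can be matched on MemberSid.
$createdAt = @{}
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object { $createdAt[(Get-EventField $_ 'TargetSid')] = $_.TimeCreated }

$report = foreach ($e in $adds) {
    $group = Get-EventField $e 'TargetUserName'            # in these events the "target" is the group
    if ($PrivilegedGroups -notcontains $group) { continue } # Step 1: only tier-0 groups

    $memberSid  = Get-EventField $e 'MemberSid'
    $memberName = Get-EventField $e 'MemberName'            # Step 2: DN of the added principal
    $subject    = '{0}\{1}' -f (Get-EventField $e 'SubjectDomainName'), (Get-EventField $e 'SubjectUserName')  # Step 3

    # Step 4: was the member created shortly before it was added?
    $createdBefore = $false
    if ($createdAt.ContainsKey($memberSid)) {
        $delta = ($e.TimeCreated - $createdAt[$memberSid]).TotalSeconds
        $createdBefore = ($delta -ge 0 -and $delta -le $CreateWindowSec)
    }

    # Step 6: outside business hours or on a weekend.
    $t = $e.TimeCreated
    $offHours = ($t.Hour -lt 7 -or $t.Hour -ge 19 -or
                 $t.DayOfWeek -in @([DayOfWeek]::Saturday, [DayOfWeek]::Sunday))

    [pscustomobject]@{
        Time          = $t
        EventId       = $e.Id
        Group         = $group
        Member        = $memberName
        MemberSid     = $memberSid
        Subject       = $subject
        SubjectLogon  = Get-EventField $e 'SubjectLogonId'  # join to 4624 to see how the subject logged on
        CreatedBefore = $createdBefore
        OffHours      = $offHours
        # Step 5 (change record) and "is this account expected" stay with the analyst.
        Severity      = $(if ($createdBefore -or $offHours) { 'High' } else { 'Review' })
    }
}

$report | Sort-Object Time -Descending | Format-Table -AutoSize
```

Matching on SID rather than name is deliberate: the 4728 Member field carries a distinguished name while 4720 carries a SAM account name, and an attacker can rename an account between the two events, but the SID does not change.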


Remediation

  • Remove the unauthorized account from the group immediately, then treat it as compromised: reset its password and review its 4624 and 4672 events for what it did while it held the membership.
  • Reset the credentials of the account that performed the group change (the Subject), since an attacker had to hold them to make the change.
  • Audit all current members of Domain Admins, Enterprise Admins, Schema Admins, and local Administrators against an approved list, including members inherited through nested groups.
  • Enable alerting on 4728, 4732, and 4756 for all privileged groups. Any change should trigger immediate review; confirm the Security Group Management audit subcategory is enabled on every domain controller so the events are actually produced.
  • Implement a tiered admin model so that only tier-0 accounts, used only from hardened admin workstations, can modify privileged group memberships.
  • Put tier-0 admin accounts in the Protected Users security group. It does not stop every form of credential theft, but it blocks NTLM, RC4 and DES Kerberos, delegation, and cached credentials for those accounts, which removes the most common ways their secrets are harvested.
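The membership audit, the Protected Users check, the audit-policy check, and the containment commands from the list above fit in one script. The one below is an added example and is not EventPeeker's code. It assumes the ActiveDirectory module, rights to read and change these groups, and that it runs in the forest root domain (where Enterprise Admins and Schema Admins live); the baseline membership is a placeholder to replace with your approved list. Nothing changes unless -Remediate is passed, and even then the destructive cmdlets carry -WhatIf until you remove it.

```powershell
# Added example, not EventPeeker's code. Assumes the ActiveDirectory module and tier-0 rights.
# The $Baseline names are placeholders for illustration, not a real approved list.
param([switch]$Remediate)
Import-Module ActiveDirectory

$Baseline = @{
    'Domain Admins'     = @('Administrator', 'adm-alice')
    'Enterprise Admins' = @('Administrator')
    'Schema Admins'     = @()                               # should be empty outside a schema-change window
    'Administrators'    = @('Administrator', 'adm-alice')   # the domain's Builtin\Administrators
}

# Flatten nested membership (-Recursive) and report every user not on the approved list.
function Get-PrivilegedGroupDrift {
    param([hashtable]$Approved)
    foreach ($group in $Approved.Keys) {
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' -and $Approved[$group] -notcontains $_.SamAccountName } |
            ForEach-Object {
                [pscustomobject]@{ Group = $group; Member = $_.SamAccountName; Sid = $_.SID.Value; DN = $_.distinguishedName }
            }
    }
}

# Approved tier-0 accounts that are not yet in Protected Users.
function Get-UnprotectedAdmins {
    param([hashtable]$Approved)
    $protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive | Select-Object -ExpandProperty SamAccountName)
    $Approved.Values | ForEach-Object { $_ } | Sort-Object -Unique | Where-Object { $protected -notcontains $_ }
}

$drift = @(Get-PrivilegedGroupDrift -Approved $Baseline)
Write-Output "Unapproved tier-0 members: $($drift.Count)"
$drift | Format-Table -AutoSize

Write-Output "Approved admins missing from Protected Users:"
Get-UnprotectedAdmins -Approved $Baseline

# Confirm the subcategory that produces 4728/4732/4756 is actually being audited on this DC.
auditpol /get /subcategory:"Security Group Management"

if ($Remediate) {
    foreach ($d in $drift) {
        # 1. Pull the account out of the group (drop -WhatIf once the change is approved).
        Remove-ADGroupMember -Identity $d.Group -Members $d.Sid -Confirm:$false -WhatIf
        # 2. Treat the account as compromised: a password reset invalidates any stolen hash or
        #    ticket for it. Reset the Subject of the 4728/4732/4756 event the same way.
        Set-ADAccountPassword -Identity $d.Sid -Reset `
            -NewPassword (Read-Host "New password for $($d.Member)" -AsSecureString) -WhatIf
    }
}
```

Run it without -Remediate first and reconcile every drift entry with the matching 4728/4732/4756 event and a change record before removing anyone; an unexpected member that turns out to be a legitimate emergency change is a process problem, not an incident, and the baseline should be updated rather than the account removed.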

Related Event IDs

4720 — User account created; attacker may create an account and then immediately escalate it
4756 — Member added to a security-enabled universal group; this is the event for Enterprise Admins and Schema Admins, not 4728
4672 — Special privileges assigned to a new logon; confirms the new member has used its elevated access
4624 — Successful logon; check whether the newly added account has logged on, and join the Subject Logon ID to see how the actor's own session started
4729 — Member removed from a security-enabled global group; an attacker may clean up after themselves
4733 — Member removed from a security-enabled local group; the local-group equivalent of 4729
