Event ID 4728 / 4732 — User Added to Privileged Group
Event ID 4728 is logged when a user is added to a global security group (such as Domain Admins). Event ID 4732 covers local security groups (such as the local Administrators group). Unauthorized additions to privileged groups are a critical indicator of privilege escalation.
MITRE ATT&CK
T1098 · Account Manipulation
Persistence
Security Relevance
Adding an account to Domain Admins, Enterprise Admins, or local Administrators instantly grants that account the highest level of access on your network. Attackers who gain a foothold use this technique to escalate privileges, establish persistence, and move laterally across the domain. This is one of the most impactful actions an attacker can take in an Active Directory environment.
Example Log Entry
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Event ID: 4728
Level: Information
A member was added to a security-enabled global group.
Subject:
  Security ID: CORP\Administrator
  Account Name: Administrator
  Account Domain: CORP
  Logon ID: 0x3E7
Member:
  Security ID: CORP\svc-backup
  Account Name: CN=svc-backup,CN=Users,DC=corp,DC=local
Group:
  Security ID: CORP\Domain Admins
  Group Name: Domain Admins
  Group Domain: CORP
Investigation Steps
- 1. Identify which group the account was added to — Domain Admins and Enterprise Admins are the highest risk.
- 2. Identify the account that was added — is it a known employee account, a service account, or a newly created account?
- 3. Check who performed the action (Subject) — was it an authorized admin or an unexpected account?
- 4. Look for Event ID 4720 immediately before — the attacker may have created the account and then added it to the group.
- 5. Check whether this change was part of an approved change request.
- 6. Review the timeline — group changes during incidents, off-hours, or after credential attacks are highly suspicious.
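The investigation steps above can be applied mechanically to a batch of exported events. The following Python script is an added example and is not code from the original page or the EventPeeker product: it parses the Subject, Member and Group fields out of 4728/4732 message text in the layout shown in the example entry, flags additions to privileged groups (step 1), reports who was added and by whom (steps 2 and 3), correlates each addition with a preceding 4720 for the same account (step 4), and marks off-hours timing (step 6). The 10-minute correlation window, the 07:00-19:00 weekday business window, and every event record in the script are assumptions or constructed sample data.

```python
"""Triage helper for Security events 4728 / 4732 (member added to a group).

Added example; not code from the original page or the EventPeeker product.
It parses rendered event message text, flags additions to privileged groups,
and applies investigation steps 1-4 and 6. The correlation window and the
business-hours values are assumptions; all event records are constructed.
"""
import re
from datetime import datetime, timedelta

# Groups whose membership changes should always be reviewed (step 1).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Constructed sample records: (timestamp, event id, rendered message text).
SAMPLE_EVENTS = [
    (datetime(2024, 5, 3, 2, 41), 4720,
     "A user account was created. Subject: Security ID: CORP\\Administrator "
     "Account Name: Administrator Account Domain: CORP Logon ID: 0x3E7 "
     "New Account: Security ID: CORP\\svc-backup Account Name: svc-backup Account Domain: CORP"),
    (datetime(2024, 5, 3, 2, 43), 4728,
     "A member was added to a security-enabled global group. Subject: Security ID: CORP\\Administrator "
     "Account Name: Administrator Account Domain: CORP Logon ID: 0x3E7 "
     "Member: Security ID: CORP\\svc-backup Account Name: CN=svc-backup,CN=Users,DC=corp,DC=local "
     "Group: Security ID: CORP\\Domain Admins Group Name: Domain Admins Group Domain: CORP"),
    (datetime(2024, 5, 3, 10, 15), 4732,
     "A member was added to a security-enabled local group. Subject: Security ID: CORP\\jdoe "
     "Account Name: jdoe Account Domain: CORP Logon ID: 0x5A21F "
     "Member: Security ID: CORP\\helpdesk Account Name: CN=helpdesk,CN=Users,DC=corp,DC=local "
     "Group: Security ID: BUILTIN\\Remote Desktop Users Group Name: Remote Desktop Users Group Domain: Builtin"),
]


def _field(pattern, message):
    """Return the first capture of `pattern`; re.S tolerates the tabs and newlines real event text carries."""
    match = re.search(pattern, message, re.S)
    if not match:
        raise ValueError(f"field not found: {pattern}")
    return match.group(1)


def parse_group_change(message):
    """Extract Subject account, added member SID and group name from a 4728/4732 message (steps 1-3)."""
    return {
        "subject": _field(r"Subject:.*?Account Name:\s*(\S+)", message),
        "member": _field(r"Member:\s*Security ID:\s*(\S+)", message),
        "group": _field(r"Group Name:\s*(.+?)\s*Group Domain:", message),
    }


def parse_account_created(message):
    """Extract the Subject and the new account SID from a 4720 message (step 4)."""
    return {
        "subject": _field(r"Subject:.*?Account Name:\s*(\S+)", message),
        "new_account": _field(r"New Account:\s*Security ID:\s*(\S+)", message),
    }


def is_off_hours(ts, start_hour=7, end_hour=19):
    """Assumed business window: weekdays 07:00-19:00; anything else counts as off-hours (step 6)."""
    return ts.weekday() >= 5 or ts.hour < start_hour or ts.hour >= end_hour


def triage(events, window=timedelta(minutes=10)):
    """Return one finding per 4728/4732 with risk flags; `window` is the assumed max gap between 4720 and the add."""
    created = [(ts, parse_account_created(msg)) for ts, eid, msg in events if eid == 4720]
    findings = []
    for ts, eid, msg in sorted(events, key=lambda e: e[0]):
        if eid not in (4728, 4732):
            continue
        finding = parse_group_change(msg)
        finding.update(event_id=eid, time=ts.isoformat(), flags=[])
        if finding["group"] in PRIVILEGED_GROUPS:
            finding["flags"].append("privileged_group")
        # Step 4: the same account was created shortly before it was added.
        if any(c["new_account"] == finding["member"] and timedelta(0) <= ts - cts <= window
               for cts, c in created):
            finding["flags"].append("created_then_added")
        if is_off_hours(ts):
            finding["flags"].append("off_hours")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['time']} {f['event_id']} {f['subject']} added {f['member']} to {f['group']}: "
              f"{', '.join(f['flags']) or 'no flags'}")
```

On the constructed data the Domain Admins addition comes back with all three flags (privileged group, created two minutes earlier by the same Subject, 02:43 on a weekday), while the helpdesk addition to Remote Desktop Users carries none; a real deployment would feed the same functions from an EVTX export and treat step 5 (change-request lookup) as a separate enrichment.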
What To Do Next — Contain It Now
Confirmed the activity is malicious? Take these containment actions immediately — before deeper forensics or hardening.
- 1. If the addition is unauthorized, reverse it immediately — remove the account from the privileged group (undo the 4728/4732).
- 2. Disable the added account and reset its password; also reset the password of the Subject account that performed the change — that account is the likely-compromised one that granted the access.
- 3. Revoke active sessions and Kerberos tickets for both accounts so any access already granted is cut off, not just blocked going forward.
- 4. Review what the added account did while privileged — logons, file/share access, new services (7045) or scheduled tasks (4698) — and contain those actions too.
- 5. Audit the full membership of Domain Admins, Enterprise Admins, and local Administrators for any other unexpected members — attackers commonly add more than one.
- 6. Preserve the Security log and watch for a following Event 1102 (log cleared) before making further changes.
Remediation
- ✓ Audit all current members of Domain Admins, Enterprise Admins, Schema Admins, and local Administrators on a recurring schedule, not just during incidents.
- ✓ Enable alerting on 4728/4732 for all privileged groups — any change should trigger immediate review.
- ✓ Implement a tiered admin model — limit who can modify privileged group memberships.
- ✓ Use the Protected Users security group for all tier-0 admin accounts to prevent credential theft.
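Both the containment step that audits the full membership of the privileged groups for other unexpected members and the first remediation item (a recurring audit) need the same check: compare effective membership against an approved list. The Python script below is an added example, not code from the original page or the EventPeeker product. Its group-to-members map is constructed to resemble an export from Active Directory (for instance from Get-ADGroupMember or an LDAP query), and the approved baseline is a hypothetical allowlist. It expands nested groups so that a user tucked two levels inside Domain Admins, or reaching local Administrators through Domain Admins, is still reported with the path it came through, and it tolerates membership cycles.

```python
"""Recurring audit of privileged group membership against an approved baseline.

Added example; not code from the original page or the EventPeeker product.
MEMBERSHIP is a constructed export (group -> direct members); BASELINE is a
hypothetical allowlist of approved effective members per privileged group.
"""

PRIVILEGED_GROUPS = ("Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators")

# Constructed export: group name -> direct members as "DOMAIN\\name". A member
# whose short name is itself a key is treated as a nested group (a real export
# would carry objectClass and should use it instead of this name test).
MEMBERSHIP = {
    "Domain Admins": ["CORP\\Administrator", "CORP\\alice", "CORP\\Tier0-Ops", "CORP\\svc-backup"],
    "Tier0-Ops": ["CORP\\Helpdesk-Leads"],
    "Helpdesk-Leads": ["CORP\\bob", "CORP\\Tier0-Ops"],   # Tier0-Ops <-> Helpdesk-Leads is a cycle
    "Enterprise Admins": ["CORP\\Administrator"],
    "Schema Admins": [],
    "Administrators": ["CORP\\Administrator", "CORP\\Domain Admins"],
}

# Constructed allowlist of approved effective members per privileged group.
BASELINE = {
    "Domain Admins": {"CORP\\Administrator", "CORP\\alice"},
    "Enterprise Admins": {"CORP\\Administrator"},
    "Schema Admins": set(),
    "Administrators": {"CORP\\Administrator", "CORP\\alice"},
}


def effective_members(group, membership):
    """Return {user: nesting path} for every user transitively inside `group`."""
    found = {}

    def walk(name, path, seen):
        for member in membership.get(name, []):
            short = member.split("\\", 1)[-1]
            if short in membership:            # nested group: descend
                if short not in seen:          # skip cycles such as A -> B -> A
                    walk(short, path + [short], seen | {short})
            else:                              # user: record the first path that reached it
                found.setdefault(member, " > ".join(path))

    walk(group, [group], {group})
    return found


def audit(membership, baseline, groups=PRIVILEGED_GROUPS):
    """Return {group: {user: path}} for effective members that are not on the approved baseline."""
    report = {}
    for group in groups:
        unexpected = {user: path
                      for user, path in effective_members(group, membership).items()
                      if user not in baseline.get(group, set())}
        if unexpected:
            report[group] = unexpected
    return report


if __name__ == "__main__":
    for group, members in audit(MEMBERSHIP, BASELINE).items():
        for user, path in members.items():
            print(f"UNEXPECTED in {group}: {user} (via {path})")
```

Run on the constructed data, the audit reports svc-backup as a direct Domain Admins member and bob as reaching both Domain Admins and local Administrators through the nested Tier0-Ops and Helpdesk-Leads groups; a flat, non-recursive listing of Domain Admins would have missed bob entirely, which is why the remediation item calls for auditing membership rather than only watching for new 4728/4732 events.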