EventPeeker
Event ID 4728 · Audit Success · Security · T1098

Windows Event ID 4728: Member Added to Global Security Group

Logged when an account is added to an Active Directory global security group — including the most sensitive groups in the domain: Domain Admins, Enterprise Admins, Schema Admins, and Group Policy Creator Owners. Because global groups are domain-wide, membership changes here have immediate impact across every domain-joined system.

MITRE ATT&CK

Technique

T1098 · Account Manipulation

Tactic

Persistence

View on attack.mitre.org →

Why It Matters

Unauthorized addition to Domain Admins is one of the highest-severity events in Active Directory. Domain Admins have unrestricted access to every domain-joined system, can reset any password, replicate the domain database (DCSync), and modify Group Policy. Attackers add accounts to Domain Admins immediately after compromise to establish persistence that survives password resets on the original attack vector. The pattern 4720 (account created) + 4728 (added to Domain Admins) within seconds is a near-definitive backdoor account IOC — the new account retains elevated access even if the original compromised account is disabled.

Key Fields

Group Name: The target group. Tier 1 — alert immediately: Domain Admins, Enterprise Admins, Schema Admins, Group Policy Creator Owners, BUILTIN\Administrators. Tier 2 — investigate promptly: DNSAdmins (members can load an arbitrary DLL on the DC via the DNS service, granting SYSTEM code execution), any custom privileged group
Member Account Name: The account being added — a newly created account (verify against 4720) or a low-privilege service account being elevated is especially suspicious
Subject Account Name: The account that performed the addition — should be a known identity management admin. An unexpected actor here is as important a signal as the change itself
Subject Logon ID: Links to the 4624 session that made the change — check logon type and source IP to establish whether the session was legitimate or post-compromise
Group Domain: Domain of the modified group — cross-domain changes involving forest trusts are particularly high risk

Investigation Tips

  1. Alert on any addition to Domain Admins, Enterprise Admins, Schema Admins, or Group Policy Creator Owners — these changes are rare in most environments and should always be validated against a change management ticket.
  2. Backdoor account IOC: 4720 (account created) + 4728 targeting Domain Admins within 60 seconds, both sharing the same Subject Account Name. This sequence is the attacker establishing durable persistence — the new account retains elevated access even after the original compromise is remediated.
  3. DNSAdmins is critically underrated: members can instruct the DC's DNS service to load an arbitrary DLL (via dnscmd.exe /config /serverlevelplugindll), granting SYSTEM code execution on the domain controller. Alert on DNSAdmins additions with Domain Admins-level urgency.
  4. Validate the Subject Account Name performing the addition — it should be a known directory admin, not a service account, workstation account, or standard user. Correlate the Subject Logon ID with 4624 to check the source IP and logon type.
  5. Timing is a signal: additions at 2–5 AM, or immediately following a 4625 brute-force spike and 4624 success, are high-confidence attacker activity. Legitimate AD group management rarely occurs outside business hours without a change ticket.
  6. After any suspicious 4728, check 4624 for the newly added account — if it logs on within seconds or minutes, the attacker is actively exploiting the elevated access.

Detection Logic (KQL)

Microsoft Sentinel (KQL) — alert on privileged group additions and the backdoor account creation IOC (4720+4728 within 60 seconds from the same actor).

// Alert on additions to Tier 1 privileged groups
// Note: `in` is case-sensitive, so group names must match the directory exactly
// (the built-in DNS admins group is spelled "DnsAdmins"); use `in~` for a
// case-insensitive match.
SecurityEvent
| where EventID == 4728
| where TargetUserName in ("Domain Admins", "Enterprise Admins", "Schema Admins",
    "Group Policy Creator Owners", "DnsAdmins")
| project TimeGenerated, SubjectAccount, MemberName, TargetUserName, Computer
| sort by TimeGenerated desc

// Backdoor account IOC: 4720 + 4728 within 60 seconds (same Subject)
// Computer must be carried through the projection or the final project fails.
let newAccounts = SecurityEvent
| where EventID == 4720
| project CreateTime=TimeGenerated, SubjectAccount, NewAccount=TargetAccount, Computer;
let groupAdds = SecurityEvent
| where EventID == 4728
| where TargetUserName has_any ("Domain Admins", "Enterprise Admins")
| project AddTime=TimeGenerated, SubjectAccount, AddedAccount=MemberName;
newAccounts
| join kind=inner groupAdds on SubjectAccount
| where abs(datetime_diff('second', AddTime, CreateTime)) <= 60
| project CreateTime, AddTime, SubjectAccount, NewAccount, AddedAccount, Computer
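The same correlation as Investigation Tips 2 and 6 and the KQL above, written as an added Python example (not EventPeeker's code): it tiers the group from a 4728, flags the 4720→4728 backdoor IOC by the same actor within 60 seconds, and flags a 4624 by the new member right after the change. The event records, their field names and the sample data are constructed for this example.

```python
from datetime import datetime

# Group names from this page, lower-cased so the match is case-insensitive
# (the built-in DNS admins group is spelled "DnsAdmins").
TIER1 = {"domain admins", "enterprise admins", "schema admins",
         "group policy creator owners", "administrators"}
TIER2 = {"dnsadmins"}

def group_tier(group):
    g = group.lower()
    return 1 if g in TIER1 else 2 if g in TIER2 else 0

def sam(account):
    """'CORP\\user' or 'CN=user,CN=Users,DC=...' -> lower-case username."""
    if account.upper().startswith("CN="):
        return account.split(",")[0][3:].lower()
    return account.rsplit("\\", 1)[-1].lower()

def seconds_between(later, earlier):
    return (datetime.fromisoformat(later) - datetime.fromisoformat(earlier)).total_seconds()

def find_alerts(events, window=60):
    """One alert per 4728 into a tiered group, flagged with the 4720->4728
    backdoor IOC and any 4624 by the new member within `window` seconds."""
    created = [e for e in events if e["id"] == 4720]
    logons = [e for e in events if e["id"] == 4624]
    alerts = []
    for e in (x for x in events if x["id"] == 4728 and group_tier(x["target"])):
        who = sam(e["member"])
        a = {"time": e["time"], "group": e["target"], "member": who,
             "subject": e["subject"], "tier": group_tier(e["target"]), "flags": []}
        # Backdoor IOC: the same actor created this very account just before adding it
        if any(c["subject"] == e["subject"] and sam(c["target"]) == who
               and 0 <= seconds_between(e["time"], c["time"]) <= window for c in created):
            a["flags"].append("backdoor_account")
        # The newly privileged account was used right after the change
        if any(sam(l["target"]) == who
               and 0 <= seconds_between(l["time"], e["time"]) <= window for l in logons):
            a["flags"].append("immediate_logon")
        alerts.append(a)
    return alerts

# Constructed sample events (not real log data). For 4720 target is the created
# account; for 4728 target is the group and member the added DN; for 4624 target
# is the account that logged on.
SAMPLE = [
    {"time": "2024-05-01T02:13:05", "id": 4720, "subject": "CORP\\jdoe", "target": "CORP\\svc-bkp2", "member": None},
    {"time": "2024-05-01T02:13:31", "id": 4728, "subject": "CORP\\jdoe", "target": "Domain Admins", "member": "CN=svc-bkp2,CN=Users,DC=corp,DC=local"},
    {"time": "2024-05-01T02:14:02", "id": 4624, "subject": "-", "target": "CORP\\svc-bkp2", "member": None},
    {"time": "2024-05-01T10:20:00", "id": 4728, "subject": "CORP\\it-admin", "target": "DnsAdmins", "member": "CN=dnsop,CN=Users,DC=corp,DC=local"},
    {"time": "2024-05-01T10:25:00", "id": 4728, "subject": "CORP\\it-admin", "target": "Helpdesk", "member": "CN=bob,CN=Users,DC=corp,DC=local"},
]
```

Run `find_alerts(SAMPLE)` to get two alerts: the Domain Admins addition carrying both flags, and the DnsAdmins addition (Tier 2) with none; the Helpdesk change is ignored.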

Related Event IDs

4720: New account created — 4720 + 4728 within seconds = backdoor account IOC
4732: Member added to local Administrators — local escalation companion
4756: Member added to universal security group — cross-domain privileged group changes
4672: Special privileges at logon — confirms the added account exercised elevated rights
4624: Successful logon — check for immediate logon by the newly privileged account
