EventPeeker
Event ID 4728 · Audit Success · Security · T1098

Windows Event ID 4728: Member Added to Global Security Group

Logged when an account is added to a security-enabled global group in Active Directory (the event's own name is "A member was added to a security-enabled global group"). Domain Admins and Group Policy Creator Owners are global groups, so their membership changes land here. Watch the scope caveat: Enterprise Admins and Schema Admins are universal groups in a native-mode forest and are recorded under 4756, and domain local groups such as BUILTIN\Administrators and DnsAdmins are recorded under 4732. Because Domain Admins members are local administrators on every domain-joined system by default, membership changes here have immediate impact across the whole domain.

MITRE ATT&CK

Technique

T1098 · Account Manipulation

Tactic

Persistence

View on attack.mitre.org →

Why It Matters

Unauthorized addition to Domain Admins is one of the highest-severity events in Active Directory. Domain Admins have unrestricted access to every domain-joined system, can reset any password, replicate the domain database (DCSync), and modify Group Policy. Attackers add accounts to Domain Admins immediately after compromise to establish persistence that survives password resets on the original attack vector. The pattern 4720 (account created) + 4728 (added to Domain Admins) within seconds is a near-definitive backdoor account IOC — the new account retains elevated access even if the original compromised account is disabled.

Key Fields

Group Name: The target group. Tier 1, alert immediately: Domain Admins and Group Policy Creator Owners (global groups, seen in 4728); Enterprise Admins and Schema Admins (universal groups in native-mode forests, seen in 4756); BUILTIN\Administrators (domain local, seen in 4732). Tier 2, investigate promptly: DnsAdmins (domain local, seen in 4732; members can have the DC's DNS service load an arbitrary DLL, granting SYSTEM code execution), and any custom privileged group.
Member Account Name: The account being added. In this event it is the member's distinguished name (CN=...,OU=...,DC=...), not a sAMAccountName, so correlate with 4720 on the Member Security ID rather than on the name. A newly created account (verify against 4720) or a low-privilege service account being elevated is especially suspicious.
Subject Account Name: The account that performed the addition; it should be a known identity management admin. An unexpected actor here is as important a signal as the change itself.
Subject Logon ID: Links to the 4624 session that made the change. Check the logon type and source IP to establish whether the session was legitimate or post-compromise.
Group Domain: Domain of the modified group. Cross-domain changes involving forest trusts are particularly high risk.

Investigation Tips

  1. Alert on any addition to Domain Admins or Group Policy Creator Owners, and on the 4756 equivalents for Enterprise Admins and Schema Admins. These changes are rare in most environments and should always be validated against a change management ticket.
  2. Backdoor account IOC: 4720 (account created) followed by 4728 targeting Domain Admins within 60 seconds, both sharing the same Subject Account Name and with the 4728 Member Security ID equal to the 4720 Target Security ID. This sequence is the attacker establishing durable persistence: the new account retains elevated access even after the original compromise is remediated.
  3. DnsAdmins is critically underrated: members can configure the DC's DNS service to load an arbitrary DLL (dnscmd.exe /config /serverlevelplugindll <path>), which then runs as SYSTEM on the domain controller when the DNS service next starts. Because DnsAdmins is a domain local group, the addition is logged as 4732 rather than 4728; alert on it with Domain Admins-level urgency.
  4. Validate the Subject Account Name performing the addition. It should be a known directory admin, not a service account, computer account, or standard user. Correlate the Subject Logon ID with 4624 to check the source IP and logon type.
  5. Timing is a signal: additions at 2–5 AM, or immediately following a 4625 brute-force spike and a 4624 success, are high-confidence attacker activity. Legitimate AD group management rarely occurs outside business hours without a change ticket.
  6. After any suspicious 4728, check 4624 and 4672 for the newly added account. If it logs on with special privileges within seconds or minutes, the attacker is actively using the elevated access.

Detection Logic

Microsoft Sentinel (KQL) — alert on privileged group additions and the backdoor account creation IOC (4720+4728 within 60 seconds from the same actor).

// Alert on additions to Tier 1/Tier 2 privileged groups. Group scope decides
// which event records the change: global -> 4728, domain local -> 4732
// (BUILTIN\Administrators, DnsAdmins), universal -> 4756 (Enterprise Admins,
// Schema Admins in native-mode forests). Filtering on 4728 alone misses the rest.
SecurityEvent
| where EventID in (4728, 4732, 4756)
| where TargetUserName in~ ("Domain Admins", "Enterprise Admins", "Schema Admins",
    "Group Policy Creator Owners", "Administrators", "DnsAdmins")
// MemberName is the member's distinguished name (CN=...), not a sAMAccountName
| project TimeGenerated, EventID, SubjectAccount, SubjectLogonId, MemberName, MemberSid,
    TargetUserName, Computer
| sort by TimeGenerated desc

// Backdoor account IOC: 4720 followed within 60 seconds by a Domain Admins /
// Enterprise Admins addition of the SAME account (joined on SID, since 4728
// carries the member's DN, not its sAMAccountName) by the same Subject.
// The window is one-directional: the addition cannot precede the creation.
let newAccounts = SecurityEvent
| where EventID == 4720
| project CreateTime=TimeGenerated, SubjectAccount, NewAccount=TargetAccount, NewSid=TargetSid, Computer;
let groupAdds = SecurityEvent
| where EventID in (4728, 4756)   // Enterprise Admins is universal -> 4756
| where TargetUserName in~ ("Domain Admins", "Enterprise Admins")
| project AddTime=TimeGenerated, SubjectAccount, AddedAccount=MemberName, MemberSid, GroupName=TargetUserName;
newAccounts
| join kind=inner groupAdds on SubjectAccount, $left.NewSid == $right.MemberSid
| where AddTime between (CreateTime .. (CreateTime + 60s))
| project CreateTime, AddTime, SubjectAccount, NewAccount, AddedAccount, GroupName, Computer
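The same correlation as a stand-alone script, added here as an example rather than taken from EventPeeker or from the page's own queries. It reproduces the logic of the Key Fields and Investigation Tips sections and of the KQL above over a handful of constructed events: privileged groups keyed to the event ID their scope actually produces, MemberName parsed as a distinguished name, the 4720-to-addition pairing joined on SID with a one-directional 60-second window, and an off-hours flag. The event dicts use the Security log's EventData field names; the sample events, their SIDs and the 07:00 to 19:00 business-hours window are assumptions for illustration, not real log data.

```python
# Added example, not EventPeeker's own code: correlate 4720 -> 4728/4756 backdoor
# sequences and tier privileged-group additions over constructed sample events.
# Dict keys follow the Security log's EventData field names (SubjectUserName,
# MemberName, MemberSid, TargetUserName, TargetSid).
from datetime import datetime, timedelta

# Group name (lower-cased) -> (tier, event ID that actually records the addition).
# Scope decides the ID: global -> 4728, domain local -> 4732, universal -> 4756.
PRIVILEGED_GROUPS = {
    "domain admins": (1, 4728),
    "group policy creator owners": (1, 4728),
    "enterprise admins": (1, 4756),   # universal in native-mode forests
    "schema admins": (1, 4756),       # universal in native-mode forests
    "administrators": (1, 4732),      # BUILTIN, domain local
    "dnsadmins": (2, 4732),           # domain local
}
GROUP_ADD_EVENTS = {4728, 4732, 4756}
BACKDOOR_WINDOW = timedelta(seconds=60)

def member_cn(member_name):
    """MemberName in 4728/4732/4756 is a distinguished name (CN=x,OU=...,DC=...),
    not a sAMAccountName. Return the leading CN for display and ticket lookup."""
    first = member_name.split(",", 1)[0]
    return first[3:] if first.upper().startswith("CN=") else first

def off_hours(ts, start_hour=7, end_hour=19):
    """True on weekends or outside start_hour..end_hour (assumed business hours)."""
    return ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour)

def privileged_additions(events):
    """Return (tier, event) for every group-addition event naming a privileged group."""
    hits = []
    for ev in events:
        if ev["EventID"] in GROUP_ADD_EVENTS:
            entry = PRIVILEGED_GROUPS.get(ev["TargetUserName"].lower())
            if entry:
                hits.append((entry[0], ev))
    return hits

def backdoor_sequences(events, window=BACKDOOR_WINDOW):
    """Pair each 4720 with a later privileged-group addition of the SAME account
    (MemberSid == the 4720's TargetSid) by the same Subject within `window`.
    The window is one-directional: an addition cannot precede the creation."""
    creates = {ev["TargetSid"]: ev for ev in events if ev["EventID"] == 4720}
    pairs = []
    for _tier, add in privileged_additions(events):
        create = creates.get(add["MemberSid"])
        if create is None or create["SubjectUserName"] != add["SubjectUserName"]:
            continue
        if timedelta(0) <= add["Time"] - create["Time"] <= window:
            pairs.append((create, add))
    return pairs

def triage(events):
    """One finding per privileged addition: who added whom to which group, plus flags."""
    backdoor_adds = {id(add) for _, add in backdoor_sequences(events)}
    findings = []
    for tier, ev in privileged_additions(events):
        findings.append({
            "time": ev["Time"], "event_id": ev["EventID"], "tier": tier,
            "actor": ev["SubjectUserName"], "member": member_cn(ev["MemberName"]),
            "group": ev["TargetUserName"], "off_hours": off_hours(ev["Time"]),
            "backdoor_sequence": id(ev) in backdoor_adds,
        })
    return findings

T0 = datetime(2024, 3, 14, 3, 12, 0)  # a Thursday at 03:12: off hours
SID = "S-1-5-21-1111-2222-3333-"      # constructed domain SID prefix
SAMPLE_EVENTS = [  # constructed sample events, not real log data
    # svc-old was created two hours earlier: its later addition is outside the window
    {"EventID": 4720, "Time": T0 - timedelta(hours=2), "SubjectUserName": "jdoe",
     "TargetUserName": "svc-old", "TargetSid": SID + "1104"},
    # Backdoor pattern: create svc-backup2, add it to Domain Admins 12 s later
    {"EventID": 4720, "Time": T0, "SubjectUserName": "jdoe",
     "TargetUserName": "svc-backup2", "TargetSid": SID + "1105"},
    {"EventID": 4728, "Time": T0 + timedelta(seconds=12), "SubjectUserName": "jdoe",
     "MemberName": "CN=svc-backup2,OU=Service Accounts,DC=corp,DC=local",
     "MemberSid": SID + "1105", "TargetUserName": "Domain Admins", "TargetSid": SID + "512"},
    {"EventID": 4728, "Time": T0 + timedelta(seconds=20), "SubjectUserName": "jdoe",
     "MemberName": "CN=svc-old,OU=Service Accounts,DC=corp,DC=local",
     "MemberSid": SID + "1104", "TargetUserName": "Domain Admins", "TargetSid": SID + "512"},
    # Business-hours helpdesk change to an unprivileged global group: no finding
    {"EventID": 4728, "Time": datetime(2024, 3, 14, 10, 0, 0), "SubjectUserName": "helpdesk1",
     "MemberName": "CN=asmith,OU=Users,DC=corp,DC=local",
     "MemberSid": SID + "1042", "TargetUserName": "Sales", "TargetSid": SID + "2001"},
    # DnsAdmins is domain local, so its addition is logged as 4732, never 4728
    {"EventID": 4732, "Time": datetime(2024, 3, 14, 10, 5, 0), "SubjectUserName": "helpdesk1",
     "MemberName": "CN=asmith,OU=Users,DC=corp,DC=local",
     "MemberSid": SID + "1042", "TargetUserName": "DnsAdmins", "TargetSid": SID + "1101"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Run as-is it prints three findings: the svc-backup2 addition flagged as a backdoor sequence, the svc-old addition flagged only as a Tier 1 off-hours change (its 4720 is two hours old, so the window does not pair them), and the DnsAdmins change arriving as 4732. The Sales addition produces nothing, which is the point of keying on group rather than on event ID alone.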

Seeing Event ID 4728 in your own logs? Upload an .evtx file — EventPeeker flags member added to global security group automatically, maps it to MITRE ATT&CK, and writes the triage report. No account, files auto-deleted.

Analyze my logs →

Related Event IDs

4720: New account created; 4720 + 4728 within seconds = backdoor account IOC
4732: Member added to domain local security group, which is where BUILTIN\Administrators and DnsAdmins additions are recorded; also the local escalation companion on member servers and workstations
4756: Member added to universal security group, which is where Enterprise Admins and Schema Admins additions are recorded in native-mode forests
4672: Special privileges assigned at logon; confirms the added account exercised elevated rights
4624: Successful logon; check for an immediate logon by the newly privileged account

Frequently Asked Questions

Is Event ID 4728 always suspicious?
No. Legitimate admin provisioning generates 4728 constantly. The signal is WHO added WHOM to WHICH group. Domain Admins additions (or, via 4732, DnsAdmins additions) from a non-IT account, especially outside business hours, warrant investigation. A 4720 (account created) followed within 60 seconds by a 4728 adding that same account to Domain Admins is the backdoor Domain Admin IOC regardless of the adding account.
What is the 4720+4728 backdoor attack sequence?
Attackers create a new account (Event 4720) and immediately add it to Domain Admins (Event 4728) in the same session. The 60-second correlation window is the key filter, and the 4728 Member Security ID should equal the 4720 Target Security ID so that you are pairing the same account rather than any two events from one actor. Check Subject Account Name on both events; if it is not a known provisioning account, treat as high priority. This create-then-escalate sequence is one of the most common AD backdoor patterns.
Why is DNSAdmins group membership as dangerous as Domain Admins?
DnsAdmins members can make the DNS Server service, which runs as SYSTEM on domain controllers, load an arbitrary DLL. This is a privilege escalation path to Domain Admin-equivalent access without touching the Domain Admins group directly. Because DnsAdmins is a domain local group, the addition is logged as 4732 rather than 4728; treat an unexpected account being added to it with the same urgency as a Domain Admins addition.
How do I distinguish a backdoor 4728 from a legitimate admin change?
Check four things: (1) Is Subject Account Name a known provisioning account or IT admin? (2) Does a helpdesk ticket or change record exist for this addition? (3) Was there a preceding 4720 (account created) within 60 seconds? (4) Did this happen outside business hours? Legitimate additions almost always pass all four checks — attacker additions typically fail at least one.

Go deeper: the full Event ID 4728 / 4732 — User Added to Privileged Group guide

Builds on this page with the attack chain, step-by-step investigation, immediate containment actions, KQL/Sigma detection queries, and an annotated example log.

Read the Event ID 4728 / 4732 — User Added to Privileged Group guide
