EventPeeker
Event ID 4732 · Audit Success · Security · T1098

Windows Event ID 4732: Member Added to Local Security Group

Logged when an account is added to a local security group on a Windows system. The most security-critical groups are local Administrators (full machine control), Backup Operators (file system bypass via SeBackupPrivilege), and Remote Desktop Users (RDP access). Unlike global group changes (4728), 4732 is machine-specific — but a pattern of 4732 events across multiple machines signals lateral movement preparation at scale.

MITRE ATT&CK

Technique

T1098 · Account Manipulation

Tactic

Persistence

Reference: https://attack.mitre.org/techniques/T1098/

Why It Matters

Adding an account to local Administrators grants unrestricted control of that machine: the added account can install software, read all files, dump credentials from LSASS, and modify system configuration. Attackers add accounts to local Administrators on high-value servers (each addition generating a 4732) to establish persistent local admin access that survives even when their domain privileges are later revoked. Multiple 4732 events from the same account across different machines in quick succession is the lateral movement staging pattern: pre-positioning local admin access before executing the primary objective.

Key Fields

Group Name: The target local group. Critical: BUILTIN\Administrators (full machine control, LSASS access); Backup Operators (SeBackupPrivilege and SeRestorePrivilege — can read any file bypassing ACLs, including NTDS.dit on DCs); Remote Desktop Users (grants RDP access). Also review: Hyper-V Administrators, Remote Management Users (WinRM).
Member Account Name: The account being added. A domain account appearing in 4732 events across multiple machines is a lateral movement staging indicator.
Subject Account Name: Who performed the addition. Should be a known local or domain admin, not a standard user or service account.
Subject Logon ID: Session that performed the change. Correlate with 4624 to check logon type and source IP.

Investigation Tips

  1. Backup Operators on Domain Controllers: members get SeBackupPrivilege and SeRestorePrivilege, allowing them to read any file regardless of ACLs — including NTDS.dit. An attacker with Backup Operators membership on a DC can exfiltrate the full AD password database. Alert on Backup Operators additions on DCs with Administrators-level urgency.
  2. Cross-machine pattern: the same Member Account Name in 4732 events across 3+ hosts within a short window = lateral movement preparation. The attacker is staging local admin access ahead of their next action.
  3. On domain-joined machines, local Administrators membership should be controlled by Group Policy (Restricted Groups or LGPO). A standalone 4732 addition not reflected in GPO is suspicious — it indicates a manual escalation attempt, even if overridden on the next GPO refresh.
  4. Remote Desktop Users addition: correlate with subsequent Type 10 logons (4624) from the same account — an attacker establishing an RDP backdoor on the target machine.
  5. Verify the Subject Account Name has legitimate authority to modify local groups. A standard domain user or service account performing this change is a privilege escalation indicator.
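The key-field checks and investigation tips above can be turned into detection logic run over exported 4732 and 4624 records. The following is an added example written for this page, not EventPeeker's own code or detector: it scores each 4732 by target group (raising Backup Operators on a domain controller to critical, per tip 1), flags additions performed by a subject outside an authorised set (tip 5), finds the cross-machine staging pattern of one member added on three or more hosts inside a window (tip 2), and correlates Remote Desktop Users additions with a later Type 10 logon by the same account on the same host (tip 4). The sample records, hostnames, account names, the DC inventory, the authorised-subject list and the time windows are all constructed assumptions.

```python
"""Detection checks for Windows Event ID 4732 over constructed sample records.

Added example, not EventPeeker code. Each record is a dict carrying the
fields the page lists (GroupName, MemberAccountName, SubjectAccountName,
SubjectLogonId) plus Computer and TimeCreated; 4624 records add LogonType
and TargetUserName. All names, thresholds and inventories are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Local groups the page flags as high-value; the severity labels are assumed.
GROUP_SEVERITY = {
    "Administrators": "critical",
    "Backup Operators": "high",
    "Remote Desktop Users": "high",
    "Hyper-V Administrators": "medium",
    "Remote Management Users": "medium",
}
DOMAIN_CONTROLLERS = {"DC01"}                # assumed DC inventory
AUTHORIZED_SUBJECTS = {"CORP\\itadmin"}      # assumed accounts allowed to edit local groups
STAGING_MIN_HOSTS = 3                        # page: "3+ hosts"
STAGING_WINDOW = timedelta(hours=1)          # assumed "short window"
RDP_FOLLOWUP_WINDOW = timedelta(hours=24)    # assumed follow-up window for tip 4


def _ts(ev):
    return datetime.fromisoformat(ev["TimeCreated"])


def _group(ev):
    return ev["GroupName"].split("\\")[-1]   # "Builtin\Administrators" -> "Administrators"


def classify(ev):
    """Severity of one 4732 event, or None if the group is not on the watch list.
    Tip 1: Backup Operators on a domain controller is raised to critical."""
    sev = GROUP_SEVERITY.get(_group(ev))
    if sev and _group(ev) == "Backup Operators" and ev["Computer"] in DOMAIN_CONTROLLERS:
        sev = "critical"
    return sev


def triage(events):
    """Per-event severity plus tip 5's subject check; returns one finding per watched 4732."""
    out = []
    for ev in events:
        if ev["EventID"] != 4732 or classify(ev) is None:
            continue
        out.append({"host": ev["Computer"], "group": _group(ev), "member": ev["MemberAccountName"],
                    "severity": classify(ev),
                    "unauthorized_subject": ev["SubjectAccountName"] not in AUTHORIZED_SUBJECTS})
    return out


def find_staging(events, min_hosts=STAGING_MIN_HOSTS, window=STAGING_WINDOW):
    """Tip 2: the same member added to a local group on >= min_hosts distinct hosts inside `window`."""
    by_member = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 4732:
            by_member[ev["MemberAccountName"]].append(ev)
    hits = {}
    for member, evs in by_member.items():
        evs.sort(key=_ts)
        for i, first in enumerate(evs):          # slide the window over the sorted additions
            hosts = {e["Computer"] for e in evs[i:] if _ts(e) - _ts(first) <= window}
            if len(hosts) >= min_hosts:
                hits[member] = sorted(hosts)
                break
    return hits


def find_rdp_followup(events, window=RDP_FOLLOWUP_WINDOW):
    """Tip 4: Remote Desktop Users addition followed by a 4624 Type 10 logon
    of the same account on the same host within `window`."""
    adds = [e for e in events if e["EventID"] == 4732 and _group(e) == "Remote Desktop Users"]
    rdp_logons = [e for e in events if e["EventID"] == 4624 and e.get("LogonType") == 10]
    findings = []
    for add in adds:
        for lg in rdp_logons:
            same = lg["TargetUserName"] == add["MemberAccountName"] and lg["Computer"] == add["Computer"]
            if same and timedelta(0) <= _ts(lg) - _ts(add) <= window:
                findings.append((add["MemberAccountName"], add["Computer"], lg["TimeCreated"]))
    return findings


# Constructed sample records (not real log data): one account staged on three
# servers, a Backup Operators addition on a DC, an RDP backdoor, and one benign change.
def _add(ts, host, group, member, subject, logon_id):
    return {"EventID": 4732, "TimeCreated": ts, "Computer": host, "GroupName": "Builtin\\" + group,
            "MemberAccountName": member, "SubjectAccountName": subject, "SubjectLogonId": logon_id}

SAMPLE_EVENTS = [
    _add("2024-05-01T09:00:00", "SRV01", "Administrators", "CORP\\jdoe", "CORP\\jdoe", "0x5a3f1"),
    _add("2024-05-01T09:10:00", "SRV02", "Administrators", "CORP\\jdoe", "CORP\\jdoe", "0x5b002"),
    _add("2024-05-01T09:20:00", "SRV03", "Administrators", "CORP\\jdoe", "CORP\\jdoe", "0x5b9c4"),
    _add("2024-05-01T10:00:00", "DC01", "Backup Operators", "CORP\\svc_legacy", "CORP\\jdoe", "0x6c110"),
    _add("2024-05-01T11:00:00", "SRV04", "Remote Desktop Users", "CORP\\jdoe", "CORP\\jdoe", "0x7a201"),
    {"EventID": 4624, "TimeCreated": "2024-05-01T11:30:00", "Computer": "SRV04",
     "LogonType": 10, "TargetUserName": "CORP\\jdoe", "IpAddress": "10.0.0.55"},
    _add("2024-05-01T14:00:00", "WS07", "Remote Management Users", "CORP\\helpdesk", "CORP\\itadmin", "0x8e0b3"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
    print("staging:", find_staging(SAMPLE_EVENTS))
    print("rdp follow-up:", find_rdp_followup(SAMPLE_EVENTS))
```

Run as-is, the staging check reports `CORP\jdoe` on SRV01, SRV02 and SRV03 (the SRV04 addition two hours later falls outside the one-hour window), the RDP correlation ties the SRV04 Remote Desktop Users addition to the Type 10 logon thirty minutes later, and the DC01 Backup Operators addition is scored critical despite the group's default "high" rating. In a SIEM the same logic maps onto a group-by on Member Account Name with a distinct count of Computer over a time bucket, and a sequence rule joining 4732 to 4624 on account and host.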

Related Event IDs

4728: Member added to global group — domain-wide escalation companion
4720: New account created — may precede group addition for backdoor persistence
4624: Logon event — check for Type 10 RDP logons by newly added Remote Desktop Users
4672: Special privileges at logon — confirms the added account exercised elevated rights
