EventPeeker
Event ID 4756 · Audit Success · Security · T1098

Windows Event ID 4756: Member Added to Universal Security Group

Logged when an account is added to a universal security group in Active Directory.

MITRE ATT&CK

Technique

T1098 · Account Manipulation

Tactic

Persistence


Why It Matters

Universal groups can span domains in a forest, making additions to privileged universal groups (e.g., Enterprise Admins) forest-wide in impact.

Key Fields

Group Name: The target group
Member Account Name: Who was added
Subject Account Name: Who performed the addition

Investigation Tips

  1. Treat like 4728 for Enterprise Admins or other privileged universal groups.
  2. Verify against change control records.
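
The two tips above as a triage check over one 4756 event in XML form, as an added example and not EventPeeker's own code. TargetUserName, MemberName, MemberSid and SubjectUserName are the event's XML data names for the key fields; the sample event, the watch list and the change-control records are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumption: site-defined watch list; Enterprise Admins is the page's example.
PRIVILEGED_UNIVERSAL_GROUPS = {"enterprise admins"}

# Constructed change-control records: (group, member, actor) approved in advance.
APPROVED_CHANGES = {
    ("enterprise admins", "cn=alice admin,ou=tier0,dc=corp,dc=example", "svc-idm"),
}

# Constructed sample event, not taken from a real log.
SAMPLE_4756 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4756</EventID><Computer>dc01.corp.example</Computer></System>
  <EventData>
    <Data Name="MemberName">CN=Bob Temp,OU=Staff,DC=corp,DC=example</Data>
    <Data Name="MemberSid">S-1-5-21-1111111111-2222222222-3333333333-1601</Data>
    <Data Name="TargetUserName">Enterprise Admins</Data>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CORP</Data>
  </EventData>
</Event>"""


def triage_4756(event_xml):
    """Return a triage dict for a 4756 event, or None for any other event ID."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4756":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    group = data.get("TargetUserName", "")      # Group Name
    member = data.get("MemberName", "")         # Member Account Name
    if member in ("", "-"):                     # name not resolved: fall back to the SID
        member = data.get("MemberSid", "")
    actor = data.get("SubjectUserName", "")     # Subject Account Name
    privileged = group.lower() in PRIVILEGED_UNIVERSAL_GROUPS
    approved = (group.lower(), member.lower(), actor.lower()) in APPROVED_CHANGES
    if not privileged:
        severity = "info"
    elif approved:
        severity = "approved"   # matches a change-control record
    else:
        severity = "high"       # privileged universal group, no matching record
    return {"group": group, "member": member, "actor": actor, "severity": severity}


if __name__ == "__main__":
    print(triage_4756(SAMPLE_4756))
```
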

Seeing Event ID 4756 in your own logs? Upload an .evtx file — EventPeeker flags member added to universal security group automatically, maps it to MITRE ATT&CK, and writes the triage report. No account, files auto-deleted.


Related Event IDs

4728: Added to global group
4732: Added to local group

Go deeper: the full Account Persistence — Backdoor Accounts and Unauthorized Group Changes guide

Builds on this page with the attack chain, step-by-step investigation, immediate containment actions, KQL/Sigma detection queries, and an annotated example log.

