Event ID 4728 — A member was added to a security-enabled global group.

Provider
Microsoft-Windows-Security-Auditing
Channel
Security
Audit Policy
Account Management → Security Group Management
Collection Priority
Recommended (Palantir, others)
Opcode
Info

Description

A member was added to a security-enabled global group.

Message

A member was added to a security-enabled global group.

Subject:
	Security ID: %6
	Account Name: %7
	Account Domain: %8
	Logon ID: %9

Member:
	Security ID: %2
	Account Name: %1

Group:
	Security ID: %5
	Group Name: %3
	Group Domain: %4

Additional Information:
	Privileges: %10

Fields

Name               Type           Description
MemberName         UnicodeString  [Member] Account Name.
MemberSid          SID            [Member] Security ID.
TargetUserName     UnicodeString  [Group] Group Name.
TargetDomainName   UnicodeString  [Group] Group Domain.
TargetSid          SID            [Group] Security ID.
SubjectUserSid     SID            [Subject] Security ID.
SubjectUserName    UnicodeString  [Subject] Account Name.
SubjectDomainName  UnicodeString  [Subject] Account Domain.
SubjectLogonId     HexInt64       [Subject] Logon ID.
PrivilegeList      UnicodeString  [Additional Information] Privileges (see the privilege constants reference).

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4728,
    "version": 0,
    "level": 0,
    "task": 13826,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2023-11-06T06:25:34.961043+00:00",
    "event_record_id": 2778,
    "correlation": {
      "ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
    },
    "execution": {
      "process_id": 808,
      "thread_id": 896
    },
    "channel": "Security",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "MemberName": "-",
    "MemberSid": "S-1-5-21-1992711665-1655669231-58201500-1000",
    "TargetUserName": "None",
    "TargetDomainName": "WINDEV2310EVAL",
    "TargetSid": "S-1-5-21-1992711665-1655669231-58201500-513",
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "WINDEV2310EVAL$",
    "SubjectDomainName": "WORKGROUP",
    "SubjectLogonId": "0x3e7",
    "PrivilegeList": "-"
  },
  "message": ""
}

Detection Patterns

Community Notes

A member was added to a security-enabled global group. This may indicate domain-level privilege escalation, i.e., the member gaining membership in a group such as Domain Admins.

Detection Rules

Elastic

  • Active Directory Group Modification by SYSTEM (severity: medium): Identifies a user being added to an Active Directory group by the SYSTEM (S-1-5-18) user. This behavior can indicate that the attacker has achieved SYSTEM privileges on a domain controller, which attackers can obtain by exploiting vulnerabilities or abusing default group privileges (e.g., Server Operators), and is attempting to pivot to a domain account.

Splunk

  • Windows AD add Self to Group: This analytic detects instances where a user adds themselves to an Active Directory (AD) group. This activity is a common indicator of privilege escalation, where a user attempts to gain unauthorized access to higher privileges or sensitive resources. By monitoring AD logs, this detection identifies such suspicious behavior, which could be part of a larger attack strategy aimed at compromising critical systems and data.
  • Windows AD Privileged Group Modification: This detection identifies when users are added to privileged Active Directory groups by leveraging the Windows Security Event Code 4728 along with a lookup of privileged AD groups provided by Splunk Enterprise Security. Attackers often add user accounts to privileged AD groups to escalate privileges or maintain persistence within an Active Directory environment. Monitoring for modifications to privileged groups can help identify potential security breaches and unauthorized access attempts.
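The three patterns described above (SYSTEM as subject, a member adding their own account, and a target group on a privileged-group list), applied to 4728 records in the JSON layout of the example event. This is an added illustration, not Elastic's or Splunk's rule code; the privileged-group lookup and the `make_event` helper are constructed for the example, and the lookup matches by RID rather than group name so a renamed group still matches.

```python
# Constructed detection logic for Event 4728 records in the JSON shape shown above.
DOMAIN = "S-1-5-21-1992711665-1655669231-58201500"  # domain SID from the page's example
LOCAL_SYSTEM_SID = "S-1-5-18"
# Privileged groups keyed by well-known RID (constructed lookup; a real deployment
# would use its own privileged-group list, e.g. the one the Splunk rule references).
PRIVILEGED_RIDS = {"512": "Domain Admins", "518": "Schema Admins", "519": "Enterprise Admins"}


def make_event(member_sid, subject_sid, target_sid, event_id=4728):
    """Build a minimal record in the page's JSON layout (constructed sample helper)."""
    return {
        "system": {"event_id": event_id, "channel": "Security"},
        "event_data": {
            "MemberName": "-", "MemberSid": member_sid,
            "TargetUserName": "?", "TargetDomainName": "WINDEV2310EVAL", "TargetSid": target_sid,
            "SubjectUserSid": subject_sid, "SubjectUserName": "?", "SubjectDomainName": "WORKGROUP",
            "SubjectLogonId": "0x3e7", "PrivilegeList": "-",
        },
    }


def rid(sid):
    """Relative identifier: the last hyphen-separated component of a SID."""
    return sid.rsplit("-", 1)[-1]


def evaluate_4728(event):
    """Return the labels of the detection patterns one event triggers, in a fixed order."""
    if event["system"].get("event_id") != 4728:
        return []
    d = event["event_data"]
    hits = []
    # Elastic pattern: the subject that performed the change is LocalSystem.
    if d["SubjectUserSid"] == LOCAL_SYSTEM_SID:
        hits.append("group_modification_by_system")
    # Splunk "add self" pattern: the member added is the subject's own account.
    if d["MemberSid"] == d["SubjectUserSid"]:
        hits.append("self_added_to_group")
    # Splunk privileged-group pattern: match the target group by RID.
    group = PRIVILEGED_RIDS.get(rid(d["TargetSid"]))
    if group:
        hits.append("privileged_group_modification:" + group)
    return hits


# The page's example event: SYSTEM adds RID 1000 to the RID 513 group.
PAGE_EXAMPLE = make_event(DOMAIN + "-1000", LOCAL_SYSTEM_SID, DOMAIN + "-513")
# Constructed event: an account adds itself to Domain Admins (RID 512).
SELF_TO_DA = make_event(DOMAIN + "-1000", DOMAIN + "-1000", DOMAIN + "-512")

if __name__ == "__main__":
    for name, ev in (("page example", PAGE_EXAMPLE), ("self to DA", SELF_TO_DA)):
        print(name, "->", evaluate_4728(ev) or ["no detection"])
```

The page's own sample, logged on a workgroup VM, already trips the SYSTEM pattern, which is why that rule needs host scoping (domain controllers) before it is useful as an alert.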
