Switch branches/tags
Nothing to show
Find file Copy path
cbdc4c5 Jun 21, 2016
1 contributor

Users who have contributed to this file

37 lines (21 sloc) 1.01 KB

#Privileged Group Tracking


Detect potential privilege escalation attempts

Data Required

Windows event logs (ID 4728, 4732, 4756)

Collection Considerations

Event 4728 and 4756 are only logged on domain controllers. Event 4732 may be logged on either the domain controller or an individual computer, depending on whether the group is a domain or a local group. You should ideally collect ID 4732 events on all computers in the domain for full visibility.

Analysis Techniques



Adding a non-privileged account to a privileged group is a common method for attackers to gain more access to a compromised system or domain. In most environments, this operation is not common, so any occurrences of the listed event types should be investigated.

Other Notes

More Info

Seek Evil, and Ye Shall Find: A Guide to Cyber Threat Hunting Operations, Tim Bandos, Digital Guardian