# Privileged Group Tracking
Detect potential privilege escalation attempts
Windows event logs (IDs 4728, 4732, 4756)
Events 4728 and 4756 are only logged on domain controllers. Event 4732 may be logged on either the domain controller or an individual computer, depending on whether the group is a domain group or a local group. You should ideally collect ID 4732 events from all computers in the domain for full visibility.
Adding a non-privileged account to a privileged group is a common method for attackers to gain more access to a compromised system or domain. In most environments, this operation is not common, so any occurrences of the listed event types should be investigated.
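As an added example (not from the guide cited below), the following script applies this hunt to a constructed sample of Security log records: it keeps only events 4728, 4732 and 4756, then flags those where the group is on a watchlist of privileged groups. The JSON shape, field names and the watchlist are assumptions for the example; the field names mirror the EventData of the real records (TargetUserName is the group, MemberName the added account, SubjectUserName the actor).

```python
import json
from collections import namedtuple

# Watchlist of privileged groups (constructed for this example; tune per environment).
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
    "Account Operators", "Backup Operators", "Server Operators",
}

# Event IDs from the page: member added to a security-enabled global (4728),
# local (4732) or universal (4756) group.
GROUP_ADD_EVENTS = {4728: "global", 4732: "local", 4756: "universal"}

# Constructed sample log, one JSON record per line. Field names follow the
# Security log EventData: TargetUserName is the group, MemberName the account
# added, SubjectUserName the actor, Computer the host that logged the event.
SAMPLE_LOG = """\
{"EventID": 4728, "Computer": "DC01", "SubjectUserName": "jdoe", "TargetUserName": "Domain Admins", "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=example"}
{"EventID": 4732, "Computer": "WS042", "SubjectUserName": "helpdesk1", "TargetUserName": "Administrators", "MemberName": "CN=tempuser,OU=Users,DC=corp,DC=example"}
{"EventID": 4732, "Computer": "WS042", "SubjectUserName": "helpdesk1", "TargetUserName": "Remote Desktop Users", "MemberName": "CN=tempuser,OU=Users,DC=corp,DC=example"}
{"EventID": 4624, "Computer": "WS042", "SubjectUserName": "-", "TargetUserName": "helpdesk1"}
"""

Alert = namedtuple("Alert", "event_id scope computer actor group member")

def parse_events(text):
    """One dict per non-empty JSON line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_privileged_group_additions(events):
    """Return an Alert for every 4728/4732/4756 event whose group is on the watchlist."""
    alerts = []
    for ev in events:
        scope = GROUP_ADD_EVENTS.get(ev.get("EventID"))
        if scope is None:  # not a group-membership change (e.g. a logon)
            continue
        group = ev.get("TargetUserName", "")
        if group not in PRIVILEGED_GROUPS:  # change to a non-privileged group
            continue
        alerts.append(Alert(ev["EventID"], scope, ev.get("Computer"),
                            ev.get("SubjectUserName"), group, ev.get("MemberName")))
    return alerts

if __name__ == "__main__":
    for a in find_privileged_group_additions(parse_events(SAMPLE_LOG)):
        print(f"[{a.event_id}/{a.scope}] {a.actor} added {a.member} to '{a.group}' on {a.computer}")
```

The third sample record (addition to Remote Desktop Users) is deliberately not flagged, which shows why the watchlist, not the event ID alone, decides what gets investigated.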
Seek Evil, and Ye Shall Find: A Guide to Cyber Threat Hunting Operations, Tim Bandos, Digital Guardian