System-Initiated Group Membership Addition

Rule name: System-Initiated Group Membership Addition

Rule type: Standard

Log sources: Windows

MITRE ATT&CK tags:
  Persistence: Account Manipulation - Additional Local or Domain Groups (T1098.007)
  Privilege Escalation: Account Manipulation - Additional Local or Domain Groups (T1098.007)

Severity: Attention

About the rule

Rule Type

Standard

Rule Description

Detects group membership additions performed under a system context, which may indicate privilege escalation or automated abuse.

Why this rule?

System-initiated group membership additions are an unusual activity pattern in which the SYSTEM account (S-1-5-18) modifies security group memberships. Legitimate operations rarely require this, so it often indicates malware running with SYSTEM privileges, scheduled task abuse, service exploitation, or attackers leveraging elevated privileges to grant themselves or compromised accounts access to sensitive resources.

Severity

Attention

Rule journey

Attack chain scenario

Privilege Escalation → System Context Execution → Group Membership Addition → Elevated Privileges → Unauthorized Access.

Impact

Unauthorized privilege escalation through system-level group membership modifications, potentially granting attackers elevated access rights.

Rule Requirement

Prerequisites

Enable Windows Security Event Logging for Event IDs 4728, 632, 636.

Criteria

Action1: actionname = "Member(s) added to security group"
         AND (USERNAME contains "$" AND SECURITYID = "S-1-5-18")
select Action1.HOSTNAME, Action1.MESSAGE, Action1.GROUPDOMAIN, Action1.GROUPNAME,
       Action1.TARGETDOMAIN, Action1.TARGETUSER, Action1.USERNAME, Action1.DOMAIN,
       Action1.MEMBERGROUPSID, Action1.MEMBERSID, Action1.SECURITYID

Detection

Execution Mode

realtime

Log Sources

Active Directory

MITRE ATT&CK

Persistence: Account Manipulation - Additional Local or Domain Groups (T1098.007)

Privilege Escalation: Account Manipulation - Additional Local or Domain Groups (T1098.007)

Future actions

Known False Positives

Legitimate group changes performed by automated identity management systems, domain controllers, or provisioning scripts running under SYSTEM context.
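The following is an added worked example, not code from the rule page or its vendor. It applies the rule's Criteria (the addition action, a machine-account-style USERNAME containing "$", and the SYSTEM SID) to constructed, already-normalised events, projects matches onto the rule's select fields, and then separates out hosts that are approved to run provisioning under SYSTEM, which is the tuning the Known False Positives note calls for. The field names come from the rule's select clause; the assumption that the collector maps Event IDs 4728, 632 and 636 onto actionname "Member(s) added to security group", and the host, user and SID values, are constructed for illustration.

```python
"""Added example (not from the original rule page): applies the rule's criteria
to constructed Windows Security "member added" events and suppresses hosts known
to run provisioning under SYSTEM, keeping the suppressed matches reviewable."""

SYSTEM_SID = "S-1-5-18"
MEMBER_ADDED_ACTION = "Member(s) added to security group"

# Field names taken from the rule's select clause.
SELECT_FIELDS = (
    "HOSTNAME", "MESSAGE", "GROUPDOMAIN", "GROUPNAME", "TARGETDOMAIN",
    "TARGETUSER", "USERNAME", "DOMAIN", "MEMBERGROUPSID", "MEMBERSID", "SECURITYID",
)


def _event(host, user, sid, action=MEMBER_ADDED_ACTION, target="svc-backup",
           group="Domain Admins"):
    """Build a constructed, already-normalised event (assumption: the collector maps
    EventID 4728/632/636 onto actionname and the SELECT_FIELDS names)."""
    return {
        "actionname": action,
        "HOSTNAME": host,
        "MESSAGE": "A member was added to a security-enabled global group.",
        "GROUPDOMAIN": "CORP", "GROUPNAME": group, "MEMBERGROUPSID": "S-1-5-21-1-2-3-512",
        "TARGETDOMAIN": "CORP", "TARGETUSER": target, "MEMBERSID": "S-1-5-21-1-2-3-1107",
        "USERNAME": user, "DOMAIN": "CORP", "SECURITYID": sid,
    }


# Constructed sample input covering the cases the rule must tell apart.
SAMPLE_EVENTS = [
    _event("FS01", "FS01$", SYSTEM_SID),                        # SYSTEM on a file server: alert
    _event("DC01", "jdoe", "S-1-5-21-1-2-3-1001"),               # interactive admin: not this rule
    _event("IDM01", "IDM01$", SYSTEM_SID, target="new.hire",
           group="VPN Users"),                                   # approved provisioning host: suppress
    _event("FS01", "FS01$", SYSTEM_SID,
           action="Member(s) removed from security group"),       # removal, not addition: no match
]


def matches_criteria(event):
    """The rule's criteria: addition action AND name containing '$' AND SYSTEM SID."""
    return (event.get("actionname") == MEMBER_ADDED_ACTION
            and "$" in event.get("USERNAME", "")
            and event.get("SECURITYID") == SYSTEM_SID)


def project(event):
    """The rule's select clause: keep only the listed fields, in order."""
    return {field: event.get(field) for field in SELECT_FIELDS}


def run_rule(events, allowlisted_hosts=frozenset()):
    """Return (alerts, suppressed): projected matches split by whether HOSTNAME is an
    approved provisioning host. Suppressed matches are returned rather than dropped
    so the allowlist itself stays auditable."""
    alerts, suppressed = [], []
    for event in events:
        if not matches_criteria(event):
            continue
        row = project(event)
        (suppressed if row["HOSTNAME"] in allowlisted_hosts else alerts).append(row)
    return alerts, suppressed


if __name__ == "__main__":
    found, held = run_rule(SAMPLE_EVENTS, allowlisted_hosts={"IDM01"})
    for row in found:
        print("ALERT", row["HOSTNAME"], row["USERNAME"], "->",
              row["TARGETUSER"], "in", row["GROUPNAME"])
    for row in held:
        print("SUPPRESSED (approved provisioning host)", row["HOSTNAME"], "->",
              row["TARGETUSER"], "in", row["GROUPNAME"])
```

Keeping the allowlist per host rather than per target group mirrors the false-positive description (provisioning systems running under SYSTEM on particular machines); a SYSTEM-context addition from any other host still alerts, and the suppressed rows can be reviewed periodically so a compromised provisioning host does not become a blind spot.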

Next Steps

  1. Identification: Identify the account added to the group and the system context performing the action.
  2. Analysis: Determine if the group membership change was authorized or part of legitimate provisioning.
  3. Response: Review group membership and remove unauthorized accounts, investigate potential privilege escalation.

Mitigation

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.