System-Initiated Group Membership Removal

Rule name: System-Initiated Group Membership Removal

Rule type: Standard

Log sources: Windows

MITRE ATT&CK tags: Persistence: Account Manipulation - Additional Local or Domain Groups (T1098.007); Privilege Escalation: Account Manipulation - Additional Local or Domain Groups (T1098.007)

Severity: Attention

About the rule

Rule Type

Standard

Rule Description

Identifies removal of users from groups by system-level accounts, potentially masking attacker persistence or access changes.

Why this rule?

System-initiated group membership removal is a defense evasion and anti-forensic technique in which attackers running with SYSTEM privileges remove legitimate users from security groups. The goals are to eliminate witnesses to their activity, to ensure exclusive access to compromised resources, to hide evidence of unauthorized group membership changes by removing audit trails, or to disrupt security operations by removing security team members from administrative groups.

Severity

Attention

Rule journey

Attack chain scenario

Defense Evasion → System Context Execution → Group Membership Removal → Access Modification → Persistence Masking.

Impact

Attackers may remove legitimate users from security groups to mask their activities or maintain exclusive access to compromised resources.

Rule Requirement

Prerequisites

Enable Windows Security Event Logging for Event IDs 4729, 633, 637.

Criteria

Action1: actionname = "Member(s) removed from security group" AND (USERNAME contains "$" AND SECURITYID = "S-1-5-18")
select Action1.HOSTNAME,Action1.MESSAGE,Action1.GROUPDOMAIN,Action1.GROUPNAME,Action1.TARGETDOMAIN,Action1.TARGETUSER,Action1.USERNAME,Action1.DOMAIN,Action1.MEMBERGROUPSID,Action1.MEMBERSID,Action1.SECURITYID
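The Criteria above, re-implemented as an added Python example (this is not the vendor's rule engine) over a few constructed, normalized Event ID 4729 records, so the two conditions and the projected select list can be checked offline. Field names follow the Criteria; every sample value is made up.

```python
"""Offline re-implementation of the rule's Criteria over sample Event ID 4729 records."""
from typing import Dict, List

# Constants taken from the rule's Criteria block.
ACTION_NAME = "Member(s) removed from security group"
LOCAL_SYSTEM_SID = "S-1-5-18"  # well-known SID for NT AUTHORITY\SYSTEM
SELECT_FIELDS = ("HOSTNAME", "MESSAGE", "GROUPDOMAIN", "GROUPNAME", "TARGETDOMAIN",
                 "TARGETUSER", "USERNAME", "DOMAIN", "MEMBERGROUPSID", "MEMBERSID", "SECURITYID")


def matches_rule(event: Dict[str, str]) -> bool:
    """actionname = ACTION_NAME AND (USERNAME contains "$" AND SECURITYID = "S-1-5-18")."""
    return (event.get("actionname") == ACTION_NAME
            and "$" in event.get("USERNAME", "")          # machine account, e.g. DC01$
            and event.get("SECURITYID") == LOCAL_SYSTEM_SID)  # subject SID is Local System


def run_rule(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the projected fields (the rule's select list) for every matching event."""
    return [{f: e.get(f, "") for f in SELECT_FIELDS} for e in events if matches_rule(e)]


# Constructed sample events (hypothetical hosts, users and SIDs).
SAMPLE_EVENTS = [
    {  # machine account acting as SYSTEM removes a user from Domain Admins -> should alert
        "actionname": ACTION_NAME, "HOSTNAME": "DC01", "MESSAGE": "4729 member removed",
        "GROUPDOMAIN": "CORP", "GROUPNAME": "Domain Admins", "TARGETDOMAIN": "CORP",
        "TARGETUSER": "j.doe", "USERNAME": "DC01$", "DOMAIN": "CORP",
        "MEMBERGROUPSID": "S-1-5-21-1-2-3-512", "MEMBERSID": "S-1-5-21-1-2-3-1105",
        "SECURITYID": LOCAL_SYSTEM_SID,
    },
    {  # human administrator doing the same removal -> outside this rule's scope
        "actionname": ACTION_NAME, "HOSTNAME": "DC01", "USERNAME": "admin.smith",
        "GROUPNAME": "Domain Admins", "TARGETUSER": "j.doe", "SECURITYID": "S-1-5-21-1-2-3-500",
    },
    {  # machine account as SYSTEM, but the event is an addition, not a removal
        "actionname": "Member(s) added to security group", "HOSTNAME": "DC01",
        "USERNAME": "DC01$", "GROUPNAME": "Backup Operators", "TARGETUSER": "svc-backup",
        "SECURITYID": LOCAL_SYSTEM_SID,
    },
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(f"ALERT {hit['HOSTNAME']}: {hit['USERNAME']} removed "
              f"{hit['TARGETUSER']} from {hit['GROUPNAME']}")
```

Only the first sample fires; the second shows why the SID check keeps human-initiated removals out of this rule, and the third shows the action-name filter excluding additions.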

Detection

Execution Mode

realtime

Log Sources

Active Directory

MITRE ATT&CK

Persistence: Account Manipulation - Additional Local or Domain Groups (T1098.007)

Privilege Escalation: Account Manipulation - Additional Local or Domain Groups (T1098.007)

Future actions

Known False Positives

Scheduled access cleanup tasks, de-provisioning workflows, or security policies removing group memberships automatically.

Next Steps

  1. Identification: Identify the account removed from the group and the system context performing the action.
  2. Analysis: Determine if the group membership removal was authorized or part of legitimate de-provisioning.
  3. Response: Review group membership changes and restore legitimate access if necessary; investigate potential attacker activity.

Mitigation

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.