DET0310 Suspicious Addition to Local or Domain Groups

Analytics

Detects unauthorized additions of users or machine accounts to privileged local or domain groups (e.g., Administrators, Remote Desktop Users).

Data Component	Name	Channel
User Account Modification (DC0010)	WinEventLog:Security	EventCode=4728, 4729, 4732, 4733, 4756, 4757

Field	Description
TargetGroup	Set to detect high-privileged groups like ‘Administrators’, ‘Domain Admins’, or ‘Remote Desktop Users’
TimeWindow	Restrict detections to business hours or approved maintenance windows
UserContext	Filter out known automated processes or provisioning systems

Detects unexpected use of usermod, gpasswd, or direct modification of /etc/group to elevate user group membership.

Data Component	Name	Channel
User Account Modification (DC0010)	auditd:SYSCALL	SYSCALL for usermod or /etc/group file modification

Field	Description
GroupName	Focus on ‘sudo’, ‘wheel’, or custom high-privilege groups
UserContext	Account that initiated the change (e.g., service account or unrecognized user)
TimeWindow	Detect elevation outside change windows

Detects use of dseditgroup or dscl to add users to privileged macOS groups (e.g., admin).

Data Component	Name	Channel
User Account Modification (DC0010)	macos:unifiedlog	Process execution or directory service changes

Field	Description
GroupName	Focus on ‘admin’ or ‘com.apple.access_ssh’
UserContext	Detect unknown or transient users making group changes
TimeWindow	Detect group modifications at suspicious times