T1098.007 Additional Local or Domain Groups
An adversary may add an adversary-controlled account to additional local or domain groups to maintain persistent access to a system or domain.
On Windows, adversaries may use the net localgroup and net group commands to add existing users to local and domain groups.3 4 On Linux, adversaries may use the usermod command (for example, usermod -aG <group> <user>) for the same purpose.2
For example, accounts may be added to the local Administrators group on Windows devices to maintain elevated privileges. They may also be added to the Remote Desktop Users group, which grants the right to log on through Remote Desktop Services and so lets the adversary return to the endpoint over RDP in the future.5 Adversaries may also add accounts to VPN user groups to gain future persistence on the network.1 On Linux, accounts may be added to the group that /etc/sudoers grants privileges to (sudo on Debian-derived systems, wheel on Red Hat-derived ones), allowing them to persistently leverage Sudo and Sudo Caching for elevated privileges.
In Windows environments, machine (computer) accounts may also be added to domain groups. Processes running as the local SYSTEM account authenticate on the network as the machine account, so every SYSTEM-level process on that host, including an adversary's, gains the group's privileges on the domain.6
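The check a defender pairs with the three paragraphs above is to watch group-membership additions for the groups and account types they name. The following is an added example, not part of the ATT&CK page and not from any of the cited reports: it parses constructed Windows Security event summaries (4732 local group, 4728 global group, 4756 universal group) and constructed Linux auth.log lines in the shape shadow-utils usermod writes, then flags additions to Administrators, Remote Desktop Users, Domain Admins, sudo or wheel, and any domain-group addition whose member is a machine account (name ending in $). The flat key=value event rendering, the field names, the hosts, accounts and timestamps are all assumptions for illustration; the usermod message format should be confirmed against your own distribution.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Groups whose membership grants the persistence or elevation described above.
# Linux: "sudo" (Debian/Ubuntu) and "wheel" (RHEL/Fedora) are the groups that
# the default /etc/sudoers grants on those distributions.
SENSITIVE_GROUPS = {
    "administrators", "remote desktop users", "domain admins",
    "enterprise admins", "sudo", "wheel",
}

# Windows Security events for "a member was added to a security-enabled group":
# 4732 = local group, 4728 = global group, 4756 = universal group.
WINDOWS_ADD_EVENTS = {"4732", "4728", "4756"}


@dataclass
class GroupChange:
    source: str   # "windows" or "linux"
    host: str
    actor: str    # account that made the change ("unknown" when the log omits it)
    member: str   # account that was added
    group: str

    @property
    def is_machine_account(self) -> bool:
        # AD computer accounts end in "$" (e.g. CORP\WS07$). Adding one to a
        # domain group hands those rights to every SYSTEM process on that host.
        return self.member.endswith("$")

    @property
    def suspicious(self) -> bool:
        return self.group.lower() in SENSITIVE_GROUPS or self.is_machine_account


# key=value pairs with optionally double-quoted values. This is a constructed
# flat rendering of the event fields (assumption); real events arrive as XML/JSON.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# auth.log line written by shadow-utils usermod (assumed format). The matching
# "add '<user>' to shadow group '<group>'" line is the gshadow side of the same
# change and is deliberately not matched, so each addition is counted once.
LINUX_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ (?P<host>\S+) usermod\[\d+\]: "
    r"add '(?P<member>[^']+)' to group '(?P<group>[^']+)'"
)


def parse_windows(line: str) -> Optional[GroupChange]:
    fields = {k: (q or u) for k, q, u in KV_RE.findall(line)}
    if fields.get("EventID") not in WINDOWS_ADD_EVENTS:
        return None  # e.g. 4720 (account created) belongs to a different sub-technique
    # Caveat: real 4732/4728 events often carry the member only as MemberSid
    # with MemberName "-", so a production parser resolves the SID first.
    return GroupChange(
        "windows",
        fields.get("Computer", "?"),
        fields.get("SubjectUserName", "unknown"),
        fields.get("MemberName", "-"),
        fields.get("TargetUserName", "?"),
    )


def parse_linux(line: str) -> Optional[GroupChange]:
    m = LINUX_RE.search(line)
    if not m:
        return None
    # usermod does not log who invoked it; correlate with the preceding sudo line.
    return GroupChange("linux", m["host"], "unknown", m["member"], m["group"])


def analyze(lines: List[str]) -> List[GroupChange]:
    """Return every group addition found in the lines, suspicious or not."""
    changes = []
    for line in lines:
        change = parse_windows(line) if line.startswith("EventID=") else parse_linux(line)
        if change is not None:
            changes.append(change)
    return changes


def alerts(lines: List[str]) -> List[GroupChange]:
    """Only the additions that match the groups and account types the page calls out."""
    return [c for c in analyze(lines) if c.suspicious]


# Constructed sample input: hosts, accounts and timestamps are made up.
SAMPLE_LOGS = [
    'EventID=4732 Computer=WS01 SubjectUserName=alice MemberName=bob TargetUserName="Remote Desktop Users"',
    'EventID=4732 Computer=WS01 SubjectUserName=alice MemberName=carol TargetUserName="Performance Monitor Users"',
    'EventID=4720 Computer=WS01 SubjectUserName=alice TargetUserName=supportaccount',
    'EventID=4728 Computer=DC01 SubjectUserName=svc_deploy MemberName="CORP\\WS07$" TargetUserName="Domain Admins"',
    "Mar  4 10:12:01 web01 usermod[2210]: add 'bob' to group 'sudo'",
    "Mar  4 10:12:01 web01 usermod[2210]: add 'bob' to shadow group 'sudo'",
    "Mar  4 10:15:40 web01 usermod[2290]: add 'dave' to group 'docker'",
]

if __name__ == "__main__":
    for c in alerts(SAMPLE_LOGS):
        tag = " [machine account]" if c.is_machine_account else ""
        print(f"{c.source}/{c.host}: {c.actor} added {c.member} to '{c.group}'{tag}")
```

On the sample input this yields three alerts (bob into Remote Desktop Users, the WS07$ machine account into Domain Admins, bob into sudo) and ignores the account-creation event, the non-sensitive local group, the duplicate gshadow line and the docker group. The group list is the tuning point: extend it with whatever VPN or remote-access groups your environment uses, since the page notes those are targeted for the same reason.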
| Item | Value |
|---|---|
| ID | T1098.007 |
| Sibling sub-techniques of T1098 (Account Manipulation) | T1098.001, T1098.002, T1098.003, T1098.004, T1098.005, T1098.006, T1098.007 |
| Tactics | TA0003 (Persistence), TA0004 (Privilege Escalation) |
| Platforms | Linux, Windows, macOS |
| Version | 1.1 |
| Created | 05 August 2024 |
| Last Modified | 26 September 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G0022 | APT3 | APT3 has been known to add created accounts to local admin groups to maintain elevated access.11 |
| G0096 | APT41 | APT41 has added user accounts to the User and Admin groups.10 |
| G1023 | APT5 | APT5 has created their own accounts with Local Administrator privileges to maintain access to systems with short-cycle credential rotation.13 |
| S1111 | DarkGate | DarkGate elevates accounts created through the malware to the local administration group during execution.8 |
| G0035 | Dragonfly | Dragonfly has added newly created accounts to the administrators group to maintain elevated access.14 |
| G1016 | FIN13 | FIN13 has assigned newly created accounts the sysadmin role to maintain persistence.15 |
| G0094 | Kimsuky | Kimsuky has added accounts to specific groups with net localgroup.16 |
| G0059 | Magic Hound | Magic Hound has added a user named DefaultAccount to the Administrators and Remote Desktop Users groups.12 |
| S0039 | Net | The net localgroup and net group commands in Net can be used to add existing users to local and domain groups.4 3 |
| S0382 | ServHelper | ServHelper has added a user named “supportaccount” to the Remote Desktop Users and Administrators groups.9 |
| S0649 | SMOKEDHAM | SMOKEDHAM has added user accounts to local Admin groups.7 |
References
- Kaaviya. (n.d.). SuperBlack Actors Exploiting Two Fortinet Vulnerabilities to Deploy Ransomware. Retrieved September 22, 2025.
- Microsoft. (2016, August 31). Net group. Retrieved August 5, 2024.
- Microsoft. (2016, August 31). Net localgroup. Retrieved August 5, 2024.
- Microsoft. (2017, April 9). Allow log on through Remote Desktop Services. Retrieved August 5, 2024.
- Scarred Monk. (2022, May 6). Real-time detection scenarios in Active Directory environments. Retrieved August 5, 2024.
- FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate's Supply Chain Software Compromise. Retrieved September 22, 2021.
- Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
- Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
- Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
- valsmith. (2012, September 21). More on APTSim. Retrieved September 28, 2017.
- DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
- Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024.
- US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
- Sygnia Incident Response Team. (2022, January 5). TG2003: Elephant Beetle: Uncovering an Organized Financial-Theft Operation. Retrieved February 9, 2023.
- KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis: Operation Muzabi. Retrieved March 8, 2024.