T1098.007
Additional Local or Domain Groups
An adversary may add additional local or domain groups to an adversary-controlled account to maintain persistent access to a system or domain. On Windows, accounts may use the `net localgroup` and `net group` commands to add existing users to local and domain groups.(Citation: Microsoft Net Localgroup)(Citation: Microsoft Net Group) On Linux, adversaries may use the `usermod` command for the same purpose.(Citation: Linux Usermod) For example, accounts may be added to the local administrators g...
Windows, macOS, Linux
Detections: 9
Sources: 1
Threat Actors: 7
BY SOURCE
elastic: 9
PROCEDURES (5)
Privilege: 3 detections
Auto-extracted: 3 detections for privilege
Persist: 2 detections
Auto-extracted: 2 detections for persist
Unusual: 2 detections
Auto-extracted: 2 detections for unusual
Privilege: 1 detections
Auto-extracted: 1 detections for privilege
Persist: 1 detections
Auto-extracted: 1 detections for persist
DETECTIONS (9)
Linux Group Creation
elastic, low
Linux User Added to Privileged Group
elastic, low
Potential Admin Group Account Addition
elastic, medium
Spike in Group Lifecycle Change Events
elastic, low
Spike in Group Management Events
elastic, low
Unusual Group Name Accessed by a User
elastic, low
User Added to Privileged Group in Active Directory
elastic, medium
User Added to the Admin Group
elastic, low
User or Group Creation/Modification
elastic, low