EventPeeker
Event ID 4756 · Audit Success · Security · T1098

Windows Event ID 4756: Member Added to Universal Security Group

Logged when an account is added to a universal security group in Active Directory.

MITRE ATT&CK

Technique

T1098 · Account Manipulation

Tactic

Persistence

Why It Matters

Universal groups can span domains in a forest, making additions to privileged universal groups (e.g., Enterprise Admins) forest-wide in impact.

Key Fields

Group Name: The target group
Member Account Name: Who was added
Subject Account Name: Who performed the addition

Investigation Tips

  1. Treat like 4728 for Enterprise Admins or other privileged universal groups.
  2. Verify against change control records.
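
The two tips above as a triage sketch (an added example, not EventPeeker's code). It reads the three key fields from event XML, where they appear as `TargetUserName`, `MemberName` and `SubjectUserName`. The privileged-group watch list, the approved-change set and all sample records are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumptions for this example: which universal groups count as privileged,
# and which (group, member DN) additions change control has approved.
PRIVILEGED_UNIVERSAL = {"enterprise admins"}
APPROVED_CHANGES = {("enterprise admins", "cn=alice admin,ou=t0,dc=corp,dc=example")}

def make_event(event_id, group, member_dn, subject):
    """Build a constructed event record using the Security log's XML layout."""
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
        f'<EventData><Data Name="MemberName">{member_dn}</Data>'
        f'<Data Name="TargetUserName">{group}</Data>'
        f'<Data Name="SubjectUserName">{subject}</Data></EventData></Event>'
    )

# Constructed sample records, not taken from a real log.
SAMPLE_EVENTS = [
    make_event(4756, "Enterprise Admins", "CN=Alice Admin,OU=T0,DC=corp,DC=example", "bob.ops"),
    make_event(4756, "Enterprise Admins", "CN=tmp-svc,OU=Users,DC=corp,DC=example", "helpdesk7"),
    make_event(4756, "All Staff Mail", "CN=New Hire,OU=Users,DC=corp,DC=example", "hr-sync"),
    make_event(4728, "Domain Admins", "CN=Carol,OU=T0,DC=corp,DC=example", "bob.ops"),
]

def triage(xml_text):
    """Return a verdict dict for a 4756 record, or None for other event IDs."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4756":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    group = data.get("TargetUserName", "")     # Group Name
    member = data.get("MemberName", "")        # Member Account Name (a DN)
    subject = data.get("SubjectUserName", "")  # Subject Account Name
    if group.lower() not in PRIVILEGED_UNIVERSAL:
        verdict = "low"        # not on the privileged watch list
    elif (group.lower(), member.lower()) in APPROVED_CHANGES:
        verdict = "approved"   # matches a change control record
    else:
        verdict = "alert"      # privileged group, no matching approval
    return {"group": group, "member": member, "subject": subject, "verdict": verdict}

def triage_all(events=SAMPLE_EVENTS):
    return [r for r in map(triage, events) if r is not None]

if __name__ == "__main__":
    for r in triage_all():
        print(r["verdict"], r["group"], r["member"], "added by", r["subject"])
```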

Related Event IDs

4728: Added to global group
4732: Added to local group
