{
  "id": "4732",
  "source": "windows_security",
  "category": "GroupMgmt",
  "name": "A member was added to a security-enabled local group",
  "priority": "P1",
  "applicable_version": "Windows Server 2008 R2 and later; Windows 7 and later",
  "last_reviewed": "2026-07-10",
  "definition": "Windows Security Event ID 4732 records a member being added to a security-enabled local group, including the local Administrators group.",
  "trigger_scenarios": "Windows generates the event when local group membership changes on the audited system.",
  "key_fields": [
    {
      "field": "Member",
      "explanation": "The account or SID added to the group. Resolve SIDs when a name is unavailable."
    },
    {
      "field": "Group",
      "explanation": "The local group receiving the member. Administrators and Remote Desktop Users are especially important."
    },
    {
      "field": "Subject",
      "explanation": "The identity that made the change. Validate its administrative role and session context."
    }
  ],
  "false_positives": [
    "Endpoint management and approved provisioning workflows can add local administrators.",
    "Break-glass and support processes may temporarily add accounts during incidents."
  ],
  "related_event_ids": [
    "4728",
    "4735",
    "4624"
  ],
  "attck_mapping": [
    {
      "technique_id": "T1098",
      "technique_name": "Account Manipulation"
    },
    {
      "technique_id": "T1078",
      "technique_name": "Valid Accounts"
    }
  ],
  "detection_notes": "T1098 privilege escalation is indicated when Group is Administrators or Remote Desktop Users and Member is a new, dormant, or foreign-domain account. Addition to Administrators followed by 4672 and Type 10 4624 is a concrete local-admin persistence chain.",
  "kql_snippet": "SecurityEvent\n| where EventID == 4732\n| where TargetAccount has_any (\"Administrators\", \"Remote Desktop Users\")\n| project TimeGenerated, Computer, Account, MemberName, TargetAccount",
  "spl_snippet": "index=wineventlog EventCode=4732\n| search TargetUserName IN (\"Administrators\", \"Remote Desktop Users\")\n| table _time, host, SubjectUserName, MemberName, TargetUserName",
  "sample_log": "Member: CORP\\jsmith\nGroup: Administrators\nSubject: CORP\\admin.ops\nComputer: WS-014",
  "source_url": "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732",
  "route": "/windows-events/4732/",
  "canonical_url": "https://soceventlookup.com/windows-events/4732/",
  "json_url": "/api/events/windows-security/4732.json"
}
