Description
An adversary may add additional local or domain groups to an adversary-controlled account to maintain persistent access to a system or domain.
On Windows, accounts may use the net localgroup and net group commands to add existing users to local and domain groups.(Citation: Microsoft Net Localgroup)(Citation: Microsoft Net Group) On Linux, adversaries may use the usermod command for the same purpose.(Citation: Linux Usermod)
For example, accounts may be added to the local administrators group on Windows devices to maintain elevated privileges. They may also be added to the Remote Desktop Users group, which allows them to leverage Remote Desktop Protocol to log into the endpoints in the future.(Citation: Microsoft RDP Logons) Adversaries may also add accounts to VPN user groups to gain future persistence on the network.(Citation: Cyber Security News) On Linux, accounts may be added to the sudoers group, allowing them to persistently leverage Sudo and Sudo Caching for elevated privileges.
In Windows environments, machine accounts may also be added to domain groups. This allows the local SYSTEM account to gain privileges on the domain.(Citation: RootDSE AD Detection 2022)
Platforms
Threat Groups (7)
| ID | Group | Context |
|---|---|---|
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) has added user accounts to the User and Admin groups.(Citation: FireEye APT41 Aug 2019) |
| G0022 | APT3 | [APT3](https://attack.mitre.org/groups/G0022) has been known to add created accounts to local admin groups to maintain elevated access.(Citation: apts... |
| G0059 | Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) has added a user named DefaultAccount to the Administrators and Remote Desktop Users groups.(Cita... |
| G1023 | APT5 | [APT5](https://attack.mitre.org/groups/G1023) has created their own accounts with Local Administrator privileges to maintain access to systems with sh... |
| G0035 | Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has added newly created accounts to the administrators group to maintain elevated access.(Citation:... |
| G1016 | FIN13 | [FIN13](https://attack.mitre.org/groups/G1016) has assigned newly created accounts the sysadmin role to maintain persistence.(Citation: Sygnia Elephan... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has added accounts to specific groups with <code>net localgroup</code>.(Citation: KISA Operation Muza... |
Associated Software (4)
| ID | Name | Type | Context |
|---|---|---|---|
| S0649 | SMOKEDHAM | Malware | [SMOKEDHAM](https://attack.mitre.org/software/S0649) has added user accounts to local Admin groups.(Citation: FireEye SMOKEDHAM June 2021) |
| S0039 | Net | Tool | The `net localgroup` and `net group` commands in [Net](https://attack.mitre.org/software/S0039) can be used to add existing users to local and domain ... |
| S1111 | DarkGate | Malware | [DarkGate](https://attack.mitre.org/software/S1111) elevates accounts created through the malware to the local administration group during execution.(... |
| S0382 | ServHelper | Malware | [ServHelper](https://attack.mitre.org/software/S0382) has added a user named "supportaccount" to the Remote Desktop Users and Administrators groups.(C... |
References
- Kaaviya. (n.d.). SuperBlack Actors Exploiting Two Fortinet Vulnerabilities to Deploy Ransomware. Retrieved September 22, 2025.
- Man7. (n.d.). Usermod. Retrieved August 5, 2024.
- Microsoft. (2016, August 31). Net group. Retrieved August 5, 2024.
- Microsoft. (2016, August 31). Net Localgroup. Retrieved August 5, 2024.
- Microsoft. (2017, April 9). Allow log on through Remote Desktop Services. Retrieved August 5, 2024.
- Scarred Monk. (2022, May 6). Real-time detection scenarios in Active Directory environments. Retrieved August 5, 2024.
Frequently Asked Questions
What is T1098.007 (Additional Local or Domain Groups)?
T1098.007 is a MITRE ATT&CK technique named 'Additional Local or Domain Groups'. It belongs to the Persistence, Privilege Escalation tactic(s). An adversary may add additional local or domain groups to an adversary-controlled account to maintain persistent access to a system or domain. On Windows, accounts may use the `net localgroup` and `n...
How can T1098.007 be detected?
Detection of T1098.007 (Additional Local or Domain Groups) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1098.007?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1098.007?
Known threat groups using T1098.007 include: APT41, APT3, Magic Hound, APT5, Dragonfly, FIN13, Kimsuky.