Task 3.1: Suspicious additions to sensitive groups
Attackers can add users to highly privileged groups to gain access to more resources and to establish persistence. This alert requires a learning period, during which the detection builds a baseline of normal behavior (for example: this user does not usually add members to sensitive groups).
On the DC01 RDP session, open a PowerShell window, and run the following command:
Add-ADGroupMember -Identity "Domain Admins" -Members RonHD
For more information, review Suspicious additions to sensitive groups (external ID 2024).
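As an added illustration of the learning-period logic described above (example code, not part of the lab and not the product's own implementation), the following Python builds a per-actor baseline from constructed sample "member added to group" events and flags additions to sensitive groups by actors who never performed such an addition during the learning window; the event fields, actor names and the 30-day window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Sensitive groups to watch (assumed list for this example).
SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Constructed sample events, loosely modeled on a Windows security audit entry
# for "a member was added to a security-enabled group": who did it, which group, who was added.
EVENTS = [
    {"time": "2024-03-01T09:12:00", "actor": "admin-ops", "group": "Domain Admins", "member": "svc-backup"},
    {"time": "2024-03-08T10:40:00", "actor": "admin-ops", "group": "Enterprise Admins", "member": "jdoe"},
    {"time": "2024-03-15T11:05:00", "actor": "helpdesk1", "group": "Sales", "member": "asmith"},
    {"time": "2024-04-02T14:22:00", "actor": "admin-ops", "group": "Domain Admins", "member": "tlee"},
    {"time": "2024-04-02T14:25:00", "actor": "jdoe", "group": "Domain Admins", "member": "RonHD"},
]


def parse(event):
    """Return a copy of the event with its timestamp parsed."""
    return {**event, "time": datetime.fromisoformat(event["time"])}


def baseline(events, learning_end):
    """Map each actor to the sensitive groups they added members to during the learning window."""
    seen = defaultdict(set)
    for e in events:
        if e["time"] < learning_end and e["group"] in SENSITIVE_GROUPS:
            seen[e["actor"]].add(e["group"])
    return seen


def detect(events, learning_days=30):
    """Flag sensitive-group additions after the learning window by actors with no baseline for that group."""
    events = sorted((parse(e) for e in events), key=lambda e: e["time"])
    learning_end = events[0]["time"] + timedelta(days=learning_days)
    known = baseline(events, learning_end)
    alerts = []
    for e in events:
        if e["time"] < learning_end or e["group"] not in SENSITIVE_GROUPS:
            continue  # still learning, or not a sensitive group
        if e["group"] not in known.get(e["actor"], set()):
            alerts.append(f"{e['actor']} added {e['member']} to {e['group']} (no baseline for this actor/group)")
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print("ALERT:", alert)
```

Only the final addition is flagged: admin-ops added members to Domain Admins during the learning window, while jdoe never did.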