INCIDENT RESPONSE — EASY ⭐⭐
IR-05
ACCOUNT PRIVILEGE ESCALATION — IAM / WINDOWS SECURITY LOG

OBJECTIVES

  • Read the incident ticket
  • Find the privilege change event (4728/4732)
  • Identify who granted the privilege
  • Identify which account was elevated
  • Check whether the change was authorised
  • Look up both accounts in Active Directory
  • Submit the IR report
PHASE 1 — TRIAGE
MISSION BRIEF
IR-08 — EASY ⭐⭐ — SEC+ / CySA+

PRIVILEGE ESCALATION ALERT

TICKET: SOC-IR-0049 | Domain: APEXCORP | Priority: CRITICAL

SCENARIO

The SIEM fired a critical alert — a user account was added to the Domain Admins group without an approved change request. Domain Admins have unrestricted access to every system in the ApexCorp domain. Your job is to investigate who made the change, which account was elevated, and whether it was authorised.

WHAT TO DO

  • Read the Incident Ticket
  • Open Event Viewer — find Event 4728 (member added to security group)
  • Note who performed the change and which account was elevated
  • Look up both accounts in Active Directory
  • Check the Change Log — was there an approved ticket for this?
  • Submit your findings in the IR Report

KEY CONCEPTS

Event ID 4728 — a member was added to a security-enabled global group (e.g. Domain Admins). This is one of the highest-value events to monitor in any Windows environment.

Event ID 4732 — the same event for a security-enabled local group. Both should alert immediately when the target group is Domain Admins or any other privileged group.

Separation of duties — only designated IAM staff should be able to add accounts to privileged groups. Any such change should have an approved change request.

KEY EVENT IDS — PRIVILEGE MONITORING

Event ID   Meaning
4728       Member added to global security group
4729       Member removed from global security group
4732       Member added to local security group
4756       Member added to universal security group
4672       Special privileges assigned to logon
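The triage steps above (find the 4728/4732 event, note actor and elevated account, check the change log, apply separation of duties) as an added example that is not part of the lab's own code. The event records, the approved change requests and the IAM staff list are constructed sample data; field names follow the Security log's Member-added-to-group layout (SubjectUserName is the actor, MemberName the account added, TargetUserName the group), with plain usernames in place of the full distinguished names a real event carries.

```python
from datetime import datetime, timezone

# Groups whose membership changes must alert immediately (per the brief).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
# Assumption: only these accounts are designated IAM staff (separation of duties).
IAM_STAFF = {"iam.admin01"}

# Constructed sample 4728/4732 records (usernames are placeholders, not real accounts).
SAMPLE_EVENTS = [
    {"EventID": 4728, "TimeCreated": "2026-05-11T09:11:00Z", "SubjectUserName": "helpdesk.tmp",
     "MemberName": "contractor.x", "TargetUserName": "Domain Admins"},
    {"EventID": 4728, "TimeCreated": "2026-05-07T14:02:00Z", "SubjectUserName": "iam.admin01",
     "MemberName": "ops.lead", "TargetUserName": "Domain Admins"},
    {"EventID": 4732, "TimeCreated": "2026-05-08T10:30:00Z", "SubjectUserName": "iam.admin01",
     "MemberName": "svc.patch", "TargetUserName": "Remote Desktop Users"},
]

# Constructed approved ITSM change requests: account, group and the approved window.
APPROVED_CHANGES = [
    {"ticket": "CHG-2026-0412", "member": "ops.lead", "group": "Domain Admins",
     "start": "2026-05-07T13:00:00Z", "end": "2026-05-07T17:00:00Z"},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def approving_ticket(event):
    """Return the change ticket that covers this member/group/time, or None."""
    when = _ts(event["TimeCreated"])
    for chg in APPROVED_CHANGES:
        if (chg["member"] == event["MemberName"] and chg["group"] == event["TargetUserName"]
                and _ts(chg["start"]) <= when <= _ts(chg["end"])):
            return chg["ticket"]
    return None

def triage(events):
    """One finding per privileged-group change: actor, elevated account, authorisation."""
    findings = []
    for ev in events:
        if ev["EventID"] not in (4728, 4732) or ev["TargetUserName"] not in PRIVILEGED_GROUPS:
            continue  # not a privileged-group membership change
        ticket = approving_ticket(ev)
        reasons = []
        if ticket is None:
            reasons.append("no approved change request")
        if ev["SubjectUserName"] not in IAM_STAFF:
            reasons.append("actor is not designated IAM staff")
        findings.append({"time": ev["TimeCreated"], "actor": ev["SubjectUserName"],
                         "elevated": ev["MemberName"], "group": ev["TargetUserName"],
                         "ticket": ticket, "authorised": not reasons, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The first sample event reproduces the ticket's condition (Domain Admins change with no approved request, performed by a non-IAM account) and is flagged on both counts; the second is covered by a ticket inside its window and passes.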
INCIDENT TICKET — SOC-IR-0049
SOC-IR-0049 — Unauthorised Domain Admin Group Modification
Severity: CRITICAL
Created: 2026-05-11 09:14 UTC
Source: SIEM — Windows Security Event 4728
Domain Controller: DC01.apexcorp.local
Alert rule: Privileged group membership change — Domain Admins
Status: OPEN — Immediate triage required
ALERT DESCRIPTION

At 09:11 UTC Windows Security Event 4728 was logged on DC01.apexcorp.local. A user account was added to the Domain Admins group — the most privileged group in the ApexCorp domain. No approved change request exists in the ITSM system for this modification.

Domain Admin access grants unrestricted control over all domain-joined systems, Active Directory objects, Group Policy, and credentials. An unauthorised Domain Admin account represents a critical security risk.

ANALYST TASKS
1. Identify which account was added to Domain Admins
2. Identify who performed the change (the actor)
3. Check the change log — was this approved?
4. Look up both accounts in Active Directory
5. Recommend immediate remediation
WINDOWS EVENT VIEWER — DC01.apexcorp.local — Security Log
ITSM CHANGE LOG — Active Directory Changes (Last 7 Days)
APPROVED AD CHANGE REQUESTS — Week of 2026-05-05