AN0865: Analytic 0865
Detects unauthorized additions of users or machine accounts to privileged local or domain groups (e.g., Administrators, Remote Desktop Users).
Analyst context for executives and security teams
AN0865 is a Windows detection analytic focused on unauthorized additions of user or machine accounts to privileged local or domain groups such as Administrators or Remote Desktop Users. For leaders, the practical issue is control over privileged access: if group membership changes are not governed, monitored, and reviewable, attackers or insiders may gain durable administrative or remote access without needing a new vulnerability.
Executive priority
Prioritize this analytic as an identity and access governance control for Windows environments. It supports incident triage, audit evidence, and operational resilience by helping teams verify who can administer systems or remotely access them. Executives should ask whether privileged group changes are approved, logged, reviewed, and escalated quickly when unauthorized.
Technical view
SOC and IR teams should validate monitoring for additions of users or machine accounts to privileged Windows local and domain groups. Because ATT&CK provides no detection logic for this analytic, teams need to define local baselines for expected administrative group management, identify sensitive groups in scope, and confirm alert routing for unapproved membership additions. Tactics are not specified, so use this as an access-control change analytic rather than mapping it to a single ATT&CK tactic without local context.
Likely telemetry
- Windows group membership change audit records
- Directory service or domain controller audit data for domain group changes
- Endpoint audit data for local group membership changes
- Privileged access management or identity governance change records, where available
- Change-management or ticketing records used to validate authorization
Detection direction
- Inventory privileged local and domain groups that matter to the business, including Administrators and Remote Desktop Users as named examples.
- Alert on additions of users or machine accounts to those groups, then compare against approved change records or privileged access workflows.
- Tune for expected administrative activity while preserving visibility into rare, after-hours, or non-standard membership changes.
- Separate user-account and machine-account additions in triage, since each may imply different access paths and ownership questions.
- Watch for blind spots where local group changes on endpoints are not centrally collected or where domain group changes are logged but not correlated with approval evidence.
Mitigation priorities
- Enforce approval and review workflows for privileged group membership changes.
- Limit who can modify privileged local and domain groups and periodically validate that delegation remains appropriate.
- Maintain an authoritative list of privileged groups and owners for Windows systems and domains.
- Retain audit evidence for membership changes to support investigations and compliance reviews.
- Test incident response procedures for quickly validating and reversing unauthorized privileged group additions.
Analyst notes and limits
This take is based on ATT&CK analytic AN0865 in the enterprise domain. The object is a detection analytic for Windows and describes detection of unauthorized additions to privileged local or domain groups. No relationships, aliases, labels, tactics, or official detection logic were supplied, so implementation details must be derived from the organization’s Windows logging, identity governance, and change-control environment.
ATT&CK did not provide detection logic, tactic mapping, or relationship context for this object. This summary does not assert active exploitation, attribution, impact, or guaranteed detection coverage. Local validation is required to determine which groups are privileged, what changes are authorized, and whether telemetry is collected consistently.
Analytic 0865
Detects unauthorized additions of users or machine accounts to privileged local or domain groups (e.g., Administrators, Remote Desktop Users).
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | c7dd9922234e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0865Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.