Identifies when a user account was created and then added to the built-in Administrators group on the same day.
MITRE ATT&CK Tactics
Windows Security Event Log
1. Review the user account(s) that have been added to the privileged domain groups and identify the account owners.
2. Confirm if the request is valid.
If not, disable the accounts immediately and start an investigation to review account activity in your environment.
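
One way to express the correlation this rule describes, as an added example that is not the rule's own query: it pairs Security event 4720 (user account created) with event 4732 (member added to a security-enabled local group) by joining the new account's `TargetSid` to the group change's `MemberSid`. The 24-hour reading of "same day", the function name and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

BUILTIN_ADMINS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators
WINDOW = timedelta(days=1)           # assumption: "same day" = within 24 hours

def ev(time, event_id, computer, target_sid, target_name, subject, member_sid=None):
    """Build a minimal event record using Security log field names."""
    return {"TimeCreated": datetime.fromisoformat(time), "EventID": event_id,
            "Computer": computer, "TargetSid": target_sid,
            "TargetUserName": target_name, "SubjectUserName": subject,
            "MemberSid": member_sid}

DOM = "S-1-5-21-1111-2222-3333"  # constructed SID prefix
# Constructed sample events, not taken from a real log.
EVENTS = [
    ev("2024-05-01T09:00:00", 4720, "WS01", DOM + "-1105", "svc_tmp", "jdoe"),
    ev("2024-05-01T09:05:00", 4732, "WS01", BUILTIN_ADMINS_SID, "Administrators",
       "jdoe", DOM + "-1105"),
    # Same account added to a non-admin local group: ignored.
    ev("2024-05-01T09:06:00", 4732, "WS01", "S-1-5-32-555", "Remote Desktop Users",
       "jdoe", DOM + "-1105"),
    # Created, then promoted two days later: outside the window.
    ev("2024-05-01T10:00:00", 4720, "WS02", DOM + "-1106", "helpdesk2", "asmith"),
    ev("2024-05-03T10:00:00", 4732, "WS02", BUILTIN_ADMINS_SID, "Administrators",
       "asmith", DOM + "-1106"),
    # Pre-existing account promoted with no creation event in scope: ignored.
    ev("2024-05-01T11:00:00", 4732, "WS03", BUILTIN_ADMINS_SID, "Administrators",
       "asmith", DOM + "-1200"),
]

def created_then_admin(events, window=WINDOW):
    """Return accounts created and then added to built-in Administrators
    on the same host within `window`."""
    created = {}   # (Computer, account SID) -> 4720 event
    findings = []
    for e in sorted(events, key=lambda x: x["TimeCreated"]):
        if e["EventID"] == 4720:
            created[(e["Computer"], e["TargetSid"])] = e
        elif e["EventID"] == 4732 and e["TargetSid"] == BUILTIN_ADMINS_SID:
            c = created.get((e["Computer"], e["MemberSid"]))
            if c and e["TimeCreated"] - c["TimeCreated"] <= window:
                findings.append({
                    "computer": e["Computer"], "account": c["TargetUserName"],
                    "created_by": c["SubjectUserName"], "added_by": e["SubjectUserName"],
                    "delay": e["TimeCreated"] - c["TimeCreated"]})
    return findings

if __name__ == "__main__":
    for f in created_then_admin(EVENTS):
        print(f)
```

The `created_by` and `added_by` fields give the reviewer in step 1 the accounts that performed each action, which is the starting point for confirming whether the request was valid.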