
When Microsoft Defender for Identity flags a 'Suspicious modification of a sensitive security group', what kind of high-impact attack preparation is often being done by an attacker?



When Microsoft Defender for Identity (MDI), a cloud-based security solution that uses Active Directory signals to detect threats, flags a 'Suspicious modification of a sensitive security group', it indicates that an attacker is performing a crucial step in preparing for a high-impact attack. A sensitive security group in Active Directory is a collection of user accounts, computer accounts, or other groups that possess highly privileged access over critical Active Directory objects, systems, or data. Examples include 'Domain Admins', which grants full administrative control over all domain controllers and member servers in a domain, or 'Enterprise Admins', which provides full administrative control over all domains in an Active Directory forest. Modifying such a group, typically by adding a compromised user account or a newly created malicious account to its membership, serves multiple high-impact attack preparation goals. Primarily, this action is a direct attempt at privileg....
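The detection idea behind that alert, as an added example that is not part of the original answer: scan Windows Security audit events for membership additions to the sensitive groups named above and raise the severity when the added account was created shortly beforehand (the "newly created malicious account" case). The `key=value;` line format, the field names and the sample lines are constructed for the example; the event IDs 4720 (account created) and 4728/4732/4756 (member added to a security-enabled global/local/universal group) are real Windows event IDs.

```python
"""Flag additions to sensitive AD groups; escalate when the added account is brand new."""
from datetime import datetime, timedelta

# Groups the answer names as sensitive; extend to match your environment (assumption).
SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins"}

# Windows Security event IDs: 4720 = user account created,
# 4728/4732/4756 = member added to a security-enabled global/local/universal group.
ACCOUNT_CREATED = 4720
MEMBER_ADDED = {4728, 4732, 4756}


def parse_event(line):
    """Parse one constructed 'key=value;...' audit line into a dict (format is an assumption)."""
    fields = dict(part.split("=", 1) for part in line.strip().split(";"))
    fields["EventID"] = int(fields["EventID"])
    fields["Time"] = datetime.fromisoformat(fields["Time"])
    return fields


def detect_sensitive_group_changes(lines, new_account_window=timedelta(hours=24)):
    """Return (severity, member, group, actor) for every addition to a sensitive group.

    Severity is 'high' when the member account was created within new_account_window
    before it was added, 'medium' otherwise. Every finding deserves review either way.
    """
    events = [parse_event(line) for line in lines]
    created_at = {e["Target"]: e["Time"] for e in events if e["EventID"] == ACCOUNT_CREATED}
    findings = []
    for e in events:
        if e["EventID"] not in MEMBER_ADDED or e["Group"] not in SENSITIVE_GROUPS:
            continue
        created = created_at.get(e["Member"])
        recent = created is not None and timedelta(0) <= e["Time"] - created <= new_account_window
        findings.append(("high" if recent else "medium", e["Member"], e["Group"], e["Actor"]))
    return findings


# Constructed sample audit lines (not real telemetry).
SAMPLE = [
    "Time=2024-05-01T09:00:00;EventID=4720;Actor=svc_helpdesk;Target=backup_svc2",
    "Time=2024-05-01T09:05:00;EventID=4728;Actor=svc_helpdesk;Member=backup_svc2;Group=Domain Admins",
    "Time=2024-05-01T10:00:00;EventID=4756;Actor=jsmith;Member=alice;Group=Enterprise Admins",
    "Time=2024-05-01T10:30:00;EventID=4728;Actor=jsmith;Member=bob;Group=Sales",
]

if __name__ == "__main__":
    for finding in detect_sensitive_group_changes(SAMPLE):
        print(finding)
```

On the sample, the new account added to Domain Admins five minutes after creation is reported as high severity, the addition to Enterprise Admins as medium, and the Sales change is ignored.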



