Event ID 4798 — A user's local group membership was enumerated.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → User Account Management
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

A user's local group membership was enumerated.

Message #

A user's local group membership was enumerated.

Subject:
	Security ID: %4
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

User:
	Security ID: %3
	Account Name: %1
	Account Domain: %2

Process Information:
	Process ID: %8
	Process Name: %9

Fields #

Name	Description
`TargetUserName` UnicodeString	[User] Account Name.
`TargetDomainName` UnicodeString	[User] Account Domain.
`TargetSid` SID	[User] Security ID.
`SubjectUserSid` SID	[Subject] Security ID.
`SubjectUserName` UnicodeString	[Subject] Account Name.
`SubjectDomainName` UnicodeString	[Subject] Account Domain.
`SubjectLogonId` HexInt64	[Subject] Logon ID.
`CallerProcessId` Pointer	[Process Information] Process ID.
`CallerProcessName` UnicodeString	[Process Information] Process Name.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4798,
    "version": 0,
    "level": 0,
    "task": 13824,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2023-11-06T06:25:35.014146+00:00",
    "event_record_id": 2785,
    "correlation": {
      "ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
    },
    "execution": {
      "process_id": 808,
      "thread_id": 896
    },
    "channel": "Security",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "User",
    "TargetDomainName": "WINDEV2310EVAL",
    "TargetSid": "S-1-5-21-1992711665-1655669231-58201500-1000",
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "WINDEV2310EVAL$",
    "SubjectDomainName": "WORKGROUP",
    "SubjectLogonId": "0x3e7",
    "CallerProcessId": "0x57c",
    "CallerProcessName": "C:\\Windows\\System32\\rundll32.exe"
  },
  "message": ""
}

Detection Rules #

View all rules referencing this event →

Splunk # view in reference

Enumerate Users Local Group Using Telegram source: The following analytic detects a Telegram process enumerating all network users in a local group. It leverages EventCode 4798, which is generated when a process enumerates a user's security-enabled local groups on a computer or device. This activity is significant as it may indicate an attempt to gather information on user accounts, a common precursor to further malicious actions. If confirmed malicious, this behavior could allow an attacker to map out user accounts, potentially leading to privilege escalation or lateral movement within the network.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4798
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4798
Example event sourced from https://github.com/NextronSystems/evtx-baseline