Enumerate Users Local Group Using Telegram

Author: Teoderick Contreras, Splunk
Source: upstream

The following analytic detects a Telegram process enumerating all network users in a local group. It leverages EventCode 4798, which is generated when a process enumerates a user's security-enabled local groups on a computer or device. This activity is significant as it may indicate an attempt to gather information on user accounts, a common precursor to further malicious actions. If confirmed malicious, this behavior could allow an attacker to map out user accounts, potentially leading to privilege escalation or lateral movement within the network.

MITRE ATT&CK coverage

Tactic	Techniques
Discovery	`T1087` Account Discovery

Event coverage

Provider	Event ID	Title
Security-Auditing	4798	A user's local group membership was enumerated.

Stages and Predicates

Stage 1: `search`

search CallerProcessName="*\\telegram.exe" EventCode=4798

Stage 2: `stats`

stats BY user, Computer, EventCode, CallerProcessName, ProcessID, SubjectUserSid, SubjectDomainName, SubjectLogonId

Stage 3: `rename`

rename

Stage 4: `search`

search

Stage 5: `search`

search

Stage 6: `search`

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CallerProcessName`	eq	`"*\\telegram.exe"`
`EventCode`	eq	`4798`

Enumerate Users Local Group Using Telegram

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: search

Stage 2: stats

Stage 3: rename

Stage 4: search

Stage 5: search