Windows Security Log Event ID 4799
4799: A security-enabled local group membership was enumerated
On this page
Windows logs this event when a process enumerates the members of the specified local group on that computer.
In the example below RandyFranklinSmith (an Azure AD account) used Computer Management (mmc.exe) to open the local group Users to view its members. That triggered the event. But the same event is logged by other methods such as "net local group".
This event is valuable for catching so-called APT actors who are scoping out the local accounts on a system they have compromised so that they extend their horizontal kill chain. Of course false positives are possible. Pay attention to the Subject, quantity of events and type of system where logged.
This event has not yet been tested on a domain controller or on a domain joined PC. But MS says "This event doesn't generate when group members were enumerated using Active Directory Users and Computers snap-in."
Free Security Log Resources by Randy
Subject:
This is who performed the enumeration.
- Security ID
- Account Name
- Account Domain
- Logon ID as logged in 4624
Group:
This is the group whose membership was enumerated.
- Security ID
- Group Name
- Group Domain
Process Information:
- Process ID is the process ID specified when the executable started as logged in 4688.
- Process Name: identifies the program executable that performed the enumeration.
Supercharger Enterprise
Load Balancing for Windows Event Collection
A security-enabled local group membership was enumerated.
Subject:
Security ID: AzureAD\RandyFranklinSmith
Account Name: RandyFranklinSmith
Account Domain: AzureAD
Logon ID: 0x7A1EA
User:
Security ID: DESKTOP-TMO9MI9\Users
Group Name: Users
Group Domain: DESKTOP-TMO9MI9
Process Information:
Process ID: 0x106c
Process Name: C:\Windows\System32\mmc.exe
Top 10 Windows Security Events to Monitor
Free Tool for Windows Event Collection