Windows Security Log Event ID 4798

Operating Systems	Windows 2016 and 10 Windows Server 2019
Category • Subcategory	Account Management • User Account Management
Type	Success
Corresponding events in Windows 2003 and before

Discussions on Event ID 4798

4798: A user's local group membership was enumerated.

On this page

Description of this event
Field level details
Examples
Discuss this event
Mini-seminars on this event

Windows logs this event when a process enumerates the local groups to which a the specified user belongs on that computer.

In the example below RandyFranklinSmith (an Azure AD account) used Computer Management (mmc.exe) to open the local user Administrator and click on his Member of Tab. That triggered the event. But the same event is logged by other methods such as the "net user" command.

This event is valuable for catching so-called APT actors who are scoping out the local accounts on a system they have compromised so that they extend their horizontal kill chain. Of course false positives are possible. Pay attention to the Subject, quantity of events and type of system where logged.

This event has not yet been tested on a domain controller or on a domain joined PC and specifying a domain user instead of a local user. But MS says "This event doesn't generate when group members were enumerated using Active Directory Users and Computers snap-in."

Free Security Log Resources by Randy

Description Fields in 4798

Subject:

This is who performed the enumeration.

Security ID
Account Name
Account Domain
Logon ID as logged in 4624

User:

This is who's group membership was enumerated.

Security ID
Account Name
Account Domain

Process Information:

Process ID is the process ID specified when the executable started as logged in 4688.
Process Name: identifies the program executable that performed the enumeration.

Supercharger Free Edition

Supercharger's built-in Xpath filters leave the noise behind.

Free.

Examples of 4798

A user's local group membership was enumerated.

Subject:
   Security ID: AzureAD\RandyFranklinSmith
   Account Name: RandyFranklinSmith
   Account Domain: AzureAD
   Logon ID: 0x7A1EA

User:
   Security ID: DESKTOP-TMO9MI9\Administrator
   Account Name: Administrator
   Account Domain: DESKTOP-TMO9MI9

Process Information:
   Process ID: 0x106c
   Process Name: C:\Windows\System32\mmc.exe

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection

Mini-Seminars Covering Event ID 4798

Azure & O365 Audit Logging: 8 Events Across the Stack That You Want to Know When They Happen

Discussions on Event ID 4798

Upcoming Webinars

Additional Resources

Encyclopedia

•	All Event IDs
•	Audit Policy

Go To Event ID:

Security Log
Quick Reference
Chart
Download now!

User name:
Password:
	/ Forgot?
	Register

February 2021 Patch Monday	"Patch Monday: 2 CVE's Exploited in the Wild " - sponsored by LOGbinder

Follow @randyfsmith

Home

Follow @randyfsmith

About | Newsletter | Contact

Ultimate Windows Security is a division of Monterey Technology Group, Inc. ©2006-2021 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.