Windows Security Log Event ID 4798
4798: A user's local group membership was enumerated.
On this page
Windows logs this event when a process enumerates the local groups to which a the specified user belongs on that computer.
In the example below RandyFranklinSmith (an Azure AD account) used Computer Management (mmc.exe) to open the local user Administrator and click on his Member of Tab. That triggered the event. But the same event is logged by other methods such as the "net user" command.
This event is valuable for catching so-called APT actors who are scoping out the local accounts on a system they have compromised so that they extend their horizontal kill chain. Of course false positives are possible. Pay attention to the Subject, quantity of events and type of system where logged.
This event has not yet been tested on a domain controller or on a domain joined PC and specifying a domain user instead of a local user. But MS says "This event doesn't generate when group members were enumerated using Active Directory Users and Computers snap-in."
Free Security Log Resources by Randy
Subject:
This is who performed the enumeration.
- Security ID
- Account Name
- Account Domain
- Logon ID as logged in 4624
User:
This is who's group membership was enumerated.
- Security ID
- Account Name
- Account Domain
Process Information:
- Process ID is the process ID specified when the executable started as logged in 4688.
- Process Name: identifies the program executable that performed the enumeration.
Setup PowerShell Audit Log Forwarding in 4 Minutes