Windows Security Log Event ID 4799

Operating Systems Windows 2016 and 10
Category
 • Subcategory
Account Management
 • Security Group Management
Type Success
Corresponding events
in Windows 2003
and before
 
Discussions on Event ID 4799

4799: A security-enabled local group membership was enumerated

On this page

Windows logs this event when a process enumerates the members of the specified local group on that computer.

In the example below RandyFranklinSmith (an Azure AD account) used Computer Management (mmc.exe) to open the local group Users to view its members. That triggered the event. But the same event is logged by other methods such as "net local group".

This event is valuable for catching so-called APT actors who are scoping out the local accounts on a system they have compromised so that they extend their horizontal kill chain. Of course false positives are possible. Pay attention to the Subject, quantity of events and type of system where logged.

This event has not yet been tested on a domain controller or on a domain joined PC.  But MS says "This event doesn't generate when group members were enumerated using Active Directory Users and Computers snap-in."

Free Security Log Resources by Randy

Description Fields in 4799

Subject:

This is who performed the enumeration.

  • Security ID
  • Account Name
  • Account Domain
  • Logon ID as logged in 4624

Group:

This is the group whose membership was enumerated.
 

  • Security ID
  • Group Name
  • Group Domain

Process Information:

  • Process ID is the process ID specified when the executable started as logged in 4688.
  • Process Name: identifies the program executable that performed the enumeration. 

Setup PowerShell Audit Log Forwarding in 4 Minutes

 

Examples of 4799

A security-enabled local group membership was enumerated.

Subject:
   Security ID: AzureAD\RandyFranklinSmith
   Account Name: RandyFranklinSmith
   Account Domain: AzureAD
   Logon ID: 0x7A1EA

User:
   Security ID: DESKTOP-TMO9MI9\Users
   Group Name: Users
   Group Domain: DESKTOP-TMO9MI9

Process Information:
   Process ID: 0x106c
   Process Name: C:\Windows\System32\mmc.exe

Keep me up-to-date on the Windows Security Log.
Email*:
*We will NOT share this

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



 

Additional Resources