4798 A user's local group membership was enumerated
Written when the local groups a user belongs to are enumerated. Its main value is in spotting attacker reconnaissance (surveying who holds which privileges on the host).
Overview
The subcategory is Audit User Account Management (Account Management category). The event is logged on the computer where the enumeration takes place, when a process enumerates the security-enabled local groups a specific user belongs to. It records the subject account that performed the enumeration, the user whose membership was read, and the enumerating process. The event exists on Windows 10 / Windows Server 2016 and later; older systems do not log it.
How it is triggered
- Enumeration of group membership via whoami /groups, net user <username>, various management tools, or the underlying APIs (for example NetUserGetLocalGroups).
- AD reconnaissance tools such as BloodHound/SharpHound also perform this kind of enumeration when collecting local group information.
Security review points
- After intrusion, an attacker enumerates group memberships to understand where privileges lie (MITRE ATT&CK Permission Groups Discovery, T1069, sub-technique T1069.001 Local Groups). Note 4798 from net.exe (which hands most commands to net1.exe, so Process Name is often net1.exe), PowerShell, or unfamiliar enumeration tools.
- If the enumerating Process Name is unexpected (an executable in a temp folder or a user profile directory, and so on), suspect reconnaissance. Read it together with 4799 (a security-enabled local group membership was enumerated), which is the group-side counterpart: 4798 lists the groups of one user, 4799 lists the members of one group.
Notes for log review
- Some legitimate processes (management tools, logon processing) also enumerate, so baseline them out by Process Name and Subject to remove noise. Note heavy use of whoami or net, and short-interval consecutive enumeration of many different users from the same session in particular.
- Read it not alone but as part of a reconnaissance flow, such as enumeration right after logon 4624 (correlate on the Subject Logon ID) followed by access to resources or other discovery events.
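The following is an added example, not code from the original page, showing the review points above (known enumeration tools, unexpected process paths, baselined benign enumerators, bursts of consecutive enumeration, and correlation with a preceding 4624 on the same Logon ID) as triage logic over a constructed set of event records. The records, process paths, thresholds and trusted-directory list are assumptions for illustration; in practice the records would come from Get-WinEvent or a SIEM, and the parsing of the raw event XML is not shown here.

```python
"""Triage of Windows Security event 4798 (hypothetical example, not from the page)."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample records (not real log data). Field names mirror the
# event text: Subject Account Name, Subject Logon ID, Process Name, and the
# enumerated Target Account for 4798. Process paths are illustrative.
SAMPLE_EVENTS = [
    # Interactive logon for jdoe, Logon ID 0x3e7a1
    {"id": 4624, "time": "2024-05-01T09:00:00", "logon_id": "0x3e7a1",
     "subject": "jdoe", "process": r"C:\Windows\System32\winlogon.exe"},
    # Logon processing reads the user's own groups: baselined noise
    {"id": 4798, "time": "2024-05-01T09:00:01", "logon_id": "0x3e7a1",
     "subject": "jdoe", "target": "jdoe", "process": r"C:\Windows\System32\svchost.exe"},
    # "net user Administrator" shortly after logon (net.exe hands off to net1.exe)
    {"id": 4798, "time": "2024-05-01T09:02:10", "logon_id": "0x3e7a1",
     "subject": "jdoe", "target": "Administrator", "process": r"C:\Windows\System32\net1.exe"},
    # Burst of enumeration from an executable dropped in a temp folder
    {"id": 4798, "time": "2024-05-01T09:06:00", "logon_id": "0x3e7a1",
     "subject": "jdoe", "target": "Administrator", "process": r"C:\Users\jdoe\AppData\Local\Temp\collector.exe"},
    {"id": 4798, "time": "2024-05-01T09:06:01", "logon_id": "0x3e7a1",
     "subject": "jdoe", "target": "svc_backup", "process": r"C:\Users\jdoe\AppData\Local\Temp\collector.exe"},
    {"id": 4798, "time": "2024-05-01T09:06:02", "logon_id": "0x3e7a1",
     "subject": "jdoe", "target": "jsmith", "process": r"C:\Users\jdoe\AppData\Local\Temp\collector.exe"},
    # A management agent doing a single lookup from the SYSTEM session: noise
    {"id": 4798, "time": "2024-05-01T09:30:00", "logon_id": "0x3e7",
     "subject": "SYSTEM", "target": "jsmith", "process": r"C:\Program Files\MgmtAgent\agent.exe"},
]

# Tunable parameters (assumptions for this example, not values from the page)
ENUM_TOOLS = {"net.exe", "net1.exe", "whoami.exe", "powershell.exe", "pwsh.exe"}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\")
BASELINE = {r"c:\windows\system32\svchost.exe", r"c:\windows\system32\lsass.exe"}  # baselined-out enumerators
BURST_COUNT = 3                          # this many 4798s ...
BURST_WINDOW = timedelta(seconds=60)     # ... within this window from one Logon ID
POST_LOGON_WINDOW = timedelta(minutes=5) # enumeration this soon after 4624 is notable


def _ts(value):
    return datetime.fromisoformat(value)


def triage(events):
    """Return the 4798 events worth a look, each with the reasons it was flagged."""
    events = sorted(events, key=lambda e: _ts(e["time"]))
    logons = {}                      # Logon ID -> time of the latest 4624
    recent = defaultdict(list)       # Logon ID -> times of recent 4798s
    findings = []
    for e in events:
        if e["id"] == 4624:
            logons[e["logon_id"]] = _ts(e["time"])
            continue
        if e["id"] != 4798:
            continue
        t = _ts(e["time"])
        proc = e["process"].lower()
        name = PureWindowsPath(proc).name
        if proc in BASELINE:         # known-benign Process Name: drop as noise
            continue
        reasons = []
        if name in ENUM_TOOLS:
            reasons.append(f"enumeration tool {name}")
        if not proc.startswith(TRUSTED_DIRS):
            reasons.append("process outside trusted directories")
        window = recent[e["logon_id"]]
        window.append(t)
        window[:] = [x for x in window if t - x <= BURST_WINDOW]
        if len(window) >= BURST_COUNT:
            reasons.append(f"{len(window)} enumerations within {BURST_WINDOW.seconds}s")
        logon_t = logons.get(e["logon_id"])
        if logon_t is not None and timedelta(0) <= t - logon_t <= POST_LOGON_WINDOW:
            reasons.append("within 5 min of logon 4624 on the same Logon ID")
        if reasons:
            findings.append({"time": e["time"], "subject": e["subject"],
                             "target": e["target"], "process": e["process"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["time"], f["subject"], "->", f["target"], f["process"], f["reasons"])
```

Two design points: the baseline is keyed on the full lower-cased path rather than the basename, so a renamed binary in another directory does not inherit the exemption; and the burst counter is keyed on Logon ID rather than account name, so the scheduled agent's single lookup in the SYSTEM session is not merged with a user's interactive session.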
Key fields
| Field | Meaning |
|---|---|
| Target Account | The user whose local group membership was enumerated (the User section of the event) |
| Process Name | Full path of the process that performed the enumeration |
| Subject\Account Name | The account that performed the enumeration |
| Subject\Logon ID | The logon session of the subject; use it to correlate with the preceding 4624 and with other events from the same session |