4799 A security-enabled local group membership was enumerated
Written when the members of a security-enabled local group are enumerated. It is a high-value detection event for catching reconnaissance by tools like BloodHound.
Overview
The subcategory is Audit Security Group Management. It is generated when a process enumerates the member list of a local group (such as Administrators) on a computer. It includes the enumerating process and account.
How it is triggered
- Member enumeration via `net localgroup Administrators`, `Get-LocalGroupMember`, or various APIs. SharpHound (the BloodHound collector) relies heavily on this enumeration when collecting local Administrators-group members to map lateral-movement paths.
Security review points
- Detecting reconnaissance: an attacker learns which accounts are local administrators to decide lateral-movement targets. If `Administrators` member enumeration occurs from `net.exe`, an unfamiliar tool, or across many hosts in a short time, suspect BloodHound-style mapping (MITRE ATT&CK T1069.001, Local Groups discovery).
- Note patterns such as the enumerating process (`Process Name`) being in a temp folder or non-standard path, or one account enumerating across many hosts.
Notes for log review
- Some legitimate processes (inventory and management agents) also enumerate. Baseline the known legitimate processes to surface `Administrators` enumeration by anything else.
- Together with user-membership enumeration (event 4798), read it as reconnaissance-phase activity. Catch cross-domain mapping by correlating 4799 across multiple hosts.
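The review points above as detection logic, added here as an example (not code from the original page): it scores constructed 4799 records against an assumed site baseline, flags temp-path or `net.exe` enumerators, and finds one account fanning out across many hosts in a short window. The record layout, the baseline set and the path markers are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4799 records (not real log data). Fields mirror the event's
# Group Name, Process Name and Subject Account Name, plus the reporting host and time.
EVENTS = [
    {"time": "2024-05-01T09:00:00", "host": "WS01", "group": "Administrators",
     "account": "svc_inventory", "process": r"C:\Program Files\Inventory\agent.exe"},
    {"time": "2024-05-01T09:01:00", "host": "WS01", "group": "Administrators",
     "account": "jdoe", "process": r"C:\Users\jdoe\AppData\Local\Temp\sh.exe"},
    {"time": "2024-05-01T09:01:30", "host": "WS02", "group": "Administrators",
     "account": "jdoe", "process": r"C:\Windows\System32\net1.exe"},
    {"time": "2024-05-01T09:02:00", "host": "WS03", "group": "Administrators",
     "account": "jdoe", "process": r"C:\Windows\System32\net1.exe"},
    {"time": "2024-05-01T09:02:30", "host": "WS04", "group": "Remote Desktop Users",
     "account": "jdoe", "process": r"C:\Windows\System32\net1.exe"},
]

# Assumed baseline of known-legitimate enumerating processes (site-specific, lowercase).
BASELINE = {r"c:\program files\inventory\agent.exe"}
# Assumed path fragments that mark a temp or non-standard location.
TEMP_MARKERS = ("\\temp\\", "\\appdata\\local\\", "\\downloads\\", "\\users\\public\\")

def flag_event(ev):
    """Return the review points a single 4799 record trips (empty list if none)."""
    proc = ev["process"].lower()
    reasons = []
    if ev["group"].lower() == "administrators" and proc not in BASELINE:
        reasons.append("administrators-enumeration-outside-baseline")
    if any(m in proc for m in TEMP_MARKERS):
        reasons.append("process-in-temp-or-user-path")
    if proc.endswith(("\\net.exe", "\\net1.exe")):  # net.exe hands most work to net1.exe
        reasons.append("net-exe-enumeration")
    return reasons

def fan_out_accounts(events, window=timedelta(minutes=10), min_hosts=3):
    """Map account -> sorted hosts for accounts enumerating on >= min_hosts hosts within window."""
    by_acct = defaultdict(list)
    for ev in events:
        by_acct[ev["account"]].append((datetime.fromisoformat(ev["time"]), ev["host"]))
    hits = {}
    for acct, seen in by_acct.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):  # slide the window from each event
            hosts = {h for t, h in seen[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits[acct] = sorted(hosts)
                break
    return hits
```

In practice the baseline and the host-fan-out threshold are what tune the noise; the per-event flags alone will fire on routine admin work.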
Key fields
| Field | Meaning |
|---|---|
| Group\Group Name | The group whose members were enumerated (check whether it is Administrators) |
| Process Name | The process that performed the enumeration |
| Subject\Account Name | The account that performed the enumeration |
Glossary
- BloodHound / SharpHound — tools that collect and visualize AD privilege relationships to find attack paths. Both attackers and assessors use them.