Event 4799: A security-enabled local group membership was enumerated.
A security-enabled local group membership was enumerated.
Technical Details
Event ID: 4799
Windows Security- Account Management
Event Description
A security-enabled local group membership was enumerated.
Key Log Fields
Key log field information is not yet available for this event. Refer to official documentation for field details.
MITRE ATT&CK® Mapping (2)
Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions. Adversaries may attempt to discover group permission settings in many different ways. This data may provide the adversary with information about the compromised environment that can be used in follow-on activity and targeting.(Citation: CrowdStrike BloodHound April 2018)
Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group. Commands such as <code>net localgroup</code> of the [Net](https://attack.mitre.org/software/S0039) utility, <code>dscl . -list /Groups</code> on macOS, and <code>groups</code> on Linux can list local groups.