medium advisory

Enumeration of Privileged Local Groups Membership

An unusual process is enumerating built-in Windows privileged local groups membership, such as Administrators or Remote Desktop users, potentially revealing targets for credential compromise and post-exploitation activities.

Attackers often perform reconnaissance after compromising a system to plan their next steps. This includes enumerating network resources, users, connections, files, and installed security software. This activity allows attackers to identify high-value targets for lateral movement and credential theft. This detection identifies processes that are unusually enumerating the membership of privileged local groups on Windows systems, such as Administrators or Remote Desktop Users. It is based on Elastic detection rule “Enumeration of Privileged Local Groups Membership” (rule_id: “291a0de9-937a-4189-94c0-3e847c8b13e4”). The rule excludes common legitimate utilities to reduce false positives. The presence of such enumeration activity, especially by unknown or untrusted processes, should be investigated immediately to determine the scope and intent of the intrusion.

Attack Chain

  1. An attacker compromises a Windows host through an initial access vector like phishing or exploitation.
  2. The attacker executes a reconnaissance command or script to gather information about the system.
  3. The command attempts to enumerate the members of privileged local groups, such as Administrators or Remote Desktop Users, using built-in Windows utilities or custom tools.
  4. Windows Security Event Logging records the enumeration as Event ID 4798 or a similar event, including the process that performed it.
  5. The attacker parses the output of the enumeration command to identify potential targets for credential theft or privilege escalation.
  6. The attacker uses the gathered information to move laterally to other systems or escalate privileges on the compromised host.
  7. The attacker compromises additional systems and continues to pursue their objectives, such as data exfiltration or ransomware deployment.

Impact

Successful enumeration of privileged local groups allows attackers to identify accounts with elevated privileges on the compromised system. This information is used to target those accounts for credential theft, enabling lateral movement and further compromise of the network. If successful, the attacker gains access to sensitive data or critical systems, or deploys ransomware, causing significant disruption and financial losses.

Recommendation

  • Enable Audit Security Group Management to generate the necessary Windows Security Event Logs as described in the Elastic setup guide.
  • Deploy the Sigma rule “Suspicious Enumeration of Privileged Local Groups Membership” to detect unusual processes enumerating group memberships based on CallerProcessName and TargetSid.
  • Investigate any alerts generated by the Sigma rule, prioritizing those involving unknown or untrusted processes.
  • Monitor process execution for command-line arguments and tools commonly used for enumeration, such as net.exe, dsquery, or PowerShell scripts.
  • Implement least privilege principles to minimize the number of accounts with membership in privileged local groups.
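The following is an added example of the triage logic the Sigma rule recommendation describes, applied to constructed Windows Security group-enumeration events; it is not the platform's rule or Elastic's query. It assumes event records carrying the CallerProcessName and TargetSid fields (event 4799 is the one that places the group's SID in TargetSid), a hypothetical key=value line format, and an illustrative allowlist of benign callers.

```python
import re

# Well-known SIDs of the built-in privileged local groups named in this advisory.
PRIVILEGED_GROUP_SIDS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-555": "Remote Desktop Users",
}

# Illustrative allowlist of caller processes treated as benign enumerators.
# This is an assumption for the example, not the rule's real exclusion list.
BENIGN_CALLERS = {
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\lsass.exe",
}

FIELD_RE = re.compile(r"(\w+)=([^;]*)")

def parse_event(line):
    """Parse one constructed 'Key=Value;Key=Value' event line into a dict."""
    return {k.strip(): v.strip() for k, v in FIELD_RE.findall(line)}

def is_suspicious(event):
    """True when a non-allowlisted process enumerates a privileged local group."""
    if event.get("EventID") not in {"4798", "4799"}:
        return False
    if event.get("TargetSid") not in PRIVILEGED_GROUP_SIDS:
        return False
    caller = event.get("CallerProcessName", "").lower()
    return caller not in BENIGN_CALLERS

def triage(lines):
    """Return (caller process, group name) for every suspicious event."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_suspicious(ev):
            hits.append((ev["CallerProcessName"], PRIVILEGED_GROUP_SIDS[ev["TargetSid"]]))
    return hits

# Constructed sample events (not real telemetry); paths are placeholders.
SAMPLE_EVENTS = [
    r"EventID=4799;TargetUserName=Administrators;TargetSid=S-1-5-32-544;CallerProcessName=C:\Windows\System32\services.exe",
    r"EventID=4799;TargetUserName=Administrators;TargetSid=S-1-5-32-544;CallerProcessName=C:\Users\Public\update.exe",
    r"EventID=4799;TargetUserName=Remote Desktop Users;TargetSid=S-1-5-32-555;CallerProcessName=C:\Windows\Temp\recon.exe",
    r"EventID=4799;TargetUserName=Users;TargetSid=S-1-5-32-545;CallerProcessName=C:\Windows\Temp\recon.exe",
    r"EventID=4688;TargetSid=S-1-5-32-544;CallerProcessName=C:\Windows\Temp\recon.exe",
]

if __name__ == "__main__":
    for caller, group in triage(SAMPLE_EVENTS):
        print(f"ALERT: {caller} enumerated {group}")
```

Only the two events where an unlisted process queries Administrators or Remote Desktop Users are raised; the non-privileged Users group and the unrelated event ID are ignored.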

Detection coverage (2 rules)

Suspicious Enumeration of Privileged Local Groups Membership

medium

Detects suspicious processes enumerating privileged local group memberships such as Administrators or Remote Desktop Users.

Sigma rule. Tactics: discovery. Techniques: T1069.001. Sources: process_creation, windows.

Suspicious PowerShell Enumeration of Local Group Membership

medium

Detects suspicious PowerShell scripts enumerating privileged local group memberships.

Sigma rule. Tactics: discovery. Techniques: T1069.001. Sources: process_creation, windows.
