Enumeration of Privileged Local Groups Membershipedit

Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-windows.*

Severity: medium

Risk score: 43

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None


  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Discovery

Version: 2

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guideedit

## Config

This will require Windows security event 4799 by enabling audit success for the Windows Account Management category and
the Security Group Management subcategory.

Rule queryedit

iam where event.action == "user-member-enumerated" and

 /* noisy and usual legit processes excluded */
 not winlog.event_data.CallerProcessName:
               "?:\\Program Files\\*.exe",
               "?:\\Program Files (x86)\\*.exe") and
  /* privileged local groups */
 (group.name:("admin*","RemoteDesktopUsers") or