Enumeration of Privileged Local Groups Membershipedit

Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-windows.*

Severity: medium

Risk score: 43

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100


  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Discovery

Version: 1

Added (Elastic Stack release): 8.0.0

Rule authors: Elastic

Rule license: Elastic License v2

Investigation guideedit

## Config

This will require Windows security event 4799 by enabling audit success for the windows Account Management category and
the Security Group Management subcategory.

Rule queryedit

iam where event.action == "user-member-enumerated" and /* noisy and
usual legit processes excluded */ not
"?:\\Windows\\System32\\dfsrs.exe", "?:\\Program
Files\\*.exe", "?:\\Program Files (x86)\\*.exe") and
/* privileged local groups */
(group.name:("admin*","RemoteDesktopUsers") or

Threat mappingedit