06-24-2024, 08:01 PM
You know that event ID 4799 in Windows Server Event Viewer? It's basically logging when someone pokes around to see who's in a security group on your local machine. Like, a security-enabled local group membership gets enumerated. That means an account or process lists out the members of a group that has security powers. Happens a lot during legit audits or when admins check permissions. But it can flag sneaky stuff too, like if an attacker is scouting for high-privilege users. I see it pop up in the Security log under Event Viewer. The details show the group name, the account that did the querying, and the target domain. Sometimes it includes the results of that enumeration. Detail-wise, it records the subject, which is the security ID of whoever initiated it, plus the security ID of the group being checked. And there's the process name involved, like lsass.exe often. If it's from an external source, it might note that. You can filter for it in Event Viewer by searching the ID. Keeps track of potential privilege escalations or just routine checks.
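Here is an added example (my own code, not part of the original post) that pulls the 4799 events from the last few minutes, unpacks the fields described above from the event XML (subject account and SID, group name and SID, caller process), and only mails the ones worth a look. The group list, the "expected caller" list and the SMTP settings are placeholders you would swap for your own; the EventData field names are the ones the Security-Auditing provider uses for 4799.

```powershell
# Added example: triage Event ID 4799 (security-enabled local group membership enumerated)
# and send an alert for the interesting ones. SMTP values and group lists are placeholders.
param(
    [int]$LookbackMinutes = 15,
    [string]$SmtpServer = "smtp.example.invalid",    # placeholder
    [string]$From       = "alerts@example.invalid",  # placeholder
    [string]$To         = "secops@example.invalid"   # placeholder
)

# Groups whose membership is sensitive enough that any enumeration gets reported (assumption).
$SensitiveGroups = @("Administrators", "Remote Desktop Users", "Backup Operators")

# Processes that enumerate local groups as part of normal operation on this host (assumption;
# baseline it from your own logs before relying on it).
$ExpectedCallers = @("C:\Windows\System32\svchost.exe", "C:\Windows\System32\lsass.exe")

function Get-GroupEnumerationEvents {
    param([int]$Minutes)
    $filter = @{ LogName = 'Security'; Id = 4799; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    # Get-WinEvent throws when nothing matches; treat "no events" as an empty result instead.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # The rendered message is locale-dependent; the XML carries the raw named fields.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Subject    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            SubjectSid = $data.SubjectUserSid
            LogonId    = $data.SubjectLogonId
            Group      = $data.TargetUserName     # for 4799 this is the group name
            GroupSid   = $data.TargetSid
            Caller     = $data.CallerProcessName
            CallerPid  = $data.CallerProcessId    # logged as a hex string, e.g. 0x1e4
        }
    }
}

function Test-InterestingEnumeration {
    param([pscustomobject]$Event)
    # Report if a sensitive group was enumerated, or if the caller is not one we expect.
    ($SensitiveGroups -contains $Event.Group) -or ($ExpectedCallers -notcontains $Event.Caller)
}

$hits = Get-GroupEnumerationEvents -Minutes $LookbackMinutes | Where-Object { Test-InterestingEnumeration $_ }

if ($hits) {
    $body = $hits | Format-Table Time, Subject, LogonId, Group, Caller, CallerPid -AutoSize | Out-String
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject "[$env:COMPUTERNAME] Event 4799: local group membership enumerated ($($hits.Count))" `
        -Body $body
}
```

Run it under an account that can read the Security log (SYSTEM from a scheduled task is the usual choice). The two lists are the knobs: tightening `$ExpectedCallers` after a week of baselining is what turns this from a firehose into something you actually read.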
Now, to monitor this with an email alert, fire up Event Viewer on your server. Go to the Windows Logs, hit Security, right-click and create a custom view. Set it to filter for event ID 4799. That way you see only those hits. To get alerts, attach a task to it. In the custom view, click on the Tasks menu, choose Subscribe, but wait, better yet, use the Action pane. Right-click an event, select Attach Task To This Event. Name your task something simple like GroupEnumAlert. Under triggers, pick On an event, specify the log and ID 4799. For actions, choose Send an email. Yeah, it has a built-in option for that. Fill in your SMTP server details, from and to addresses, and a subject like "Hey, group membership checked on server." Make sure the task runs with enough rights, like under SYSTEM. Test it by triggering a safe enumeration yourself. That'll ping you whenever it happens. Keeps you in the loop without constant watching.
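The same task can be registered from PowerShell instead of clicking through Event Viewer. This is an added example (mine, not the post's own alert code) that first checks the audit subcategory that produces 4799 is actually turned on, then creates a SYSTEM task with an event trigger on ID 4799 that runs an alert script. The script path is a placeholder. The task uses a script rather than the Task Scheduler "Send an e-mail" action because that action is deprecated in Windows Server 2012 and later.

```powershell
# Added example: register a scheduled task that fires on Event ID 4799 and runs an alert script.
# C:\Scripts\Send-GroupEnumAlert.ps1 is a placeholder path.

# 1. 4799 is only logged when the "Security Group Management" audit subcategory is enabled.
auditpol /get /subcategory:"Security Group Management"

# 2. Event-trigger subscription, same XPath the Event Viewer custom view would use.
$subscription = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4799]]</Select>
  </Query>
</QueryList>
"@

# New-ScheduledTaskTrigger has no event option, so build the trigger from the CIM class directly.
$class   = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $class -ClientOnly
$trigger.Subscription = $subscription
$trigger.Enabled      = $true

# 3. Action: run the alert script (placeholder path) non-interactively.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -NonInteractive -File "C:\Scripts\Send-GroupEnumAlert.ps1"'

# 4. Run as SYSTEM so the Security log is readable; cap runtime and do not stack instances
#    if a burst of enumerations arrives.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew -ExecutionTimeLimit (New-TimeSpan -Minutes 5)

Register-ScheduledTask -TaskName 'GroupEnumAlert' -Trigger $trigger -Action $action `
    -Principal $principal -Settings $settings -Force

# 5. Sanity check: a safe enumeration on the box itself should produce a 4799 and fire the task.
Get-LocalGroupMember -Group 'Administrators' | Out-Null
Get-ScheduledTaskInfo -TaskName 'GroupEnumAlert' | Select-Object LastRunTime, LastTaskResult
```

If `auditpol` shows the subcategory as "No Auditing", enable it with `auditpol /set /subcategory:"Security Group Management" /success:enable` (or the matching advanced audit policy in GPO) before expecting any 4799 events at all.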
And if you want something smoother, check out the automatic email solution at the end here.
Speaking of keeping your server safe from odd events like that, I've been messing with BackupChain Windows Server Backup lately. It's this solid Windows Server backup tool that handles physical setups and even virtual machines through Hyper-V without a hitch. You get fast incremental backups, easy restores to bare metal, and it dodges those common pitfalls like VSS errors. Plus, the deduping saves tons of space, and scheduling is a breeze for off-hours runs.
Note, the PowerShell email alert code was moved to this post.