detection.wiki

Detection rules › Splunk

Enumerate Users Local Group Using Telegram

Status
production
Severity
medium
Group by
CallerProcessName, LogonId, SubjectDomainName, computer_name, process_id, signature_id, user, user_sid
Author
Teoderick Contreras, Splunk
Source
github.com/splunk/security_content

The following analytic detects a Telegram process enumerating all network users in a local group. It leverages EventCode 4798, which is generated when a process enumerates a user's security-enabled local groups on a computer or device. This activity is significant as it may indicate an attempt to gather information on user accounts, a common precursor to further malicious actions. If confirmed malicious, this behavior could allow an attacker to map out user accounts, potentially leading to privilege escalation or lateral movement within the network.

MITRE ATT&CK coverage

TacticTechniques
DiscoveryT1087 Account Discovery

Event coverage

ProviderEventTitle
Security-AuditingEvent ID 4798A user's local group membership was enumerated.

Rule body splunk

name: Enumerate Users Local Group Using Telegram
id: fcd74532-ae54-11eb-a5ab-acde48001122
version: 13
creation_date: '2021-05-07'
modification_date: '2026-05-13'
author: Teoderick Contreras, Splunk
status: production
type: TTP
description: The following analytic detects a Telegram process enumerating all network users in a local group. It leverages EventCode 4798, which is generated when a process enumerates a user's security-enabled local groups on a computer or device. This activity is significant as it may indicate an attempt to gather information on user accounts, a common precursor to further malicious actions. If confirmed malicious, this behavior could allow an attacker to map out user accounts, potentially leading to privilege escalation or lateral movement within the network.
data_source:
    - Windows Event Log Security 4798
search: '`wineventlog_security` EventCode=4798  CallerProcessName = "*\\telegram.exe" | stats count min(_time) as firstTime max(_time) as lastTime by user Computer EventCode CallerProcessName  ProcessID SubjectUserSid SubjectDomainName  SubjectLogonId | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enumerate_users_local_group_using_telegram_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting logs with the Task Schedule (Exa. Security Log EventCode 4798) endpoints. Tune and filter known instances of process like logonUI used in your environment.
known_false_positives: No false positives have been identified at this time.
references:
    - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/
    - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4798
drilldown_searches:
    - name: View the detection results for - "$user$" and "$dest$"
      search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$" and "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
finding:
    title: The Telegram application has been identified enumerating local groups on $dest$ by $user$.
    entity:
        field: user
        type: user
        score: 50
intermediate_findings:
    entities:
        - field: dest
          type: system
          score: 50
          message: The Telegram application has been identified enumerating local groups on $dest$ by $user$.
analytic_story:
    - XMRig
    - Compromised Windows Host
    - Water Gamayun
asset_type: Endpoint
mitre_attack_id:
    - T1087
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087/enumerate_users_local_group_using_telegram/windows-xml.log
          source: XmlWinEventLog:Security
          sourcetype: XmlWinEventLog
      test_type: unit

Stages and Predicates

Stage 1: search

`wineventlog_security` EventCode=4798  CallerProcessName = "*\\telegram.exe"

Stage 2: stats

| stats count min(_time) as firstTime max(_time) as lastTime by user Computer EventCode CallerProcessName  ProcessID SubjectUserSid SubjectDomainName  SubjectLogonId

Stage 3: rename

| rename Computer as dest

Stage 4: search

| `security_content_ctime(firstTime)`

Stage 5: search

| `security_content_ctime(lastTime)`

Stage 6: search

| `enumerate_users_local_group_using_telegram_filter`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
CallerProcessNameeq
  • "*\\telegram.exe"
EventCodeeq
  • 4798