Detectionmediumtest
Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet
Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems)Created Mon Oct 10c8a180d6-47a3-4345-a609-53f9c3d834fcwindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic2 selectors
detection:
# Covers group and localgroup flags
selection_cmdlet:
CommandLine|contains: 'Get-LocalGroupMember '
selection_group:
CommandLine|contains:
# Add more groups for other languages
- 'domain admins'
- ' administrator' # Typo without an 'S' so we catch both
- ' administrateur' # Typo without an 'S' so we catch both
- 'enterprise admins'
- 'Exchange Trusted Subsystem'
- 'Remote Desktop Users'
- 'Utilisateurs du Bureau à distance' # French for "Remote Desktop Users"
- 'Usuarios de escritorio remoto' # Spanish for "Remote Desktop Users"
condition: all of selection_*False Positives
Administrative activity
References
MITRE ATT&CK
Tactics
Sub-techniques
Rule Metadata
Rule ID
c8a180d6-47a3-4345-a609-53f9c3d834fc
Status
test
Level
medium
Type
Detection
Created
Mon Oct 10
Path
rules/windows/process_creation/proc_creation_win_powershell_get_localgroup_member_recon.yml
Raw Tags
attack.discoveryattack.t1087.001