Detectionlowtest
Suspicious Get Local Groups Information
Detects the use of PowerShell modules and cmdlets to gather local group information. Adversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Log Source
WindowsPowerShell Module
ProductWindows← raw: windows
CategoryPowerShell Module← raw: ps_module
Definition
0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
Detection Logic
Detection Logic3 selectors
detection:
selection_localgroup:
- Payload|contains:
- 'get-localgroup '
- 'get-localgroupmember '
- ContextInfo|contains:
- 'get-localgroup '
- 'get-localgroupmember '
selection_wmi_module:
- Payload|contains:
- 'get-wmiobject '
- 'gwmi '
- 'get-ciminstance '
- 'gcim '
- ContextInfo|contains|all:
- 'get-wmiobject '
- 'gwmi '
- 'get-ciminstance '
- 'gcim '
selection_wmi_class:
- Payload|contains: 'win32_group'
- ContextInfo|contains: 'win32_group'
condition: selection_localgroup or all of selection_wmi_*False Positives
Administrator script
References
MITRE ATT&CK
Tactics
Sub-techniques
Rule Metadata
Rule ID
cef24b90-dddc-4ae1-a09a-8764872f69fc
Status
test
Level
low
Type
Detection
Created
Sun Dec 12
Modified
Fri Aug 22
Author
Path
rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml
Raw Tags
attack.discoveryattack.t1069.001