Detectionlowtest

Suspicious Get Local Groups Information - PowerShell

Detects the use of PowerShell modules and cmdlets to gather local group information. Adversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

François HubautCreated Sun Dec 12Updated Fri Aug 22fa6a5a45-3ee2-4529-aa14-ee5edc9e29cbwindows

Log Source

WindowsPowerShell Script

ProductWindows← raw: windows

CategoryPowerShell Script← raw: ps_script

Definition

Requirements: Script Block Logging must be enabled

Detection Logic

detection:
    selection_localgroup:
        ScriptBlockText|contains:
            - 'get-localgroup '
            - 'get-localgroupmember '
    selection_wmi_module:
        ScriptBlockText|contains:
            - 'get-wmiobject '
            - 'gwmi '
            - 'get-ciminstance '
            - 'gcim '
    selection_wmi_class:
        ScriptBlockText|contains: 'win32_group' # Covers both win32_group and win32_groupuser
    condition: selection_localgroup or all of selection_wmi_*