Type: Detection | Level: low | Status: test

Suspicious Get Local Groups Information - PowerShell

Detects the use of PowerShell modules and cmdlets to gather local group information. Adversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.

Author: François Hubaut
Created: Sun Dec 12
Updated: Fri Aug 22
ID: fa6a5a45-3ee2-4529-aa14-ee5edc9e29cb

Log Source
Product: Windows (raw: windows)
Category: PowerShell Script (raw: ps_script)

Definition

Requirements: Script Block Logging must be enabled (the rule matches on the ScriptBlockText field of Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log)

Detection Logic (3 selectors)
detection:
    selection_localgroup:
        ScriptBlockText|contains:
            - 'get-localgroup '
            - 'get-localgroupmember '
    selection_wmi_module:
        ScriptBlockText|contains:
            - 'get-wmiobject '
            - 'gwmi '
            - 'get-ciminstance '
            - 'gcim '
    selection_wmi_class:
        ScriptBlockText|contains: 'win32_group' # Covers both win32_group and win32_groupuser
    condition: selection_localgroup or all of selection_wmi_*
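As an added example (not part of the Sigma rule or of this page), the condition above re-implemented in Python and run over constructed ScriptBlockText values. It reproduces the two things the YAML leaves implicit: a `contains` list is an OR over its values and is case-insensitive, while `all of selection_wmi_*` ANDs the cmdlet selection with the class selection. The sample events are made up for illustration and are not captured logs.

```python
# Added example: re-implementation of the rule's detection logic in Python,
# run over constructed ScriptBlockText samples. Not part of the Sigma rule
# or the page; the sample events below are made up for illustration.

# Selection values transcribed from the rule. Sigma's `contains` modifier is
# case-insensitive, so comparison is done on lower-cased text.
SELECTION_LOCALGROUP = ("get-localgroup ", "get-localgroupmember ")
SELECTION_WMI_MODULE = ("get-wmiobject ", "gwmi ", "get-ciminstance ", "gcim ")
SELECTION_WMI_CLASS = ("win32_group",)  # also matches win32_groupuser


def _contains_any(text, values):
    """Sigma `field|contains: [a, b]` is an OR over the listed values."""
    lowered = text.lower()
    return any(value in lowered for value in values)


def matches(script_block_text):
    """Evaluate `selection_localgroup or all of selection_wmi_*` for one event."""
    localgroup = _contains_any(script_block_text, SELECTION_LOCALGROUP)
    # `all of selection_wmi_*` ANDs the two wmi selections: a cmdlet AND the class.
    wmi = (_contains_any(script_block_text, SELECTION_WMI_MODULE)
           and _contains_any(script_block_text, SELECTION_WMI_CLASS))
    return localgroup or wmi


# Constructed Event ID 4104 ScriptBlockText values (not real captured logs).
SAMPLE_EVENTS = {
    "localgroupmember": "Get-LocalGroupMember -Group Administrators",
    "cim_groupuser": "Get-CimInstance -ClassName Win32_GroupUser | "
                     "Where-Object { $_.GroupComponent -like '*Administrators*' }",
    "gwmi_group": 'gwmi Win32_Group -Filter "LocalAccount=True"',
    "cim_process": "Get-CimInstance -ClassName Win32_Process",  # cmdlet but wrong class
    "class_string_only": "Write-Output 'win32_group is a WMI class'",  # class but no cmdlet
    "pipe_no_space": "Get-LocalGroup|Select-Object Name",  # no trailing space after cmdlet
    "net_localgroup": "net localgroup administrators",  # not a PowerShell cmdlet
}


def evaluate(events=SAMPLE_EVENTS):
    """Return {event name: bool} for every sample; True means the rule fires."""
    return {name: matches(text) for name, text in events.items()}


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{'ALERT ' if fired else 'ignore'}  {name}")
```

Two of the non-matching samples are worth keeping in mind when tuning. The rule's values end in a space, so `Get-LocalGroup|Select-Object Name`, or a bare `Get-LocalGroup` at the end of a script block, does not match; that keeps `Get-LocalGroupMember` from double-matching on `get-localgroup ` but also means a pipe or newline directly after the cmdlet evades the rule. `net localgroup` is outside this rule's scope entirely, since it is a separate process, not a PowerShell cmdlet, and belongs to process-creation rules. Whether `contains` is case-insensitive in practice depends on the backend the rule is converted for, so check the generated query rather than assuming it.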
False Positives

Inventory scripts or admin tasks