inventory scripts or admin tasks

t1069
t1069.001
windows
sigma

Techniques

t1069
t1069.001

Sample rules

Suspicious Get Local Groups Information - PowerShell

source: sigma
technicques:
- t1069
- t1069.001

Description

Detects the use of PowerShell modules and cmdlets to gather local group information. Adversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.

Detection logic

condition: selection_localgroup or all of selection_wmi_*
selection_localgroup:
  ScriptBlockText|contains:
  - 'get-localgroup '
  - 'get-localgroupmember '
selection_wmi_class:
  ScriptBlockText|contains: win32_group
selection_wmi_module:
  ScriptBlockText|contains:
  - 'get-wmiobject '
  - 'gwmi '
  - 'get-ciminstance '
  - 'gcim '