Techniques
Sample rules
Suspicious Get Local Groups Information - PowerShell
- source: sigma
- techniques:
- t1069
- t1069.001
Description
Detects the use of PowerShell modules and cmdlets to gather local group information. Adversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.
Detection logic
selection_localgroup:
  ScriptBlockText|contains:
    - 'get-localgroup '
    - 'get-localgroupmember '
selection_wmi_class:
  ScriptBlockText|contains: win32_group
selection_wmi_module:
  ScriptBlockText|contains:
    - 'get-wmiobject '
    - 'gwmi '
    - 'get-ciminstance '
    - 'gcim '
condition: selection_localgroup or all of selection_wmi_*
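To show how the condition above actually combines its selections (the localgroup cmdlets alone fire, while the WMI branch needs both the class and a module/alias), here is an added example that evaluates the rule over constructed ScriptBlockText samples. It is not code from the Sigma project; the sample script blocks and the function names are assumptions made for the illustration.

```python
# Added example: evaluate this Sigma rule's detection logic over constructed
# PowerShell ScriptBlockText samples (not code from the Sigma project).
import fnmatch

# Selections transcribed from the rule above. Sigma string matching is
# case-insensitive by default, so all comparisons are done on lowercased text.
SELECTIONS = {
    "selection_localgroup": ["get-localgroup ", "get-localgroupmember "],
    "selection_wmi_class": ["win32_group"],
    "selection_wmi_module": ["get-wmiobject ", "gwmi ", "get-ciminstance ", "gcim "],
}

def selection_matches(name: str, script_block: str) -> bool:
    """A 'contains' list is OR-ed: any one listed substring satisfies the selection."""
    text = script_block.lower()
    return any(needle in text for needle in SELECTIONS[name])

def all_of(pattern: str, script_block: str) -> bool:
    """Sigma 'all of selection_wmi_*': every selection whose name fits the glob must hit."""
    names = fnmatch.filter(SELECTIONS, pattern)
    return bool(names) and all(selection_matches(n, script_block) for n in names)

def rule_matches(script_block: str) -> bool:
    """condition: selection_localgroup or all of selection_wmi_*"""
    return (selection_matches("selection_localgroup", script_block)
            or all_of("selection_wmi_*", script_block))

# Constructed Event ID 4104 ScriptBlockText samples (hypothetical, not real telemetry),
# mapped to the verdict the rule should produce for each.
SAMPLES = {
    "Get-LocalGroupMember -Group Administrators": True,                      # localgroup cmdlet
    'Get-WmiObject -Class Win32_Group -Filter "LocalAccount=True"': True,    # WMI module + class
    "gcim Win32_Group | Select-Object Name": True,                           # CIM alias + class
    "Get-WmiObject Win32_Process": False,                                    # module without the class
    "Get-LocalUser | Format-Table": False,                                   # unrelated cmdlet
}

def evaluate_samples() -> dict:
    """Run every sample through the rule; returns {script_block: matched}."""
    return {text: rule_matches(text) for text in SAMPLES}

if __name__ == "__main__":
    for text, hit in evaluate_samples().items():
        print(f"{'ALERT' if hit else 'ok   '} {text}")
```

The trailing space in each rule string is preserved, so a cmdlet name must be followed by whitespace to match; that is worth checking against how script blocks appear in your own telemetry.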