LoFP / inventory scripts or admin tasks

Techniques

Sample rules

Suspicious Get Local Groups Information - PowerShell

Description

Detects the use of PowerShell modules and cmdlets to gather local group information. Adversaries may enumerate local system permission groups to determine which groups exist and which users belong to a particular group, such as the local Administrators group.

Detection logic

condition: selection_localgroup or all of selection_wmi_*
selection_localgroup:
  ScriptBlockText|contains:
  - 'get-localgroup '
  - 'get-localgroupmember '
selection_wmi_class:
  ScriptBlockText|contains: win32_group
selection_wmi_module:
  ScriptBlockText|contains:
  - 'get-wmiobject '
  - 'gwmi '
  - 'get-ciminstance '
  - 'gcim '
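As an added example (not part of the LoFP page or of the Sigma rule itself), the following Python evaluates the rule's condition over a few constructed Event ID 4104 ScriptBlockText strings, including an admin inventory script of the kind this false-positive entry describes. The sample texts and helper names are assumptions; Sigma's `contains` is treated as a case-insensitive substring test.

```python
"""Evaluate the Sigma detection above against constructed ScriptBlockText samples."""

# Selection values copied from the rule. Sigma 'contains' is a case-insensitive
# substring test, and a list of values under one selection is an OR.
SELECTIONS = {
    "selection_localgroup": ["get-localgroup ", "get-localgroupmember "],
    "selection_wmi_class": ["win32_group"],
    "selection_wmi_module": ["get-wmiobject ", "gwmi ", "get-ciminstance ", "gcim "],
}


def selection_matches(name: str, script_block: str) -> bool:
    """True if any value of the named selection occurs in the script block."""
    text = script_block.lower()
    return any(value in text for value in SELECTIONS[name])


def rule_matches(script_block: str) -> bool:
    """condition: selection_localgroup or all of selection_wmi_*"""
    wmi_selections = [n for n in SELECTIONS if n.startswith("selection_wmi_")]
    return selection_matches("selection_localgroup", script_block) or all(
        selection_matches(n, script_block) for n in wmi_selections
    )


# Constructed sample script-block texts (hypothetical, not real telemetry).
SAMPLES = {
    # The false-positive case this LoFP entry is about: a scheduled inventory script.
    "admin_inventory": "Get-LocalGroupMember -Group Administrators | Export-Csv C:\\inv\\admins.csv",
    # Both WMI selections present (module cmdlet AND Win32_Group class) -> fires.
    "wmi_group_enum": "Get-WmiObject -Class Win32_Group -Filter \"LocalAccount='True'\" | Select Name",
    # WMI cmdlet without the Win32_Group class -> 'all of selection_wmi_*' fails.
    "cim_process_list": "Get-CimInstance Win32_Process | Select-Object Name, ProcessId",
    # Class name without any WMI/CIM cmdlet -> does not fire either.
    "group_class_only": "$type = [System.Type]::GetType('Win32_Group')",
    # Tuning note: the rule values end in a space, so a bare cmdlet with no
    # trailing argument does not match as written.
    "localgroup_no_args": "Get-LocalGroup",
    "service_check": "Get-Service | Where-Object Status -eq 'Running'",
}


def evaluate_samples() -> dict:
    """Map each sample name to whether the rule would alert on it."""
    return {name: rule_matches(text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:20} -> {'ALERT' if hit else 'no match'}")
```

The admin_inventory sample shows why an exception keyed on the scheduled task or script path, rather than on the cmdlet name, is the usual way to suppress this false positive without blinding the rule.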