Suspicious Get Local Groups Information

Detects the use of PowerShell modules and cmdlets to gather local group information. Adversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.

Sigma rule

```yaml
title: Suspicious Get Local Groups Information
id: cef24b90-dddc-4ae1-a09a-8764872f69fc
related:
    - id: fa6a5a45-3ee2-4529-aa14-ee5edc9e29cb
      type: similar
status: test
description: |
    Detects the use of PowerShell modules and cmdlets to gather local group information.
    Adversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
author: frack113
date: 2021-12-12
modified: 2025-08-22
tags:
    - attack.discovery
    - attack.t1069.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_localgroup:
        - Payload|contains:
              - 'get-localgroup '
              - 'get-localgroupmember '
        - ContextInfo|contains:
              - 'get-localgroup '
              - 'get-localgroupmember '
    selection_wmi_module:
        - Payload|contains:
              - 'get-wmiobject '
              - 'gwmi '
              - 'get-ciminstance '
              - 'gcim '
        - ContextInfo|contains|all:
              - 'get-wmiobject '
              - 'gwmi '
              - 'get-ciminstance '
              - 'gcim '
    selection_wmi_class:
        - Payload|contains: 'win32_group'
        - ContextInfo|contains: 'win32_group'
    condition: selection_localgroup or all of selection_wmi_*
falsepositives:
    - Administrator script
level: low
```
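To see how the `condition` combines the three selections, here is an added Python evaluation of the rule's logic (not code from the Sigma project) run over constructed PowerShell Module (Event ID 4103) events; the `Payload` and `ContextInfo` field names follow the rule, while the event contents are made up and only loosely shaped after real 4103 records. Note that the `ContextInfo|contains|all` branch only fires when every alias appears in that field, which the third sample event illustrates.

```python
# Added example (not Sigma project code): the rule's detection logic in
# Python over constructed EID 4103 events; field names follow the rule.
LOCALGROUP = ["get-localgroup ", "get-localgroupmember "]
WMI_MODULE = ["get-wmiobject ", "gwmi ", "get-ciminstance ", "gcim "]
WMI_CLASS = ["win32_group"]

def _field(event, name):
    # Sigma string modifiers match case-insensitively; lower-case once.
    return str(event.get(name, "")).lower()

def selection_localgroup(event):
    return any(s in _field(event, "Payload") for s in LOCALGROUP) or \
        any(s in _field(event, "ContextInfo") for s in LOCALGROUP)

def selection_wmi_module(event):
    # The rule's ContextInfo branch uses contains|all, so every alias must
    # appear there; the Payload branch matches on any single alias.
    return any(s in _field(event, "Payload") for s in WMI_MODULE) or \
        all(s in _field(event, "ContextInfo") for s in WMI_MODULE)

def selection_wmi_class(event):
    return any(s in _field(event, "Payload") for s in WMI_CLASS) or \
        any(s in _field(event, "ContextInfo") for s in WMI_CLASS)

def matches(event):
    # condition: selection_localgroup or all of selection_wmi_*
    return selection_localgroup(event) or (
        selection_wmi_module(event) and selection_wmi_class(event))

# Constructed sample events, loosely shaped after 4103 records.
SAMPLE_EVENTS = [
    {"EventID": 4103, "Payload": 'CommandInvocation(Get-LocalGroupMember): "Get-LocalGroupMember"',
     "ContextInfo": "Host Application = powershell.exe -c Get-LocalGroupMember -Group Administrators"},
    {"EventID": 4103, "Payload": "gcim -ClassName Win32_Group | Select-Object Name, SID",
     "ContextInfo": "Host Application = powershell.exe -File enum.ps1"},
    # Alias only in ContextInfo: contains|all needs all four, so no match.
    {"EventID": 4103, "Payload": 'CommandInvocation(Get-WmiObject): "Get-WmiObject"',
     "ContextInfo": "Host Application = powershell.exe -c gwmi Win32_Group"},
    {"EventID": 4103, "Payload": 'CommandInvocation(Get-Process): "Get-Process"',
     "ContextInfo": "Host Application = powershell.exe -c Get-Process"},
]

def matching_indexes(events=SAMPLE_EVENTS):
    return [i for i, e in enumerate(events) if matches(e)]

if __name__ == "__main__":
    print(matching_indexes())  # [0, 1]
```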
