Suspicious Get Local Groups Information
Detects the use of PowerShell modules and cmdlets to gather local group information. Adversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.
Sigma rule
title: Suspicious Get Local Groups Information
id: cef24b90-dddc-4ae1-a09a-8764872f69fc
related:
  - id: fa6a5a45-3ee2-4529-aa14-ee5edc9e29cb
    type: similar
status: test
description: |
  Detects the use of PowerShell modules and cmdlets to gather local group information.
  Adversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.
references:
  - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
author: frack113
date: 2021-12-12
modified: 2025-08-22
tags:
  - attack.discovery
  - attack.t1069.001
logsource:
  product: windows
  category: ps_module
  definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
  selection_localgroup:
    - Payload|contains:
        - 'get-localgroup '
        - 'get-localgroupmember '
    - ContextInfo|contains:
        - 'get-localgroup '
        - 'get-localgroupmember '
  selection_wmi_module:
    - Payload|contains:
        - 'get-wmiobject '
        - 'gwmi '
        - 'get-ciminstance '
        - 'gcim '
    - ContextInfo|contains|all:
        - 'get-wmiobject '
        - 'gwmi '
        - 'get-ciminstance '
        - 'gcim '
  selection_wmi_class:
    - Payload|contains: 'win32_group'
    - ContextInfo|contains: 'win32_group'
  condition: selection_localgroup or all of selection_wmi_*
falsepositives:
  - Administrator script
level: low
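To show how the condition above combines its three selections, here is the rule's detection logic implemented in Python and run over a handful of PowerShell module-logging (4103-style) records; this is an added example, not code from SigmaHQ. The field names Payload and ContextInfo follow the rule, and the sample records are constructed, not real telemetry.

```python
from typing import Dict, Iterable, List

Event = Dict[str, str]

# Search terms copied from the rule; Sigma 'contains' matches case-insensitively.
LOCALGROUP_TERMS = ["get-localgroup ", "get-localgroupmember "]
WMI_MODULE_TERMS = ["get-wmiobject ", "gwmi ", "get-ciminstance ", "gcim "]
WMI_CLASS_TERMS = ["win32_group"]


def contains_any(value: str, terms: List[str]) -> bool:
    """Sigma 'field|contains: [a, b]' -> any term is a substring (case-insensitive)."""
    value = value.lower()
    return any(t in value for t in terms)


def contains_all(value: str, terms: List[str]) -> bool:
    """Sigma 'field|contains|all: [a, b]' -> every term is a substring."""
    value = value.lower()
    return all(t in value for t in terms)


def selection_localgroup(ev: Event) -> bool:
    return (contains_any(ev.get("Payload", ""), LOCALGROUP_TERMS)
            or contains_any(ev.get("ContextInfo", ""), LOCALGROUP_TERMS))


def selection_wmi_module(ev: Event) -> bool:
    # As written in the rule, the ContextInfo branch uses contains|all, so it
    # only fires when all four cmdlet/alias names appear together in that field.
    return (contains_any(ev.get("Payload", ""), WMI_MODULE_TERMS)
            or contains_all(ev.get("ContextInfo", ""), WMI_MODULE_TERMS))


def selection_wmi_class(ev: Event) -> bool:
    return (contains_any(ev.get("Payload", ""), WMI_CLASS_TERMS)
            or contains_any(ev.get("ContextInfo", ""), WMI_CLASS_TERMS))


def matches(ev: Event) -> bool:
    """condition: selection_localgroup or all of selection_wmi_*"""
    return selection_localgroup(ev) or (selection_wmi_module(ev) and selection_wmi_class(ev))


def flag(events: Iterable[Event]) -> List[str]:
    """Return the ids of the events the rule would alert on."""
    return [ev["id"] for ev in events if matches(ev)]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    {"id": "e1", "Payload": 'CommandInvocation(Get-LocalGroupMember): "Get-LocalGroupMember -Group Administrators"'},
    {"id": "e2", "Payload": "Get-WmiObject -Class Win32_Group | Select Name", "ContextInfo": "Command Name = Get-WmiObject"},
    {"id": "e3", "Payload": "Get-CimInstance -ClassName Win32_Service"},  # WMI, but not the group class
    {"id": "e4", "Payload": "Get-Process | Sort CPU"},  # unrelated activity
    {"id": "e5", "ContextInfo": "Host Application = powershell gcim Win32_Group"},  # ContextInfo only: needs all four aliases
]

if __name__ == "__main__":
    print(flag(SAMPLE_EVENTS))  # ['e1', 'e2']
```

Record e5 is the one to note: it would be caught if the ContextInfo branch used plain contains, which is the first thing to check when tuning this rule for an environment that populates ContextInfo but not Payload.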
Related rules
- Suspicious Get Local Groups Information - PowerShell
- Malicious PowerShell Commandlets - PoshModule
- Malicious PowerShell Commandlets - ProcessCreation
- Malicious PowerShell Commandlets - ScriptBlock
- Local Groups Discovery - Linux