Suspicious Get Local Groups Information

 1title: Suspicious Get Local Groups Information
 2id: cef24b90-dddc-4ae1-a09a-8764872f69fc
 3related:
 4    - id: fa6a5a45-3ee2-4529-aa14-ee5edc9e29cb
 5      type: similar
 6status: test
 7description: |
 8    Detects the use of PowerShell modules and cmdlets to gather local group information.
 9    Adversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.    
10references:
11    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
12author: frack113
13date: 2021-12-12
14modified: 2025-08-22
15tags:
16    - attack.discovery
17    - attack.t1069.001
18logsource:
19    product: windows
20    category: ps_module
21    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
22detection:
23    selection_localgroup:
24        - Payload|contains:
25              - 'get-localgroup '
26              - 'get-localgroupmember '
27        - ContextInfo|contains:
28              - 'get-localgroup '
29              - 'get-localgroupmember '
30    selection_wmi_module:
31        - Payload|contains:
32              - 'get-wmiobject '
33              - 'gwmi '
34              - 'get-ciminstance '
35              - 'gcim '
36        - ContextInfo|contains|all:
37              - 'get-wmiobject '
38              - 'gwmi '
39              - 'get-ciminstance '
40              - 'gcim '
41    selection_wmi_class:
42        - Payload|contains: 'win32_group'
43        - ContextInfo|contains: 'win32_group'
44    condition: selection_localgroup or all of selection_wmi_*
45falsepositives:
46    - Administrator script
47level: low