Suspicious Get Local Groups Information

calendar Aug 12, 2024 · attack.discovery attack.t1069.001  ·
Share on: linkedin copy

Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.

Sigma rule (View on GitHub)

 1title: Suspicious Get Local Groups Information
 2id: cef24b90-dddc-4ae1-a09a-8764872f69fc
 3status: test
 4description: |
 5    Adversaries may attempt to find local system groups and permission settings.
 6    The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.
 7    Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.    
 8references:
 9    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
10author: frack113
11date: 2021-12-12
12modified: 2022-12-25
13tags:
14    - attack.discovery
15    - attack.t1069.001
16logsource:
17    product: windows
18    category: ps_module
19    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
20detection:
21    test_3:
22        - Payload|contains:
23              - 'get-localgroup'
24              - 'Get-LocalGroupMember'
25        - ContextInfo|contains:
26              - 'get-localgroup'
27              - 'Get-LocalGroupMember'
28    test_6:
29        - Payload|contains|all:
30              - 'Get-WMIObject'
31              - 'Win32_Group'
32        - ContextInfo|contains|all:
33              - 'Get-WMIObject'
34              - 'Win32_Group'
35    condition: 1 of test_*
36falsepositives:
37    - Administrator script
38level: low

References

Related rules

to-top