Suspicious Get Local Groups Information - PowerShell

Detects the use of PowerShell modules and cmdlets to gather local group information. Adversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.

Sigma rule

title: Suspicious Get Local Groups Information - PowerShell
id: fa6a5a45-3ee2-4529-aa14-ee5edc9e29cb
related:
    - id: cef24b90-dddc-4ae1-a09a-8764872f69fc
      type: similar
status: test
description: |
    Detects the use of PowerShell modules and cmdlets to gather local group information.
    Adversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
author: frack113
date: 2021-12-12
modified: 2025-08-22
tags:
    - attack.discovery
    - attack.t1069.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_localgroup:
        ScriptBlockText|contains:
            - 'get-localgroup '
            - 'get-localgroupmember '
    selection_wmi_module:
        ScriptBlockText|contains:
            - 'get-wmiobject '
            - 'gwmi '
            - 'get-ciminstance '
            - 'gcim '
    selection_wmi_class:
        ScriptBlockText|contains: 'win32_group' # Covers both win32_group and win32_groupuser
    condition: selection_localgroup or all of selection_wmi_*
falsepositives:
    - Inventory scripts or admin tasks
level: low
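The following is an added example, not part of the Sigma rule or the SigmaHQ project: a small Python evaluator that reproduces the rule's detection logic (case-insensitive `contains` matching, which is Sigma's default, and the condition `selection_localgroup or all of selection_wmi_*`) and runs it over a few constructed Script Block Logging text samples. The sample strings, the event labels and the function names are assumptions made for illustration. It also shows a property of the rule a detection engineer should know about: the trailing space in `'get-localgroup '` means a bare `Get-LocalGroup` at the end of a script block does not match, while the WMI/CIM branch only fires when both a module cmdlet and a `win32_group*` class name appear in the same script block.

```python
"""Evaluator for the rule's detection section (added example, not SigmaHQ code)."""

# Terms copied from the rule's three selections. Sigma's `contains` modifier is
# case-insensitive, so every comparison below lower-cases the script block first.
LOCALGROUP_TERMS = ("get-localgroup ", "get-localgroupmember ")
WMI_MODULE_TERMS = ("get-wmiobject ", "gwmi ", "get-ciminstance ", "gcim ")
WMI_CLASS_TERMS = ("win32_group",)  # covers win32_group and win32_groupuser


def _contains_any(text: str, terms: tuple) -> bool:
    """Sigma `|contains` list semantics: true if any term is a substring."""
    lowered = text.lower()
    return any(term in lowered for term in terms)


def matches_rule(script_block_text: str) -> bool:
    """Apply `condition: selection_localgroup or all of selection_wmi_*`.

    `all of selection_wmi_*` expands to selection_wmi_module AND selection_wmi_class.
    """
    selection_localgroup = _contains_any(script_block_text, LOCALGROUP_TERMS)
    selection_wmi_module = _contains_any(script_block_text, WMI_MODULE_TERMS)
    selection_wmi_class = _contains_any(script_block_text, WMI_CLASS_TERMS)
    return selection_localgroup or (selection_wmi_module and selection_wmi_class)


# Constructed ScriptBlockText samples (hypothetical Event ID 4104 payloads).
SAMPLE_EVENTS = [
    ("localgroup_member", "Get-LocalGroupMember -Group Administrators"),
    ("localgroup_bare", "Get-LocalGroup"),          # no trailing space: not matched
    ("wmi_groupuser", "Get-CimInstance -ClassName Win32_GroupUser | Format-List"),
    ("wmi_other_class", "Get-CimInstance -ClassName Win32_Process"),
    ("gwmi_alias", "gwmi win32_group | select Name"),
    ("class_only", "Write-Host 'win32_group is a WMI class'"),  # no module cmdlet
]


def evaluate(events):
    """Return (label, matched) pairs for a list of (label, ScriptBlockText)."""
    return [(label, matches_rule(text)) for label, text in events]


if __name__ == "__main__":
    for label, hit in evaluate(SAMPLE_EVENTS):
        print(f"{label:18} {'ALERT' if hit else 'no match'}")
```

When tuning this rule, the `localgroup_bare` sample is the case to check in your own telemetry: a script block that ends with `Get-LocalGroup` (no argument, no pipe) is not covered by the trailing-space term, and whether that gap matters depends on how your collection pipeline preserves line endings.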
