Suspicious Get Local Groups Information - PowerShell
Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
Sigma rule (View on GitHub)
1title: Suspicious Get Local Groups Information - PowerShell
2id: fa6a5a45-3ee2-4529-aa14-ee5edc9e29cb
3status: test
4description: |
5 Adversaries may attempt to find local system groups and permission settings.
6 The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.
7 Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
8references:
9 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
10author: frack113
11date: 2021-12-12
12modified: 2022-11-25
13tags:
14 - attack.discovery
15 - attack.t1069.001
16logsource:
17 product: windows
18 category: ps_script
19 definition: 'Requirements: Script Block Logging must be enabled'
20detection:
21 test_3:
22 ScriptBlockText|contains:
23 - 'get-localgroup'
24 - 'Get-LocalGroupMember'
25 test_6:
26 ScriptBlockText|contains|all:
27 - 'Get-WMIObject'
28 - 'Win32_Group'
29 condition: 1 of test_*
30falsepositives:
31 - Unknown
32level: low
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- AD Groups Or Users Enumeration Using PowerShell - PoshModule
- AD Groups Or Users Enumeration Using PowerShell - ScriptBlock
- BloodHound Collection Files
- HackTool - Bloodhound/Sharphound Execution
- Local Groups Discovery - Linux