Suspicious Get Local Groups Information - PowerShell
Detects the use of PowerShell modules and cmdlets to gather local group information. Adversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.
Sigma rule (View on GitHub)
```yaml
title: Suspicious Get Local Groups Information - PowerShell
id: fa6a5a45-3ee2-4529-aa14-ee5edc9e29cb
related:
    - id: cef24b90-dddc-4ae1-a09a-8764872f69fc
      type: similar
status: test
description: |
    Detects the use of PowerShell modules and cmdlets to gather local group information.
    Adversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
author: frack113
date: 2021-12-12
modified: 2025-08-22
tags:
    - attack.discovery
    - attack.t1069.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_localgroup:
        ScriptBlockText|contains:
            - 'get-localgroup '
            - 'get-localgroupmember '
    selection_wmi_module:
        ScriptBlockText|contains:
            - 'get-wmiobject '
            - 'gwmi '
            - 'get-ciminstance '
            - 'gcim '
    selection_wmi_class:
        ScriptBlockText|contains: 'win32_group' # Covers both win32_group and win32_groupuser
    condition: selection_localgroup or all of selection_wmi_*
falsepositives:
    - Inventory scripts or admin tasks
level: low
```
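To make the rule's condition concrete, the following added example (not part of the rule or of SigmaHQ) re-implements the three `ScriptBlockText|contains` selections and the `selection_localgroup or all of selection_wmi_*` condition in Python and runs them over constructed Script Block Logging (Event ID 4104) samples. Sigma `contains` is case-insensitive by default, so the comparison is done on lowercased text; the sample script blocks are made up for illustration and are not real telemetry.

```python
"""Re-implementation of the detection logic of Sigma rule
fa6a5a45-3ee2-4529-aa14-ee5edc9e29cb (added example, not the rule's own code).
Evaluates the rule's 'contains' selections over constructed ScriptBlockText values."""

# Search terms copied from the rule; note the trailing spaces on the cmdlet names
LOCALGROUP_TERMS = ("get-localgroup ", "get-localgroupmember ")
WMI_MODULE_TERMS = ("get-wmiobject ", "gwmi ", "get-ciminstance ", "gcim ")
WMI_CLASS_TERMS = ("win32_group",)  # also matches win32_groupuser, as the rule's comment says


def contains_any(text, terms):
    """Sigma 'contains' is case-insensitive by default, so match on lowercased text."""
    lowered = text.lower()
    return any(term in lowered for term in terms)


def matches(script_block_text):
    """Return True if the script block satisfies the rule's condition:
    selection_localgroup or all of selection_wmi_*"""
    selection_localgroup = contains_any(script_block_text, LOCALGROUP_TERMS)
    selection_wmi_module = contains_any(script_block_text, WMI_MODULE_TERMS)
    selection_wmi_class = contains_any(script_block_text, WMI_CLASS_TERMS)
    return selection_localgroup or (selection_wmi_module and selection_wmi_class)


# Constructed sample ScriptBlockText values (not real event data)
SAMPLES = {
    "localgroupmember": 'Get-LocalGroupMember -Group "Administrators"',
    "gwmi_group": "gwmi -Class Win32_Group | Select Name,SID",
    "cim_groupuser": "Get-CimInstance -ClassName Win32_GroupUser",
    "wmi_other_class": "Get-WmiObject -Class Win32_Process",   # WMI cmdlet, wrong class
    "group_no_cmdlet": "$name = 'win32_group'",                 # class string, no WMI cmdlet
    "bare_localgroup": "Get-LocalGroup",                        # no trailing space/argument
    "benign": "Get-ChildItem C:\\Temp | Measure-Object",
}


def scan(samples):
    """Evaluate every sample; returns {name: matched}."""
    return {name: matches(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, hit in scan(SAMPLES).items():
        print(f"{'ALERT' if hit else 'ok   '}  {name}")
```

Two properties of the rule are visible in the output. The WMI branch only fires when a WMI/CIM cmdlet and the `win32_group` class string appear in the same script block, so `Get-WmiObject -Class Win32_Process` and a bare `'win32_group'` string literal both stay quiet. The trailing space in `'get-localgroup '` means a script block ending in `Get-LocalGroup` with no arguments does not match; that is a coverage boundary of the rule as written, worth knowing when tuning it against the "inventory scripts or admin tasks" false positives it lists.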
Related rules
- Suspicious Get Local Groups Information
- Malicious PowerShell Commandlets - PoshModule
- Malicious PowerShell Commandlets - ProcessCreation
- Malicious PowerShell Commandlets - ScriptBlock
- Local Groups Discovery - Linux