Suspicious Get Local Groups Information - PowerShell
Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
Sigma rule (View on GitHub)
1title: Suspicious Get Local Groups Information - PowerShell
2id: fa6a5a45-3ee2-4529-aa14-ee5edc9e29cb
3status: test
4description: |
5 Adversaries may attempt to find local system groups and permission settings.
6 The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.
7 Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
8references:
9 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
10author: frack113
11date: 2021/12/12
12modified: 2022/11/25
13tags:
14 - attack.discovery
15 - attack.t1069.001
16logsource:
17 product: windows
18 category: ps_script
19 definition: 'Requirements: Script Block Logging must be enabled'
20detection:
21 test_3:
22 ScriptBlockText|contains:
23 - 'get-localgroup'
24 - 'Get-LocalGroupMember'
25 test_6:
26 ScriptBlockText|contains|all:
27 - 'Get-WMIObject'
28 - 'Win32_Group'
29 condition: 1 of test_*
30falsepositives:
31 - Unknown
32level: low
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Suspicious Get Information for SMB Share - PowerShell Module
- AD Groups Or Users Enumeration Using PowerShell - ScriptBlock
- Suspicious Get Information for SMB Share
- Local Groups Discovery - Linux
- Local Groups Discovery - MacOs