Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet
Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet
Sigma rule

title: Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet
id: c8a180d6-47a3-4345-a609-53f9c3d834fc
related:
    - id: cef24b90-dddc-4ae1-a09a-8764872f69fc
      type: similar
status: test
description: Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet
references:
    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-10
tags:
    - attack.discovery
    - attack.t1087.001
logsource:
    category: process_creation
    product: windows
detection:
    # Covers group and localgroup flags
    selection_cmdlet:
        CommandLine|contains: 'Get-LocalGroupMember '
    selection_group:
        CommandLine|contains:
            # Add more groups for other languages
            - 'domain admins'
            - ' administrator' # Typo without an 'S' so we catch both
            - ' administrateur' # Typo without an 'S' so we catch both
            - 'enterprise admins'
            - 'Exchange Trusted Subsystem'
            - 'Remote Desktop Users'
            - 'Utilisateurs du Bureau à distance' # French for "Remote Desktop Users"
            - 'Usuarios de escritorio remoto' # Spanish for "Remote Desktop Users"
    condition: all of selection_*
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Administrative activity
level: medium
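The rule's detection logic evaluated over a few constructed process_creation events, as an added example that is not part of the Sigma rule or of SigmaHQ tooling. The event dictionaries are constructed samples, and the case-insensitive substring matching stands in for a real Sigma backend's handling of the `contains` modifier.

```python
"""Added example: apply the rule's two selections and the 'all of selection_*'
condition to constructed process_creation events. Constructed samples only;
not the rule's own code and not a Sigma backend."""

# Group terms copied from selection_group; note the deliberate ' administrator'
# (no trailing 's') so both 'Administrator' and 'Administrators' match.
GROUP_TERMS = [
    'domain admins',
    ' administrator',
    ' administrateur',
    'enterprise admins',
    'Exchange Trusted Subsystem',
    'Remote Desktop Users',
    'Utilisateurs du Bureau à distance',
    'Usuarios de escritorio remoto',
]


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's logsource and condition."""
    if event.get("Category") != "process_creation" or event.get("Product") != "windows":
        return False
    # Sigma string modifiers such as |contains match case-insensitively by default.
    cmd = event.get("CommandLine", "").casefold()
    selection_cmdlet = "get-localgroupmember " in cmd  # trailing space as in the rule
    selection_group = any(term.casefold() in cmd for term in GROUP_TERMS)
    return selection_cmdlet and selection_group  # condition: all of selection_*


# Constructed sample events (hypothetical command lines, not captured telemetry).
SAMPLE_EVENTS = [
    {"Category": "process_creation", "Product": "windows",
     "CommandLine": 'powershell.exe -c "Get-LocalGroupMember -Group Administrators"'},
    {"Category": "process_creation", "Product": "windows",
     "CommandLine": "powershell.exe Get-LocalGroupMember -Name 'Remote Desktop Users'"},
    {"Category": "process_creation", "Product": "windows",
     "CommandLine": 'powershell.exe Get-LocalGroupMember -Group "Utilisateurs du Bureau à distance"'},
    # Cmdlet present but the group is not one the rule lists: no match.
    {"Category": "process_creation", "Product": "windows",
     "CommandLine": "powershell.exe Get-LocalGroupMember -Group Backup"},
    # Listed group present but a different tool; this rule does not fire.
    {"Category": "process_creation", "Product": "windows",
     "CommandLine": "net localgroup administrators"},
]


def evaluate(events=SAMPLE_EVENTS):
    """Evaluate every event; returns one bool per event in input order."""
    return [matches_rule(e) for e in events]
```

The last two sample events show the rule's scope: it needs both the cmdlet and one of the listed group names on the same command line, and enumeration through other tools is left to the related rules.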
Related rules
- BloodHound Collection Files
- Cisco Collect Data
- HackTool - Bloodhound/Sharphound Execution
- Local Accounts Discovery
- Local System Accounts Discovery - MacOs