
Suspicious Get Local Groups Information

Status
test
Severity
low
Log source
product windows, category ps_module
Author
frack113
Source
github.com/SigmaHQ/sigma

Detects the use of PowerShell modules and cmdlets to gather local group information. Adversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.

Rule body (YAML)

title: Suspicious Get Local Groups Information
id: cef24b90-dddc-4ae1-a09a-8764872f69fc
related:
    - id: fa6a5a45-3ee2-4529-aa14-ee5edc9e29cb
      type: similar
status: test
description: |
    Detects the use of PowerShell modules and cmdlets to gather local group information.
    Adversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
author: frack113
date: 2021-12-12
modified: 2025-08-22
tags:
    - attack.discovery
    - attack.t1069.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_localgroup:
        - Payload|contains:
              - 'get-localgroup '
              - 'get-localgroupmember '
        - ContextInfo|contains:
              - 'get-localgroup '
              - 'get-localgroupmember '
    selection_wmi_module:
        - Payload|contains:
              - 'get-wmiobject '
              - 'gwmi '
              - 'get-ciminstance '
              - 'gcim '
        - ContextInfo|contains|all:
              - 'get-wmiobject '
              - 'gwmi '
              - 'get-ciminstance '
              - 'gcim '
    selection_wmi_class:
        - Payload|contains: 'win32_group'
        - ContextInfo|contains: 'win32_group'
    condition: selection_localgroup or all of selection_wmi_*
falsepositives:
    - Administrator script
level: low

Stages and Predicates

Stage 0: condition

selection_localgroup or all of selection_wmi_*

Stage 1: selection_localgroup

selection_localgroup:
    - Payload|contains:
          - 'get-localgroup '
          - 'get-localgroupmember '
    - ContextInfo|contains:
          - 'get-localgroup '
          - 'get-localgroupmember '

Stage 2: selection_wmi_module

selection_wmi_module:
    - Payload|contains:
          - 'get-wmiobject '
          - 'gwmi '
          - 'get-ciminstance '
          - 'gcim '
    - ContextInfo|contains|all:
          - 'get-wmiobject '
          - 'gwmi '
          - 'get-ciminstance '
          - 'gcim '

Stage 3: selection_wmi_class

selection_wmi_class:
    - Payload|contains: 'win32_group'
    - ContextInfo|contains: 'win32_group'
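To show how the condition and the three selections above evaluate against real-shaped records, here is an added Python example; it is not part of the SigmaHQ rule or of this catalog page. It encodes the selections as data, applies Sigma's case-insensitive `contains` semantics (including the `|all` modifier), and runs the condition over four constructed, simplified module-logging records (the `ps_module` category corresponds to PowerShell Event ID 4103). The `Payload` and `ContextInfo` strings are constructed for this example, not captured logs. Two behaviours of the rule as written are visible in the results: the trailing space in values such as `'get-localgroupmember '` means a bare `CommandInvocation(Get-LocalGroupMember):` token in Payload does not match, while a command line carried in the ContextInfo Host Application line does; and the `ContextInfo|contains|all` clause in selection_wmi_module only fires when all four cmdlet names are present, so a record that names a single WMI cmdlet only in ContextInfo is not flagged even when `win32_group` is present.

```python
# Added example (not part of the SigmaHQ rule or this catalog page): a
# minimal evaluator for the detection block above, run over constructed,
# simplified PowerShell module-logging (Event ID 4103) records.

# Selections copied from the rule body. A selection is a list of clauses
# combined with OR (the YAML list-of-maps form); each clause is
# (field, values, require_all). Values within a clause are ORed unless
# require_all is set, which mirrors the |all modifier.
SELECTIONS = {
    "selection_localgroup": [
        ("Payload", ["get-localgroup ", "get-localgroupmember "], False),
        ("ContextInfo", ["get-localgroup ", "get-localgroupmember "], False),
    ],
    "selection_wmi_module": [
        ("Payload", ["get-wmiobject ", "gwmi ", "get-ciminstance ", "gcim "], False),
        ("ContextInfo", ["get-wmiobject ", "gwmi ", "get-ciminstance ", "gcim "], True),
    ],
    "selection_wmi_class": [
        ("Payload", ["win32_group"], False),
        ("ContextInfo", ["win32_group"], False),
    ],
}


def clause_matches(event, field, values, require_all):
    """Sigma 'contains' is case-insensitive; a missing field never matches."""
    haystack = str(event.get(field, "")).lower()
    hits = [value.lower() in haystack for value in values]
    return all(hits) if require_all else any(hits)


def selection_matches(event, name):
    return any(clause_matches(event, *clause) for clause in SELECTIONS[name])


def matched_selections(event):
    """Names of the selections that fire, in rule order (useful for triage)."""
    return [name for name in SELECTIONS if selection_matches(event, name)]


def rule_matches(event):
    """condition: selection_localgroup or all of selection_wmi_*"""
    wmi = [n for n in SELECTIONS if n.startswith("selection_wmi_")]
    return selection_matches(event, "selection_localgroup") or all(
        selection_matches(event, n) for n in wmi
    )


def evaluate(events):
    """Map each record's id to the rule verdict."""
    return {e["id"]: rule_matches(e) for e in events}


# Constructed sample records (not captured logs). Payload follows the
# CommandInvocation/ParameterBinding layout of module logging; ContextInfo
# carries the Host Application line, where an interactive command line appears.
SAMPLE_EVENTS = [
    {   # local group member listing passed on the command line
        "id": "evt-1",
        "Payload": 'CommandInvocation(Get-LocalGroupMember): "Get-LocalGroupMember"\r\n'
                   'ParameterBinding(Get-LocalGroupMember): name="Group"; value="Administrators"',
        "ContextInfo": "Severity = Informational\r\n Host Name = ConsoleHost\r\n"
                       " Host Application = powershell.exe -Command Get-LocalGroupMember -Group Administrators\r\n"
                       " Command Name = Get-LocalGroupMember\r\n Command Type = Cmdlet",
    },
    {   # WMI alias and class both land in Payload via an Invoke-Expression argument
        "id": "evt-2",
        "Payload": 'CommandInvocation(Invoke-Expression): "Invoke-Expression"\r\n'
                   'ParameterBinding(Invoke-Expression): name="Command"; value="gwmi -Class Win32_Group"',
        "ContextInfo": "Host Application = powershell.exe\r\n Command Name = Invoke-Expression",
    },
    {   # class in Payload, but only one cmdlet name in ContextInfo: wmi_module does not fire
        "id": "evt-3",
        "Payload": 'CommandInvocation(Get-CimInstance): "Get-CimInstance"\r\n'
                   'ParameterBinding(Get-CimInstance): name="ClassName"; value="Win32_Group"',
        "ContextInfo": "Host Application = powershell.exe -c gcim Win32_Group\r\n Command Name = Get-CimInstance",
    },
    {   # benign cmdlet, no indicator present
        "id": "evt-4",
        "Payload": 'CommandInvocation(Get-Date): "Get-Date"',
        "ContextInfo": "Host Application = powershell.exe -c Get-Date\r\n Command Name = Get-Date",
    },
]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["id"], rule_matches(event), matched_selections(event))
```

Running the block prints one line per record with the verdict and the selections that fired; evt-1 and evt-2 match, evt-3 and evt-4 do not. When tuning this rule for a specific environment, `matched_selections` is the quickest way to see which branch of the condition produced a hit and whether the `|all` clause on ContextInfo is contributing at all.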

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field        Kind   Values
ContextInfo  match  gcim, get-ciminstance, get-localgroup, get-localgroupmember, get-wmiobject, gwmi, win32_group
Payload      match  gcim, get-ciminstance, get-localgroup, get-localgroupmember, get-wmiobject, gwmi, win32_group