detection.wiki

Detection rules › Sigma

Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet

Status
test
Severity
medium
Log source
product windows, category process_creation
Author
Nasreddine Bencherchali (Nextron Systems)
Source
github.com/SigmaHQ/sigma

Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet

MITRE ATT&CK coverage

TacticTechniques
DiscoveryT1087.001 Account Discovery: Local Account

Event coverage

ProviderEventTitle
SysmonEvent ID 1Process creation
Security-AuditingEvent ID 4688A new process has been created.

Rule body yaml

title: Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet
id: c8a180d6-47a3-4345-a609-53f9c3d834fc
related:
    - id: cef24b90-dddc-4ae1-a09a-8764872f69fc
      type: similar
status: test
description: Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet
references:
    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-10
tags:
    - attack.discovery
    - attack.t1087.001
logsource:
    category: process_creation
    product: windows
detection:
    # Covers group and localgroup flags
    selection_cmdlet:
        CommandLine|contains: 'Get-LocalGroupMember '
    selection_group:
        CommandLine|contains:
            # Add more groups for other languages
            - 'domain admins'
            - ' administrator' # Typo without an 'S' so we catch both
            - ' administrateur' # Typo without an 'S' so we catch both
            - 'enterprise admins'
            - 'Exchange Trusted Subsystem'
            - 'Remote Desktop Users'
            - 'Utilisateurs du Bureau à distance' # French for "Remote Desktop Users"
            - 'Usuarios de escritorio remoto' # Spanish for "Remote Desktop Users"
    condition: all of selection_*
falsepositives:
    - Administrative activity
level: medium

Stages and Predicates

Stage 0: condition

all of selection_*

Stage 1: selection_cmdlet

selection_cmdlet:
    CommandLine|contains: 'Get-LocalGroupMember '

Stage 2: selection_group

selection_group:
    CommandLine|contains:
        - 'domain admins'
        - ' administrator'
        - ' administrateur'
        - 'enterprise admins'
        - 'Exchange Trusted Subsystem'
        - 'Remote Desktop Users'
        - 'Utilisateurs du Bureau à distance'
        - 'Usuarios de escritorio remoto'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
CommandLinematch
  • administrateur corpus 3 (sigma 3)
  • administrator corpus 2 (sigma 2)
  • Exchange Trusted Subsystem corpus 2 (sigma 2)
  • Get-LocalGroupMember
  • Remote Desktop Users corpus 3 (sigma 3)
  • Usuarios de escritorio remoto corpus 3 (sigma 3)
  • Utilisateurs du Bureau à distance corpus 3 (sigma 3)
  • domain admins corpus 3 (sigma 2, splunk 1)
  • enterprise admins corpus 3 (sigma 2, splunk 1)