Suspicious Get Local Groups Information

Severity: low
Author: frack113
Source: upstream

Detects the use of PowerShell modules and cmdlets to gather local group information. Adversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.

MITRE ATT&CK coverage

Tactic	Techniques
Discovery	`T1069.001` Permission Groups Discovery: Local Groups

Event coverage

Provider	Event ID	Title
PowerShell	4103	Payload Context: ContextInfo User Data: UserData.

Stages and Predicates

Stage 1: `selection_localgroup`

or:
ContextInfo|contains: 'get-localgroup '
ContextInfo|contains: 'get-localgroupmember '
Payload|contains: 'get-localgroup '
Payload|contains: 'get-localgroupmember '

Stage 2: `all of selection_wmi_module`

or:
ContextInfo|contains: 'gcim '
ContextInfo|contains: 'get-ciminstance '
ContextInfo|contains: 'get-wmiobject '
ContextInfo|contains: 'gwmi '
Payload|contains: 'gcim '
Payload|contains: 'get-ciminstance '
Payload|contains: 'get-wmiobject '
Payload|contains: 'gwmi '

Stage 3: `all of selection_wmi_class`

or:
ContextInfo|contains: win32_group
Payload|contains: win32_group

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`ContextInfo`	match	`gcim` `get-ciminstance` `get-localgroup` `get-localgroupmember` `get-wmiobject` `gwmi` `win32_group`
`Payload`	match	`gcim` `get-ciminstance` `get-localgroup` `get-localgroupmember` `get-wmiobject` `gwmi` `win32_group`