
Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet

Severity: medium
Author: Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects suspicious reconnaissance command-line activity on Windows systems that uses the PowerShell Get-LocalGroupMember cmdlet.

MITRE ATT&CK coverage

Tactic      Technique
Discovery   T1087.001 Account Discovery: Local Account

Event coverage

Provider            Event ID   Title
Sysmon              1          Process creation
Security-Auditing   4688       A new process has been created.

Stages and Predicates

Stage 1: all of selection_cmdlet

CommandLine|contains: 'Get-LocalGroupMember '

Stage 2: all of selection_group

or:
CommandLine|contains: ' administrateur'
CommandLine|contains: ' administrator'
CommandLine|contains: 'Exchange Trusted Subsystem'
CommandLine|contains: 'Remote Desktop Users'
CommandLine|contains: 'Usuarios de escritorio remoto'
CommandLine|contains: 'Utilisateurs du Bureau à distance'
CommandLine|contains: 'domain admins'
CommandLine|contains: 'enterprise admins'
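
The two stages above combine as an AND (both selections must match), and each `contains` test is case-insensitive per Sigma's default string matching. The following added example is not part of the rule or the catalog; it re-implements that logic in Python and runs it over constructed process-creation events so the effect of the trailing space in `'Get-LocalGroupMember '` and of the leading space in `' administrator'` can be seen directly.

```python
"""Reference implementation of the rule's two-stage logic over constructed sample events."""

# Stage 1 (selection_cmdlet): cmdlet name with its trailing space, exactly as in the rule.
CMDLET_TERMS = ("get-localgroupmember ",)

# Stage 2 (selection_group): any one of the group-name fragments listed in the rule.
GROUP_TERMS = (
    " administrateur", " administrator", "exchange trusted subsystem",
    "remote desktop users", "usuarios de escritorio remoto",
    "utilisateurs du bureau à distance", "domain admins", "enterprise admins",
)


def _contains_any(value: str, terms) -> bool:
    # Sigma 'contains' is case-insensitive by default, so compare on the lowercased value.
    lowered = value.lower()
    return any(term in lowered for term in terms)


def rule_matches(command_line: str) -> bool:
    """True only when both selections match: the cmdlet AND one of the group names."""
    return _contains_any(command_line, CMDLET_TERMS) and _contains_any(command_line, GROUP_TERMS)


def evaluate(events):
    """Return (matched, event) pairs for process-creation events carrying a CommandLine field."""
    return [(rule_matches(event.get("CommandLine", "")), event) for event in events]


# Constructed sample events (Sysmon EID 1 / Security EID 4688 style), not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "CommandLine": "powershell.exe Get-LocalGroupMember -Group Administrators"},
    {"EventID": 4688, "CommandLine": "powershell -c Get-LocalGroupMember -Group 'Remote Desktop Users'"},
    {"EventID": 1, "CommandLine": "POWERSHELL get-localgroupmember -group DOMAIN ADMINS"},  # case variant
    {"EventID": 1, "CommandLine": "powershell Get-LocalGroupMember -Group Users"},  # cmdlet, but no listed group
    {"EventID": 4688, "CommandLine": "net localgroup administrators"},  # listed group, but not the cmdlet
    {"EventID": 1, "CommandLine": "powershell Get-LocalGroupMember"},  # no argument: trailing space absent
]

if __name__ == "__main__":
    for hit, event in evaluate(SAMPLE_EVENTS):
        print("ALERT" if hit else "     ", event["EventID"], event["CommandLine"])
```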

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field         Kind    Values
CommandLine   match
  • administrateur (corpus 3, sigma 3)
  • administrator (corpus 2, sigma 2)
  • Exchange Trusted Subsystem (corpus 2, sigma 2)
  • Get-LocalGroupMember
  • Remote Desktop Users (corpus 3, sigma 3)
  • Usuarios de escritorio remoto (corpus 3, sigma 3)
  • Utilisateurs du Bureau à distance (corpus 3, sigma 3)
  • domain admins (corpus 2, sigma 2)
  • enterprise admins (corpus 2, sigma 2)