Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet
title: Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet
id: c8a180d6-47a3-4345-a609-53f9c3d834fc
related:
- id: cef24b90-dddc-4ae1-a09a-8764872f69fc
type: similar
status: test
description: Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet
references:
- https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-10
tags:
- attack.discovery
- attack.t1087.001
logsource:
category: process_creation
product: windows
detection:
# Covers group and localgroup flags
selection_cmdlet:
CommandLine|contains: 'Get-LocalGroupMember '
selection_group:
CommandLine|contains:
# Add more groups for other languages
- 'domain admins'
- ' administrator' # Typo without an 'S' so we catch both
- ' administrateur' # Typo without an 'S' so we catch both
- 'enterprise admins'
- 'Exchange Trusted Subsystem'
- 'Remote Desktop Users'
- 'Utilisateurs du Bureau à distance' # French for "Remote Desktop Users"
- 'Usuarios de escritorio remoto' # Spanish for "Remote Desktop Users"
condition: all of selection_*
falsepositives:
- Administrative activity
level: medium
imProcessCreate
| where TargetProcessCommandLine contains "Get-LocalGroupMember " and (TargetProcessCommandLine contains "domain admins" or TargetProcessCommandLine contains " administrator" or TargetProcessCommandLine contains " administrateur" or TargetProcessCommandLine contains "enterprise admins" or TargetProcessCommandLine contains "Exchange Trusted Subsystem" or TargetProcessCommandLine contains "Remote Desktop Users" or TargetProcessCommandLine contains "Utilisateurs du Bureau à distance" or TargetProcessCommandLine contains "Usuarios de escritorio remoto")| Sentinel Table | Notes |
|---|---|
imProcessCreate | Ensure this data connector is enabled |