/
posh_pm_susp_local_group_reco.yml
38 lines (38 loc) · 1.34 KB
/
posh_pm_susp_local_group_reco.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
title: Suspicious Get Local Groups Information
id: cef24b90-dddc-4ae1-a09a-8764872f69fc
status: test
description: |
Adversaries may attempt to find local system groups and permission settings.
The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.
Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
author: frack113
date: 2021/12/12
modified: 2022/12/25
tags:
- attack.discovery
- attack.t1069.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
test_3:
- Payload|contains:
- 'get-localgroup'
- 'Get-LocalGroupMember'
- ContextInfo|contains:
- 'get-localgroup'
- 'Get-LocalGroupMember'
test_6:
- Payload|contains|all:
- 'Get-WMIObject'
- 'Win32_Group'
- ContextInfo|contains|all:
- 'Get-WMIObject'
- 'Win32_Group'
condition: 1 of test_*
falsepositives:
- Administrator script
level: low