Get WMIObject Group Discovery with Script Block Logging

name: Get WMIObject Group Discovery with Script Block Logging
id: 69df7f7c-155d-11ec-a055-acde48001122
version: 10
date: '2026-02-25'
author: Michael Haag, Splunk
status: production
type: Hunting
description: The following analytic detects the execution of the `Get-WMIObject Win32_Group` command using PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, allowing for detailed analysis. Identifying group information on an endpoint is not inherently malicious but can be suspicious based on context such as time, endpoint, and user. This activity is significant as it may indicate reconnaissance efforts by an attacker. If confirmed malicious, it could lead to further enumeration and potential lateral movement within the network.
data_source:
    - Powershell Script Block Logging 4104
search: |-
    `powershell` EventCode=4104 ScriptBlockText = "*Get-WMIObject*" AND ScriptBlockText = "*Win32_Group*"
      | fillnull
      | stats count min(_time) as firstTime max(_time) as lastTime
        BY dest signature signature_id
           user_id vendor_product EventID
           Guid Opcode Name
           Path ProcessID ScriptBlockId
           ScriptBlockText
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `get_wmiobject_group_discovery_with_script_block_logging_filter`
how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.1/add-other-data-to-splunk-uba/configure-powershell-logging-to-see-powershell-anomalies-in-splunk-uba.
known_false_positives: False positives may be present. Tune as needed.
references:
    - https://www.splunk.com/en_us/blog/security/powershell-detections-threat-research-release-august-2021.html
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md
    - https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.1/add-other-data-to-splunk-uba/configure-powershell-logging-to-see-powershell-anomalies-in-splunk-uba.
    - https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
    - https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf
    - https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/
tags:
    analytic_story:
        - Active Directory Discovery
    asset_type: Endpoint
    mitre_attack_id:
        - T1069.001
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-powershell-xml.log
          source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
          sourcetype: XmlWinEventLog