
Summary
The rule "Get WMIObject Group Discovery" detects execution of the Get-WMIObject Win32_Group command via PowerShell or CMD to enumerate local groups on a Windows endpoint. The analytic relies on telemetry from Endpoint Detection and Response (EDR) solutions, specifically process execution events and their command-line parameters, to identify activity that may precede privilege escalation or lateral movement within a network. Drawing on data sources including Sysmon Event ID 1, Windows Event Log Security 4688, and CrowdStrike ProcessRollup2, it flags executions of this command, which may indicate an attacker gathering intelligence on group memberships that could facilitate unauthorized access to sensitive resources. The search uses Splunk's data model capabilities to correlate and summarize findings; the rule requires appropriate tuning to reduce false positives.
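The following is an added example, not the rule's own SPL: it applies the same detection logic in Python to constructed process-execution events shaped like the normalized fields an Endpoint data model search would expose. The field names, the sample events, the allowlist used to model tuning, and the inclusion of pwsh.exe and the gwmi alias are assumptions made for the example.

```python
import re

# Constructed sample events (hypothetical field names, loosely modelled on the
# normalized process fields a Splunk Endpoint data model search returns).
SAMPLE_EVENTS = [
    {"source": "Sysmon EventID 1", "host": "ws01", "user": "alice",
     "parent": "explorer.exe", "process": "powershell.exe",
     "cmdline": 'powershell.exe -NoP -c "Get-WMIObject Win32_Group | select Name"'},
    {"source": "WinEventLog:Security 4688", "host": "ws02", "user": "svc_deploy",
     "parent": "cmd.exe", "process": "powershell.exe",
     "cmdline": "powershell gwmi win32_group"},
    {"source": "CrowdStrike ProcessRollup2", "host": "ws03", "user": "bob",
     "parent": "cmd.exe", "process": "cmd.exe",
     "cmdline": 'cmd.exe /c powershell -c "Get-WmiObject -Class Win32_Group"'},
    {"source": "Sysmon EventID 1", "host": "ws04", "user": "carol",
     "parent": "explorer.exe", "process": "powershell.exe",
     "cmdline": "powershell Get-WMIObject Win32_Process"},   # other class: no match
    {"source": "Sysmon EventID 1", "host": "ws05", "user": "dave",
     "parent": "services.exe", "process": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

# PowerShell cmdlet names are case-insensitive; gwmi is the built-in alias.
CMDLET = re.compile(r"(?<![\w-])(get-wmiobject|gwmi)(?![\w-])", re.IGNORECASE)
WMI_CLASS = re.compile(r"\bwin32_group\b", re.IGNORECASE)
# The rule targets execution through PowerShell or CMD.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def is_group_discovery(cmdline):
    """True when the cmdlet (or its alias) is followed by the Win32_Group class."""
    m = CMDLET.search(cmdline)
    return bool(m) and bool(WMI_CLASS.search(cmdline, m.end()))


def detect(events, allowlist=()):
    """Return one finding per matching event; (host, user) pairs in the
    allowlist are dropped to model the tuning the analytic requires."""
    findings = []
    for ev in events:
        if ev["process"].lower() not in INTERPRETERS:
            continue
        if not is_group_discovery(ev["cmdline"]) or (ev["host"], ev["user"]) in allowlist:
            continue
        findings.append({"host": ev["host"], "user": ev["user"], "source": ev["source"],
                         "parent": ev["parent"], "cmdline": ev["cmdline"],
                         "technique": "T1069.001",
                         "message": f"Get-WMIObject Win32_Group run on {ev['host']} by {ev['user']}"})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS, allowlist={("ws02", "svc_deploy")}):
        print(f["source"], "|", f["message"])
```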
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- WMI
- Logon Session
ATT&CK Techniques
- T1069
- T1069.001
Created: 2024-11-13