Suspicious Get Local Groups Information - PowerShell

Summary
Summary
This detection rule identifies suspicious PowerShell commands that retrieve information about local user groups and their memberships on Windows systems. Adversaries commonly enumerate local permissions and group memberships to find users with elevated privileges, such as members of the local Administrators group, so the rule captures potentially malicious or unauthorized calls to the relevant PowerShell cmdlets. The rule matches on the content of PowerShell script block logging, so script block logging must be enabled on the monitored systems for the rule to be effective. It inspects the script block text for keywords associated with group information retrieval: 'Get-LocalGroup', 'Get-LocalGroupMember', and WMI queries against the 'Win32_Group' class. If any of these keywords is present, the rule fires, indicating that group enumeration is in progress. The goal is to detect reconnaissance that often precedes lateral movement or privilege escalation. Because administrators and management scripts legitimately run these cmdlets, alerts should be reviewed against the executing user, host, and parent process to separate routine administration from attacker activity.
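The following is an added example, not the rule's own Sigma YAML or any code from the rule's authors. It reconstructs the keyword logic the summary describes as a small Python matcher and runs it over a few constructed PowerShell script block log records (Event ID 4104 from the Microsoft-Windows-PowerShell/Operational log, which is where script block text is recorded). The `RULE` dictionary, the `ScriptBlockEvent` class and the sample records are assumptions made for this illustration; only the three keywords come from the page.

```python
"""Added example: apply the rule's ScriptBlockText keyword logic to
constructed script block logging records to see what fires and what does not.
The rule structure below is an assumed reconstruction, not the published YAML."""
from dataclasses import dataclass
from typing import Dict, List

# Keywords named in the rule summary (the only part taken from the page).
# Sigma string matching is case-insensitive by default, so the matcher lower-cases both sides.
RULE: Dict[str, object] = {
    "title": "Suspicious Get Local Groups Information - PowerShell",
    "field": "ScriptBlockText",
    "contains": ["Get-LocalGroup", "Get-LocalGroupMember", "Win32_Group"],
}

# Event ID under which PowerShell writes script block text when script block logging is enabled.
SCRIPT_BLOCK_EVENT_ID = 4104


@dataclass
class ScriptBlockEvent:
    """Minimal stand-in for a PowerShell operational log record (constructed, not a real schema)."""
    event_id: int
    script_block_text: str
    user: str = "unknown"


def matches(rule: Dict[str, object], event: ScriptBlockEvent) -> bool:
    """Return True when the event is a script block record containing any rule keyword."""
    if event.event_id != SCRIPT_BLOCK_EVENT_ID:
        # Other PowerShell events (module logging, pipeline execution) do not carry ScriptBlockText,
        # so the rule cannot fire on them even if the payload looks similar.
        return False
    text = event.script_block_text.lower()
    return any(keyword.lower() in text for keyword in rule["contains"])  # type: ignore[index]


def evaluate(rule: Dict[str, object], events: List[ScriptBlockEvent]) -> List[str]:
    """Run the rule over a batch of events and return the script block text of each hit."""
    return [e.script_block_text for e in events if matches(rule, e)]


# Constructed sample log records: two enumeration attempts, one lower-cased variant,
# one benign command, and one enumeration string that arrived under the wrong event ID.
SAMPLE_EVENTS = [
    ScriptBlockEvent(4104, "Get-LocalGroupMember -Group Administrators", "CORP\\jdoe"),
    ScriptBlockEvent(4104, "Get-WmiObject -Class Win32_Group -Filter \"LocalAccount='True'\"", "CORP\\svc-build"),
    ScriptBlockEvent(4104, "get-localgroup | select name", "CORP\\jdoe"),
    ScriptBlockEvent(4104, "Get-Process | Where-Object CPU -gt 100", "CORP\\jdoe"),
    ScriptBlockEvent(4103, "Get-LocalGroup Administrators", "CORP\\jdoe"),
]

if __name__ == "__main__":
    for hit in evaluate(RULE, SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Two things worth noticing when reading the output: 'Get-LocalGroupMember' already contains 'Get-LocalGroup' as a substring, so the second keyword adds documentation of intent rather than extra coverage; and the lower-cased `get-localgroup` still fires because Sigma's `contains` modifier is case-insensitive, which is what prevents trivial casing changes from evading the rule. Tuning in a real deployment is done on the surrounding fields (user, host, parent process) rather than by weakening the keyword list.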
Categories
  • Endpoint
  • Windows
Data Sources
  • Script
  • Process
ATT&CK Techniques
  • T1069.001
Created: 2021-12-12