This detection rule identifies the creation of local user accounts on Windows systems via the 'net.exe' command with the specific parameter that sets the account to never expire. The rule leverages the 'process_creation' log source to monitor for the command-line execution of 'net.exe' (or 'net1.exe') with the inclusion of the terms 'user', 'add', and 'expires:never'. The presence of these indicators in the command line points to a potential security risk, particularly as accounts that do not expire can lead to unauthorized access if misused or if sensitive accounts are inadvertently left active indefinitely. Given the critical nature of user account management, this rule is designed with a high priority to alert security personnel to possible malicious user creation activities, facilitating quicker investigation and response. The rule has a low false positive rate, indicating that its alerts are likely tied to actual user creation incidents rather than legitimate administrative activity.