
User Added to Local Administrator Group

Sigma Rules

Summary
This detection rule identifies when a new member is added to the local Administrators group on a Windows system. Such an addition may be legitimate administrative activity, but it can also indicate a privilege escalation attempt by an unauthorized user. The rule matches Windows Security Event ID 4732, which is logged when a member is added to a security-enabled local group, and selects events whose target name starts with 'Administr' or whose target is the well-known local Administrators security identifier (SID) 'S-1-5-32-544'. To reduce false positives, it filters out events involving computer accounts, which are identified by user names ending in a dollar sign ('$'). Because the local Administrators group carries elevated privileges, changes to its membership should be monitored closely.
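The rule logic from the summary, implemented in Python over a handful of constructed Windows Security events. This is an added example, not the Sigma rule's own code. It assumes the Security event field names TargetUserName, TargetSid and SubjectUserName, and it assumes the '$' filter is applied to the subject account (the account that performed the change); the sample events and their non-well-known SIDs are made up for the demonstration.

```python
# Added example (not the Sigma rule's own code): the detection logic from the
# summary above, applied to constructed Windows Security events.
from typing import Dict, List

# Well-known SID of the local BUILTIN\Administrators group.
LOCAL_ADMINISTRATORS_SID = "S-1-5-32-544"

# Event ID 4732: a member was added to a security-enabled local group.
MEMBER_ADDED_TO_LOCAL_GROUP = 4732


def is_local_admin_group_addition(event: Dict[str, object]) -> bool:
    """Return True when a single event satisfies the rule.

    Selection: Event ID 4732 where the target (group) name starts with
    'Administr' (a prefix match, so localized names such as 'Administratoren'
    also hit) or the target SID is the local Administrators SID.
    Filter: drop events whose subject account name ends with '$'; these are
    computer accounts, the false-positive source named in the summary.
    Assumption of this example: the '$' filter is applied to the subject
    (the account that performed the change), using the Security event field
    names TargetUserName, TargetSid and SubjectUserName.
    """
    if event.get("EventID") != MEMBER_ADDED_TO_LOCAL_GROUP:
        return False

    target_name = str(event.get("TargetUserName", ""))
    target_sid = str(event.get("TargetSid", ""))
    selected = target_name.startswith("Administr") or target_sid == LOCAL_ADMINISTRATORS_SID
    if not selected:
        return False

    subject_name = str(event.get("SubjectUserName", ""))
    if subject_name.endswith("$"):
        return False  # computer account: excluded by the rule's filter

    return True


def find_alerts(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Run the rule over an event stream and return the matching events."""
    return [e for e in events if is_local_admin_group_addition(e)]


# Constructed sample events (not real log data). Field names mirror the
# Windows Security event XML; SIDs other than the well-known ones are made up.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    # 1. Interactive user adds a member to Administrators -> alert
    {"EventID": 4732, "SubjectUserName": "jdoe", "TargetUserName": "Administrators",
     "TargetSid": "S-1-5-32-544", "MemberSid": "S-1-5-21-1111111111-2222222222-3333333333-1105"},
    # 2. Same action performed by a computer account -> filtered out
    {"EventID": 4732, "SubjectUserName": "WS01$", "TargetUserName": "Administrators",
     "TargetSid": "S-1-5-32-544", "MemberSid": "S-1-5-21-1111111111-2222222222-3333333333-1106"},
    # 3. Addition to a different local group (Remote Desktop Users) -> no alert
    {"EventID": 4732, "SubjectUserName": "jdoe", "TargetUserName": "Remote Desktop Users",
     "TargetSid": "S-1-5-32-555", "MemberSid": "S-1-5-21-1111111111-2222222222-3333333333-1107"},
    # 4. Event ID 4728 (domain global group) is outside this rule's scope -> no alert
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "Domain Admins",
     "TargetSid": "S-1-5-21-1111111111-2222222222-3333333333-512",
     "MemberSid": "S-1-5-21-1111111111-2222222222-3333333333-1105"},
    # 5. Localized group name on a German system, matched by the 'Administr' prefix -> alert
    {"EventID": 4732, "SubjectUserName": "svc_deploy", "TargetUserName": "Administratoren",
     "TargetSid": "S-1-5-32-544", "MemberSid": "S-1-5-21-1111111111-2222222222-3333333333-1108"},
    # 6. Group name absent from the event, but the SID still identifies Administrators -> alert
    {"EventID": 4732, "SubjectUserName": "helpdesk1", "TargetUserName": "",
     "TargetSid": "S-1-5-32-544", "MemberSid": "S-1-5-21-1111111111-2222222222-3333333333-1109"},
]


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: {alert['SubjectUserName']} added {alert['MemberSid']} "
              f"to {alert['TargetUserName'] or alert['TargetSid']}")
```

Run against the sample stream, events 1, 5 and 6 produce alerts; event 2 is suppressed by the computer-account filter, and events 3 and 4 fall outside the selection. Matching on the SID as well as the name prefix is what keeps event 6 (and non-English group names) from slipping through, and it is the check worth preserving if the rule is adapted to another query language.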
Categories
  • Endpoint
  • Windows
Data Sources
  • User Account
  • Windows Registry
Created: 2017-03-14