
AD Privileged Users or Groups Reconnaissance

Sigma Rules

Summary
This detection rule identifies reconnaissance activity targeting privileged users or groups in an Active Directory (AD) environment. It relies on Windows Event ID 4661, which records a request for a handle to an object, and looks specifically for accesses to user and group objects in the Security Account Manager (SAM). To produce the required events, Object Access auditing for SAM must be enabled on Domain Controllers. The rule selects events whose Object Type is 'SAM_USER' or 'SAM_GROUP' and whose object name either refers to a well-known privileged account (a SID ending with certain values) or contains the term 'admin'. It excludes events generated by service accounts, identified by usernames that end with '$'. The rule carries a high alert level; a match is especially suspicious when the source account is not one normally associated with administrative activity. The goal is to flag adversaries attempting to enumerate privileged accounts in the environment so that security teams can address the elevated-privilege threat early.
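The selection and exclusion logic described above, re-implemented in Python and run over a few constructed Event ID 4661 records. This is an added illustration, not the Sigma rule itself or code from the rule's authors; the set of well-known RID suffixes is assumed for the example, since the page does not list the rule's exact values, and the field names follow the usual Windows Security log fields.

```python
# Added example: applies the filter the summary describes to constructed
# Event ID 4661 (SAM object access) records. Not the Sigma rule's own code.

# Assumed sample of well-known built-in privileged RIDs (500 Administrator,
# 502 krbtgt, 512 Domain Admins, 519 Enterprise Admins, 544 BUILTIN\Administrators).
# The page only says "SIDs ending with certain values"; this list is an assumption.
PRIVILEGED_RID_SUFFIXES = ("-500", "-502", "-512", "-519", "-544")
SAM_OBJECT_TYPES = {"SAM_USER", "SAM_GROUP"}


def is_privileged_recon(event):
    """Return True when a record matches the rule's selection and survives its exclusion."""
    if event.get("EventID") != 4661:
        return False
    if event.get("ObjectType") not in SAM_OBJECT_TYPES:
        return False
    # Sigma string modifiers are case-insensitive by default, so normalise first.
    object_name = str(event.get("ObjectName", "")).lower()
    targets_privileged = object_name.endswith(PRIVILEGED_RID_SUFFIXES) or "admin" in object_name
    if not targets_privileged:
        return False
    # Exclusion: accounts whose name ends with '$' (machine/service accounts).
    if str(event.get("SubjectUserName", "")).endswith("$"):
        return False
    return True


def triage(events):
    """Return (index, subject account, object name) for every matching record."""
    return [
        (i, e["SubjectUserName"], e["ObjectName"])
        for i, e in enumerate(events)
        if is_privileged_recon(e)
    ]


# Constructed sample records (not real log data). Domain SID is a placeholder.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_EVENTS = [
    # 0: user jsmith opens a handle to the built-in Administrator account -> match
    {"EventID": 4661, "ObjectType": "SAM_USER",
     "ObjectName": f"{DOMAIN_SID}-500", "SubjectUserName": "jsmith"},
    # 1: same object type, but the subject is a machine account -> excluded
    {"EventID": 4661, "ObjectType": "SAM_GROUP",
     "ObjectName": f"{DOMAIN_SID}-512", "SubjectUserName": "DC01$"},
    # 2: ordinary user object (RID 1105) -> not privileged, no match
    {"EventID": 4661, "ObjectType": "SAM_USER",
     "ObjectName": f"{DOMAIN_SID}-1105", "SubjectUserName": "jsmith"},
    # 3: group whose name contains 'admin' (case-insensitive) -> match
    {"EventID": 4661, "ObjectType": "SAM_GROUP",
     "ObjectName": "CN=Helpdesk Admins,CN=Users,DC=example,DC=local",
     "SubjectUserName": "bob"},
    # 4: different event ID -> outside the rule's scope
    {"EventID": 4662, "ObjectType": "SAM_USER",
     "ObjectName": f"{DOMAIN_SID}-500", "SubjectUserName": "jsmith"},
    # 5: privileged RID but object type is not SAM_USER/SAM_GROUP -> no match
    {"EventID": 4661, "ObjectType": "SAM_DOMAIN",
     "ObjectName": f"{DOMAIN_SID}-512", "SubjectUserName": "jsmith"},
]

if __name__ == "__main__":
    for idx, subject, obj in triage(SAMPLE_EVENTS):
        print(f"record {idx}: {subject} accessed privileged SAM object {obj}")
```

When tuning this in production, remember that legitimate management tooling and some backup or monitoring agents also open handles to these objects; the '$' exclusion removes machine accounts but not interactive service accounts, so expect to add environment-specific filters on SubjectUserName.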
Categories
  • Windows
  • On-Premise
  • Identity Management
Data Sources
  • Windows Registry
  • Active Directory
  • Logon Session
Created: 2019-04-03