
Summary
The detection rule for domain group discovery using `net.exe` identifies reconnaissance activity that attackers commonly use to enumerate domain groups in an Active Directory environment. It draws on process-execution telemetry, including Sysmon EventID 1 and Windows Security Event Log 4688, and looks for executions matched by `process_net` whose command line carries the arguments `group /domain`. By scrutinizing those command-line parameters, the analytic aims to surface attempts to map the domain's group structure. This behavior matters because an attacker who has learned which groups exist, and who belongs to them, can use that knowledge for privilege escalation or lateral movement after an initial compromise. The rule has since been deprecated and replaced by a more generic analytic, but understanding how it worked still helps in recognizing common attack patterns in Windows environments.
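The following is an added illustration of the rule's logic and is not the analytic's own search. It re-implements the summary's three conditions in Python over a handful of constructed process-creation records: the event must be a process-creation event (Sysmon EventID 1 or Security 4688), the image must fall under `process_net`, and the command line must carry both `group` and `/domain`. The event field names, the sample records, and the modelling of `process_net` as net.exe or net1.exe (net.exe hands most sub-commands to net1.exe) are assumptions made here, not details from the page.

```python
from pathlib import PureWindowsPath

# Assumption: `process_net` is modelled as an image whose basename is net.exe or net1.exe.
NET_IMAGES = {"net.exe", "net1.exe"}

# (source, event_id) pairs that represent process creation in the telemetry the rule names.
PROCESS_CREATION_EVENTS = {("sysmon", 1), ("security", 4688)}


def is_process_creation(event: dict) -> bool:
    """True for Sysmon EventID 1 or Windows Security 4688 records."""
    return (event.get("source"), event.get("event_id")) in PROCESS_CREATION_EVENTS


def is_net_process(image: str) -> bool:
    """Model of `process_net`: the image's basename is net.exe or net1.exe."""
    return PureWindowsPath(image).name.lower() in NET_IMAGES


def is_domain_group_discovery(command_line: str) -> bool:
    """True when the command line carries both the `group` sub-command and the `/domain` switch.

    Token matching (rather than a substring test) keeps `localgroup` from matching `group`
    and tolerates a quoted group name between the two arguments.
    """
    tokens = command_line.lower().split()
    return "group" in tokens and "/domain" in tokens


def detect_domain_group_discovery(events: list[dict]) -> list[dict]:
    """Apply the three conditions and return the matching records."""
    hits = []
    for ev in events:
        if not is_process_creation(ev):
            continue
        if not is_net_process(ev.get("image", "")):
            continue
        if not is_domain_group_discovery(ev.get("command_line", "")):
            continue
        hits.append({
            "host": ev["host"],
            "user": ev["user"],
            "image": ev["image"],
            "command_line": ev["command_line"],
        })
    return hits


# Constructed sample telemetry (hypothetical hosts, users and paths; not real log data).
SAMPLE_EVENTS = [
    {"source": "sysmon", "event_id": 1, "host": "WS01", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\net.exe",
     "command_line": "net group /domain"},
    {"source": "security", "event_id": 4688, "host": "WS02", "user": "CORP\\bob",
     "image": "C:\\Windows\\System32\\net1.exe",
     "command_line": "net1 group \"Domain Admins\" /domain"},
    {"source": "sysmon", "event_id": 1, "host": "WS03", "user": "CORP\\carol",
     "image": "C:\\Windows\\System32\\net.exe",
     "command_line": "net user carol /domain"},        # user lookup, not group discovery
    {"source": "sysmon", "event_id": 1, "host": "WS04", "user": "CORP\\dave",
     "image": "C:\\Windows\\System32\\net.exe",
     "command_line": "net localgroup administrators"},  # local, not domain
    {"source": "sysmon", "event_id": 3, "host": "WS01", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\net.exe",
     "command_line": "net group /domain"},              # network event, not process creation
]


if __name__ == "__main__":
    for hit in detect_domain_group_discovery(SAMPLE_EVENTS):
        print(f"{hit['host']} {hit['user']}: {hit['command_line']}")
```

Run as written, the script reports the WS01 and WS02 records and ignores the user lookup, the local-group query, and the Sysmon network-connection event. Because `is_domain_group_discovery` checks for both tokens regardless of order, it also catches the form where a specific group name sits between `group` and `/domain`.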
Categories
- Windows
- Endpoint
- Identity Management
Data Sources
- Windows Registry
- Process
- Command
ATT&CK Techniques
- T1069
- T1069.002
Created: 2025-01-13