
Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet

Sigma Rules

Summary
This detection rule identifies potentially suspicious reconnaissance activity on Windows hosts: process creation events whose command line invokes the PowerShell cmdlet Get-LocalGroupMember. The cmdlet enumerates the members of a local group, and attackers commonly run it early in an intrusion to learn which accounts hold local administrative rights before attempting privilege escalation or lateral movement. To reduce noise, the rule requires the command line to also contain one of a set of privileged group names or roles, such as 'domain admins' and 'administrators', that indicate an attempt to harvest information about high-value accounts. An alert fires when a process command line contains Get-LocalGroupMember together with any of these terms. Because the cmdlet is also used by administrators and management scripts, a match should be reviewed against the parent process and the account that launched PowerShell before it is treated as malicious. The rule matches only on the visible command line, so an invocation that does not expose the cmdlet name there (for example a Base64-encoded command or a script file) will not trigger it.
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2022-10-10