Reconnaissance Activity

Summary
This detection rule identifies reconnaissance activity in a Windows environment, specifically users who invoke the commands "net user administrator /domain" and "net group domain admins /domain". Attackers often run these commands to enumerate privileged user accounts and group memberships in a domain, an early phase of lateral movement in the attack lifecycle. The rule triggers on Windows Security Event ID 4661, an object access event that, in this case, records attempts to access sensitive users or groups in the Security Account Manager (SAM). It examines the access mask and object type so that only relevant access requests are flagged, and focuses on object names that represent domain administrators and user accounts.
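The matching logic the summary describes, as an added example in Python (this is not the Sigma rule's own source, and the SAM object types, the access mask value and the sample events are assumptions or constructed data, not values quoted on this page):

```python
"""Evaluate parsed Windows Security Event ID 4661 records against the
detection logic described in the summary above (added example)."""

# Well-known relative identifiers (RIDs) of the principals the rule targets.
RID_ADMINISTRATOR = "500"   # built-in Administrator account
RID_DOMAIN_ADMINS = "512"   # Domain Admins group

# Assumption: the SAM object types reported by 4661 and the access mask the
# rule keys on; the page does not quote the exact values, so treat these as
# placeholders to be replaced by the rule's own values.
SAM_OBJECT_TYPES = {"SAM_USER", "SAM_GROUP"}
SUSPICIOUS_ACCESS_MASK = "0x2d"   # assumed value

def rid_of(object_name: str) -> str:
    """Return the RID suffix of a SID-style object name (S-1-5-21-...-512)."""
    return object_name.rsplit("-", 1)[-1]

def is_recon_access(event: dict) -> bool:
    """True when the event matches: 4661 + SAM user/group + sensitive RID + mask."""
    if event.get("EventID") != 4661:
        return False
    if event.get("ObjectType") not in SAM_OBJECT_TYPES:
        return False
    if str(event.get("AccessMask", "")).lower() != SUSPICIOUS_ACCESS_MASK:
        return False
    return rid_of(event.get("ObjectName", "")) in {RID_ADMINISTRATOR, RID_DOMAIN_ADMINS}

def find_recon_events(events):
    """Filter a batch of parsed events down to the ones the rule would flag."""
    return [e for e in events if is_recon_access(e)]

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4661, "ObjectType": "SAM_USER", "AccessMask": "0x2d",
     "ObjectName": "S-1-5-21-1111-2222-3333-500", "SubjectUserName": "jdoe"},
    {"EventID": 4661, "ObjectType": "SAM_GROUP", "AccessMask": "0x2d",
     "ObjectName": "S-1-5-21-1111-2222-3333-512", "SubjectUserName": "jdoe"},
    # ordinary user object: same mask, but not a sensitive RID
    {"EventID": 4661, "ObjectType": "SAM_USER", "AccessMask": "0x2d",
     "ObjectName": "S-1-5-21-1111-2222-3333-1105", "SubjectUserName": "svc-backup"},
    # wrong object type and wrong event ID respectively
    {"EventID": 4661, "ObjectType": "SAM_DOMAIN", "AccessMask": "0x2d",
     "ObjectName": "S-1-5-21-1111-2222-3333", "SubjectUserName": "jdoe"},
    {"EventID": 4662, "ObjectType": "SAM_USER", "AccessMask": "0x2d",
     "ObjectName": "S-1-5-21-1111-2222-3333-500", "SubjectUserName": "jdoe"},
]

if __name__ == "__main__":
    for hit in find_recon_events(SAMPLE_EVENTS):
        print(hit["SubjectUserName"], hit["ObjectType"], hit["ObjectName"])
```

In production the constants are replaced by the values from the rule source, and a hit is best correlated with the invoking process so the analyst can confirm which of the two commands named above produced it.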
Categories
  • Windows
  • Network
  • Identity Management
Data Sources
  • Windows Registry
  • User Account
Created: 2017-03-07