
Summary
This detection rule identifies a user being added to the local Administrators group on Windows systems through commands such as 'net' and 'Add-LocalGroupMember'. Unauthorized additions to this group can indicate privilege escalation or other malicious activity, so the rule is a key part of monitoring administrative access. The detection inspects the command line of process creation events for keywords that indicate a modification of the local Administrators group. An alert is raised if either of the specified command line patterns matches and the context confirms that the target group is Administrators. Such behavior should be treated as suspicious and investigated because of its potential impact on the organization's security posture. The rule is currently in testing status and strengthens security monitoring of Windows environments by flagging abnormal changes to user privileges, particularly within local administrative groups.
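The following is an added illustration of the two command line patterns the rule describes, not the rule's own query logic: it applies equivalent case-insensitive matches to a handful of constructed process-creation command lines (the sample events, the regexes and the function names are assumptions, not taken from the rule).

```python
import re
from typing import List, Optional, Tuple

# Constructed sample command lines (not real telemetry), as the CommandLine
# field of a process-creation event would carry them.
SAMPLE_EVENTS = [
    'net localgroup administrators backupsvc /add',
    'net1  LOCALGROUP  Administrators  "contoso\\jdoe"  /ADD',
    'powershell.exe -c "Add-LocalGroupMember -Group Administrators -Member jdoe"',
    'powershell.exe -c Add-LocalGroupMember -Group "Remote Desktop Users" -Member jdoe',
    'net localgroup administrators',               # enumeration only, no /add
    'net localgroup "Backup Operators" svc /add',  # different group
]

# Pattern 1: net / net1 localgroup administrators <member> /add.
# Tolerates net.exe, optional quoting, repeated whitespace and mixed case,
# all of which occur in raw command lines.
NET_PATTERN = re.compile(
    r'\bnet1?(?:\.exe)?\s+localgroup\s+"?administrators"?\s.*?/add\b',
    re.IGNORECASE,
)

# Pattern 2: Add-LocalGroupMember with -Group naming the Administrators group.
PS_PATTERN = re.compile(
    r'Add-LocalGroupMember\b.*?-Group\s+["\']?administrators\b',
    re.IGNORECASE,
)


def match_local_admin_add(cmdline: str) -> Optional[str]:
    """Return the name of the matching pattern, or None when neither applies."""
    if NET_PATTERN.search(cmdline):
        return "net_localgroup_add"
    if PS_PATTERN.search(cmdline):
        return "add_localgroupmember"
    return None


def alerts_for(events: List[str]) -> List[Tuple[str, str]]:
    """Run the check over a batch of command lines and keep only the hits."""
    hits = []
    for cmdline in events:
        matched = match_local_admin_add(cmdline)
        if matched:
            hits.append((cmdline, matched))
    return hits


if __name__ == "__main__":
    for cmdline, pattern in alerts_for(SAMPLE_EVENTS):
        print(f"ALERT [{pattern}]: {cmdline}")
```

The last three sample events show why the rule requires both an add operation and the Administrators group: plain enumeration and additions to other groups produce no alert.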
Categories
- Windows
- Endpoint
- On-Premise
Data Sources
- User Account
- Process
Created: 2022-08-12