
Summary
This analytic rule detects attempts to create the "ESX Admins" group via the Windows command-line tool net.exe (or its variant, net1.exe). This activity is particularly relevant in the context of the VMware ESXi Active Directory Integration Authentication Bypass vulnerability (CVE-2024-37085). When attackers use this command to recreate the "ESX Admins" group after its unauthorized deletion from Active Directory, they can potentially gain illegitimate access to ESXi hosts. The detection relies on Sysmon Event ID 1, Windows Security Event Log 4688, and CrowdStrike process telemetry to monitor process-creation activity matching the targeted command. A detailed search query is provided to capture the relevant process executions, including the user, destination host, and process attributes, to add context during investigations.
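The following is an added example of the matching logic described above, written here as a standalone Python check rather than taken from the rule's own search query. It runs over a few constructed process-creation records (a simplified stand-in for Sysmon Event ID 1 / Security 4688 fields; the field names `process`, `command_line`, `user` and `host` are assumptions) and flags only net.exe or net1.exe invocations that add a domain group named "ESX Admins", tolerating case and quoting variants while ignoring deletions, local groups and unrelated `net` commands.

```python
"""Flag net.exe / net1.exe attempts to create the "ESX Admins" domain group.

Added example, not the rule's own query. Records are a constructed,
simplified view of process-creation events; the field names are assumptions.
"""
import re

# net1.exe is the compatibility wrapper behind net.exe and takes the same syntax
NET_BINARIES = {"net.exe", "net1.exe"}

# "group" (not "localgroup": the bypass concerns the AD group, so local group
# creation is deliberately out of scope), then the name in ", ' or no quotes.
GROUP_RE = re.compile(r"\bgroup\s+(?P<q>[\"']?)ESX\s+Admins(?P=q)", re.IGNORECASE)
# /add may appear before or after /domain, so it is matched independently
ADD_RE = re.compile(r"(?:^|\s)/add\b", re.IGNORECASE)


def is_esx_admins_group_creation(record: dict) -> bool:
    """True when the record is net/net1 adding the "ESX Admins" group."""
    image = record.get("process", "")
    # Compare on the file name only; the directory may vary (System32, SysWOW64)
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name not in NET_BINARIES:
        return False
    cmd = record.get("command_line", "")
    return bool(GROUP_RE.search(cmd)) and bool(ADD_RE.search(cmd))


def find_esx_admins_group_creations(records):
    """Return the subset of records that match the detection."""
    return [r for r in records if is_esx_admins_group_creation(r)]


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "CORP\\svc-backup",
     "process": r"C:\Windows\System32\net.exe",
     "command_line": 'net group "ESX Admins" /add /domain'},
    {"host": "WS07", "user": "CORP\\jdoe",
     "process": r"C:\Windows\SysWOW64\net1.exe",
     "command_line": "net1  GROUP  'ESX Admins' /domain /ADD"},
    {"host": "DC01", "user": "CORP\\admin",
     "process": r"C:\Windows\System32\net.exe",
     "command_line": 'net group "ESX Admins" /delete /domain'},
    {"host": "WS02", "user": "CORP\\helpdesk",
     "process": r"C:\Windows\System32\net.exe",
     "command_line": "net user bob P@ss /add"},
    {"host": "WS02", "user": "CORP\\helpdesk",
     "process": r"C:\Windows\System32\net.exe",
     "command_line": 'net localgroup "ESX Admins" /add'},
    {"host": "WS09", "user": "CORP\\ops",
     "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -c "net group \\"ESX Admins\\" /add"'},
]

if __name__ == "__main__":
    for hit in find_esx_admins_group_creations(SAMPLE_EVENTS):
        print(f"{hit['host']} {hit['user']}: {hit['command_line']}")
```

Only the first two sample records match: the deletion, the unrelated `net user`, the local group and the PowerShell wrapper are all left for other rules. In a real deployment the parent process, the invoking user and the destination host from the event give the analyst the context for triage.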
Categories
- Endpoint
Data Sources
- Windows Registry
- Process
ATT&CK Techniques
- T1136.002
- T1136.001
Created: 2025-01-13