
Summary
This detection rule focuses on identifying potential local account discovery activities performed on Windows systems by leveraging various operating system utilities. The rule watches for process creation events from known commands that can enumerate user accounts, including 'whoami.exe', 'quser.exe', 'qwinsta.exe', and 'net.exe'. It also includes conditions for filtering out common legitimate commands that could otherwise trigger false positives. The detection logic is built around monitoring for key indicators involving command line usage and specific executable processes that are associated with account enumeration. By applying these criteria, the rule helps spot potentially unauthorized attempts to gain visibility over account details on Windows systems, which can be an early sign of malicious activity or reconnaissance by attackers. Its low severity level indicates that while this behavior could suggest unauthorized enumeration, it may also be the result of legitimate administrative actions.
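To illustrate how such logic behaves over process creation telemetry, here is an added example (not the rule's own code) that applies the image and command line indicators described above to a few constructed Sysmon-style events. It assumes events carry `Image` and `CommandLine` fields, and it models the false-positive filter as a net.exe subcommand allow-list (only `user`, `localgroup` and `accounts` count as enumeration); both of those choices are assumptions, not details from the rule.

```python
import ntpath
import shlex

# Process images the summary names as account-enumeration utilities.
ACCOUNT_ENUM_IMAGES = {"whoami.exe", "quser.exe", "qwinsta.exe", "net.exe"}

# Assumption (not from the rule): net.exe is only interesting when its first
# argument enumerates accounts; other subcommands (use, start, share, ...)
# are treated as benign to reduce false positives.
NET_ENUM_SUBCOMMANDS = {"user", "localgroup", "accounts"}


def parse_args(cmdline: str) -> list[str]:
    """Tokenise a Windows command line; posix=False keeps backslashes intact."""
    try:
        return shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        return cmdline.split()


def is_account_enumeration(event: dict) -> bool:
    """True when the event's image and command line match the indicators."""
    image = ntpath.basename(event.get("Image", "")).lower()
    if image not in ACCOUNT_ENUM_IMAGES:
        return False
    args = parse_args(event.get("CommandLine", ""))[1:]  # drop argv[0]
    if image == "net.exe":
        return bool(args) and args[0].strip('"').lower() in NET_ENUM_SUBCOMMANDS
    return True


def find_account_enumeration(events: list[dict]) -> list[dict]:
    """Return the subset of process-creation events that match the rule."""
    return [e for e in events if is_account_enumeration(e)]


# Constructed sample telemetry (hypothetical hosts and paths, not real data).
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami /all"},
    {"id": 2, "Image": r"C:\Windows\System32\net.exe", "CommandLine": "net user"},
    {"id": 3, "Image": r"C:\Windows\System32\net.exe", "CommandLine": r"net use Z: \\fs01\share"},
    {"id": 4, "Image": r"C:\Windows\System32\quser.exe", "CommandLine": "quser"},
    {"id": 5, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
    {"id": 6, "Image": r"C:\WINDOWS\SYSTEM32\NET.EXE", "CommandLine": "NET LOCALGROUP Administrators"},
]

if __name__ == "__main__":
    for hit in find_account_enumeration(SAMPLE_EVENTS):
        print(f"event {hit['id']}: {hit['CommandLine']}")
```

Events 1, 2, 4 and 6 match; the `net use` mapping (3) is filtered out by the assumed subcommand allow-list, and notepad (5) never enters the image set.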
Categories
- Windows
- Endpoint
Data Sources
- Process
ATT&CK Techniques
- T1033
Created: 2019-10-21