
Summary
This detection rule identifies the creation of a local administrator account on Windows systems using the "net.exe" command. It analyzes EDR (Endpoint Detection and Response) process-creation data for invocations of "net.exe" with the "/add" parameter in combination with keywords associated with administrator accounts in multiple languages. Such behavior is commonly tied to attackers establishing persistent access or escalating privileges on compromised systems. The activity is captured through process-creation logs such as Sysmon EventID 1 and Windows Security Event Log 4688, indicating potentially unauthorized activity. On detection, threat analysts should review the user context, process details, and associated artifacts to determine whether the action was legitimate.
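The matching logic the summary describes, as an added Python example that is not the rule's own code: it evaluates constructed process-creation events (the Image and CommandLine fields of Sysmon EventID 1 / Security 4688) and flags net.exe or net1.exe invocations that add a member to the local Administrators group. The sample events and the set of localized group names are assumptions; the page does not list the rule's exact keywords.

```python
import shlex

# Localized names of the built-in local Administrators group. This is an
# assumed subset; the rule's actual keyword list is not given on the page.
ADMIN_GROUP_NAMES = {"administrators", "administrateurs",
                     "administratoren", "administradores"}
NET_IMAGES = ("\\net.exe", "\\net1.exe")


def is_local_admin_add(event: dict) -> bool:
    """Return True when a process-creation event shows net.exe/net1.exe
    adding a member to the local Administrators group (net localgroup
    <group> <user> /add). Matching is case-insensitive, and quoted group
    names such as "Administradores" are handled."""
    image = event.get("Image", "").lower()
    if not image.endswith(NET_IMAGES):
        return False
    try:
        # posix=False keeps Windows backslashes intact; quotes are stripped
        tokens = [t.strip('"').lower()
                  for t in shlex.split(event.get("CommandLine", ""), posix=False)]
    except ValueError:  # unbalanced quotes: unparsable, not a match
        return False
    if "/add" not in tokens or "localgroup" not in tokens:
        return False
    return any(t in ADMIN_GROUP_NAMES for t in tokens)


def scan(events: list) -> list:
    """Filter a batch of process-creation events down to the matches."""
    return [e for e in events if is_local_admin_add(e)]


# Constructed sample events (not real telemetry), modelled on the fields
# of Sysmon EventID 1 and Security 4688.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net localgroup administrators backdoor /ADD"},
    {"EventID": 4688, "Image": r"C:\Windows\System32\net1.exe",
     "CommandLine": 'net1 localgroup "Administradores" svc_temp /add'},
    # plain user creation: no group membership change, so no match here
    {"EventID": 1, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user alice /add"},
    # enumeration only, no /add
    {"EventID": 1, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net localgroup administrators"},
    # cmd.exe wrapper: the child net.exe process would be logged separately
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c net localgroup administrators bob /add"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"match: EventID {hit['EventID']}: {hit['CommandLine']}")
```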
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
ATT&CK Techniques
- T1136.001
- T1136
Created: 2025-01-13