
Permission Groups Discovery: Local Groups

Anvilogic Forge

Summary
This detection rule identifies activity related to the discovery of local permission groups in a Windows environment. Adversaries seeking insight into local groups and their associated permissions may run commands such as 'Get-LocalGroup' or 'Get-LocalGroupMember' to enumerate the users and groups that hold elevated privileges. The detection logic uses Splunk queries over Sysmon events, specifically Event Code 1 (process creation). The rule captures the use of commands commonly involved in local group discovery and records pertinent details such as the time of the event, the host, the user, and the processes involved. This lets security teams spot potential reconnaissance by adversaries assessing privilege levels in the target environment.
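The detection described above, as an added example that is not part of the Anvilogic rule (the page does not reproduce its Splunk query): a Python stand-in that applies the same logic to constructed Sysmon Event Code 1 records. The field names follow the Sysmon/Splunk add-on convention and the sample hosts, users and paths are assumptions.

```python
import re

# Constructed sample records shaped like Splunk-indexed Sysmon events.
# Field names follow the Sysmon add-on convention; all values are made up.
SAMPLE_EVENTS = [
    {"_time": "2024-02-09T10:15:02Z", "EventCode": 1, "host": "WS01",
     "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell.exe -NoP -c "Get-LocalGroupMember -Group Administrators"'},
    {"_time": "2024-02-09T10:16:30Z", "EventCode": 1, "host": "WS01",
     "User": "CORP\\alice", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe report.txt"},
    # Same command line but EventCode 3 (network connection): not process creation, must be ignored.
    {"_time": "2024-02-09T10:17:05Z", "EventCode": 3, "host": "WS02",
     "User": "CORP\\svc_backup", "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "pwsh -c get-localgroup"},
    {"_time": "2024-02-09T10:18:44Z", "EventCode": 1, "host": "WS02",
     "User": "CORP\\svc_backup", "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "pwsh -c get-localgroup"},
]

# The two cmdlets named by the rule. Case-insensitive because PowerShell is;
# the optional group matches either Get-LocalGroup or Get-LocalGroupMember.
LOCAL_GROUP_DISCOVERY = re.compile(r"\bGet-LocalGroup(Member)?\b", re.IGNORECASE)


def detect_local_group_discovery(events):
    """Return the pertinent fields for every Sysmon process-creation event (EventCode 1)
    whose command line invokes one of the local-group enumeration cmdlets."""
    hits = []
    for ev in events:
        if ev.get("EventCode") != 1:  # only process creation, as the rule specifies
            continue
        cmd = ev.get("CommandLine") or ""
        if LOCAL_GROUP_DISCOVERY.search(cmd):
            hits.append({
                "time": ev["_time"], "host": ev["host"], "user": ev["User"],
                "parent_process": ev["ParentImage"], "process": ev["Image"],
                "command_line": cmd,
            })
    return hits


if __name__ == "__main__":
    for hit in detect_local_group_discovery(SAMPLE_EVENTS):
        print(hit)
```

Only the two EventCode 1 records that invoke a cmdlet are reported; the notepad launch and the EventCode 3 record are dropped.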
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1069.001
  • T1069
Created: 2024-02-09