
Summary
This analytic rule, now deprecated, detects the creation of local administrator accounts using the 'net.exe' command on Windows systems. It analyzes process telemetry from Endpoint Detection and Response (EDR) solutions, looking for instances where the process 'net.exe' or 'net1.exe' is run with the '/add' parameter, and additionally checks the command line for keywords associated with the creation of administrator accounts. Such activity may signal an attempt by an attacker to establish persistent access or escalate privileges on the target system. When the rule fires, review the process details, user context, and related artifacts to assess whether the activity is legitimate, since a successful account creation can lead to unauthorized access and potential data breaches.
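The matching logic described above, as an added Python example that is not the rule's own search: it runs over a handful of constructed EDR process events and flags only 'net.exe'/'net1.exe' executions that carry '/add' together with an assumed keyword set ("administrators", " user "), since the rule's exact keyword list is not given on the page. Field names (host, user, process_name, process) are likewise assumed.

```python
import re
from typing import Dict, List

# Constructed sample EDR process events modelled on the fields such a rule
# would consume (process name, full command line, user, host). Not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "user": r"CORP\jdoe", "process_name": "net.exe",
     "process": "net user backupadm P@ssw0rd! /add"},
    {"host": "ws01", "user": r"CORP\jdoe", "process_name": "net1.exe",
     "process": r"C:\Windows\System32\net1.exe localgroup administrators backupadm /add"},
    {"host": "srv02", "user": r"NT AUTHORITY\SYSTEM", "process_name": "net.exe",
     "process": r"net use Z: \\fileserver\share /persistent:yes"},
    {"host": "srv02", "user": r"CORP\itops", "process_name": "net.exe",
     "process": "net localgroup administrators"},
    {"host": "ws03", "user": r"CORP\svc", "process_name": "powershell.exe",
     "process": "powershell.exe -c \"net user tmpadm /add\""},
]

NET_BINARIES = {"net.exe", "net1.exe"}
# '/add' as a standalone switch, case-insensitive, anywhere in the command line.
ADD_SWITCH = re.compile(r"(?:^|\s)/add(?:\s|$)", re.IGNORECASE)
# Keyword set assumed for this example; the original rule's list is not on the page.
ADMIN_KEYWORDS = ("administrators", " user ")


def matches_rule(event: Dict[str, str]) -> bool:
    """True when the event looks like net.exe-based admin account creation."""
    if event.get("process_name", "").lower() not in NET_BINARIES:
        return False  # e.g. a PowerShell wrapper: the spawned net.exe event is what fires
    cmd = event.get("process", "")
    if not ADD_SWITCH.search(cmd):
        return False  # 'net use' and a bare 'net localgroup administrators' listing drop out
    padded = f" {cmd.lower()} "
    return any(keyword in padded for keyword in ADMIN_KEYWORDS)


def run_detection(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one triage record (host, user, command line) per matching event."""
    return [{"host": e["host"], "user": e["user"], "process": e["process"]}
            for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f"[ALERT] {hit['host']} {hit['user']}: {hit['process']}")
```

Only the first two events match; the 'net use' mapping, the read-only group listing and the PowerShell wrapper (whose child net.exe would be a separate event) are left alone.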
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
ATT&CK Techniques
- T1136.001
- T1136
Created: 2025-01-24