
Local Account Discovery with Net

Splunk Security Content

Summary
This detection rule identifies potential reconnaissance activity by tracking the usage of `net.exe` or `net1.exe` with the command-line arguments `user` or `users`, which are commonly employed to enumerate local user accounts on Windows systems. The rule is constructed using data from various sources, including Sysmon EventID 1, Windows Event Log Security 4688, and CrowdStrike ProcessRollup2. By observing suspicious process executions and command-line arguments that indicate local account enumeration, incident responders can detect possible attempts by adversaries to gain situational awareness of the network environment or target specific accounts for future attacks. This information is vital since local account enumeration can be a precursor to privilege escalation and lateral movement within a network.
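The matching logic described above, reduced to a small Python check run over constructed process-creation events. This is an added illustration, not the Splunk rule itself; the event field names (`process`, `cmdline`, `host`, `user`) are assumptions standing in for the normalized fields a Sysmon EventID 1, Security 4688 or ProcessRollup2 record would carry.

```python
import ntpath
from typing import Iterable

# Constructed sample events (not real telemetry). Field names are assumed.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice", "process": r"C:\Windows\System32\net.exe",
     "cmdline": "net user"},                       # local account listing
    {"host": "ws01", "user": "alice", "process": r"C:\Windows\System32\net1.exe",
     "cmdline": "NET1 USERS"},                     # net.exe commonly hands off to net1.exe
    {"host": "ws02", "user": "bob",   "process": r"C:\Windows\System32\net.exe",
     "cmdline": r"net use Z: \\fs01\users"},       # drive mapping, not enumeration
    {"host": "ws02", "user": "bob",   "process": r"C:\Windows\System32\net.exe",
     "cmdline": "net localgroup administrators"},  # group listing, outside this rule
    {"host": "ws03", "user": "carol", "process": r"C:\Windows\System32\netstat.exe",
     "cmdline": "netstat -ano"},                   # different binary
    {"host": "ws03", "user": "carol", "process": r"C:\Windows\System32\net.exe",
     "cmdline": "net user svc_backup /domain"},    # domain query; still matches
]

NET_BINARIES = {"net.exe", "net1.exe"}
USER_ARGS = {"user", "users"}


def is_local_account_discovery(event: dict) -> bool:
    """True when net.exe/net1.exe was run with a `user` or `users` argument."""
    binary = ntpath.basename(event.get("process", "")).lower()
    if binary not in NET_BINARIES:
        return False
    # Compare whole tokens after the program name, so a share path such as
    # \\fs01\users in a `net use` command is not mistaken for the `users` verb.
    args = event.get("cmdline", "").split()[1:]
    return any(arg.strip('"').lower() in USER_ARGS for arg in args)


def find_local_account_discovery(events: Iterable[dict]) -> list[dict]:
    """Return the host, user and command line of every event the rule would flag."""
    return [
        {"host": e["host"], "user": e["user"], "cmdline": e["cmdline"]}
        for e in events
        if is_local_account_discovery(e)
    ]


if __name__ == "__main__":
    for hit in find_local_account_discovery(SAMPLE_EVENTS):
        print(f"{hit['host']} {hit['user']}: {hit['cmdline']}")
```

Note that `net user ... /domain` also matches: the rule keys on the `user`/`users` argument, so domain-account queries surface alongside local ones and are separated during triage.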
Categories
  • Endpoint
Data Sources
  • Windows Registry
  • Process
  • Logon Session
ATT&CK Techniques
  • T1087
  • T1087.001
Created: 2025-01-24