
Summary
This detection rule identifies logon events for standard users who are members of high-privileged groups, such as the Administrators group, based on Windows Security Auditing. Specifically, it relies on Event ID 300 in the Microsoft-Windows-LSA/Operational log, which records logons processed by the Local Security Authority (LSA). The selection targets security identifiers (SIDs) of domain or local user accounts (those beginning with 'S-1-5-21-') and checks whether the SID list attached to the logon contains any high-privileged identifier: the BUILTIN\Administrators group SID (S-1-5-32-544) or a SID ending in one of the well-known relative identifiers -500 (the built-in Administrator account), -518 or -519 (Schema Admins and Enterprise Admins). Matching events point to possible misuse of elevated privileges. False positives are expected for standard domain users who are legitimately members of an administrator group; these can be filtered out using the "TargetUserName" field.
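The selection logic described above, replayed over a handful of constructed Event ID 300 records. This is an added example, not the rule's own code or a real log extract: the field names TargetUserSid, SidList and TargetUserName, the domain SID and the user names are assumptions made for illustration. It goes slightly beyond the rule in one respect: it matches the privileged RIDs as SID suffixes rather than as plain substrings, so a group with RID 5001 does not trip the '-500' marker, and it shows the TargetUserName allowlist the summary suggests for known administrators.

```python
from dataclasses import dataclass, field

# Selection values from the rule: domain / local account SIDs carry this prefix,
# and these markers identify the high-privileged principals the rule looks for.
STANDARD_USER_PREFIX = "S-1-5-21-"
ADMINISTRATORS_GROUP_SID = "S-1-5-32-544"            # BUILTIN\Administrators
HIGH_PRIV_RIDS = ("-500", "-518", "-519")            # Administrator, Schema Admins, Enterprise Admins


@dataclass
class LsaLogonEvent:
    """Minimal view of a Microsoft-Windows-LSA/Operational record (field names assumed)."""
    event_id: int
    target_user_name: str
    target_user_sid: str
    sid_list: list[str] = field(default_factory=list)


def sid_is_high_privileged(sid: str) -> bool:
    # Suffix match rather than substring match, so a RID such as 5001 does not
    # trip the '-500' marker the way a plain 'contains' test would.
    return sid == ADMINISTRATORS_GROUP_SID or sid.endswith(HIGH_PRIV_RIDS)


def matches_rule(ev: LsaLogonEvent, allowlist: frozenset = frozenset()) -> bool:
    """True when the event satisfies the rule's selection and is not allowlisted."""
    if ev.event_id != 300:
        return False
    if not ev.target_user_sid.startswith(STANDARD_USER_PREFIX):
        return False
    # False-positive handling suggested by the rule description: known legitimate
    # administrators are filtered on TargetUserName (compared case-insensitively).
    if ev.target_user_name.lower() in allowlist:
        return False
    # SidList carries the principals in the logon token; any privileged entry fires.
    return any(sid_is_high_privileged(s) for s in ev.sid_list)


def run_detection(events, allowlist: frozenset = frozenset()) -> list[str]:
    """Return the TargetUserName of every event that fires the rule, in log order."""
    return [ev.target_user_name for ev in events if matches_rule(ev, allowlist)]


DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed domain SID

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # standard user whose token carries BUILTIN\Administrators -> fires
    LsaLogonEvent(300, "jdoe", f"{DOMAIN}-1105",
                  [f"{DOMAIN}-1105", f"{DOMAIN}-513", "S-1-5-32-545", "S-1-5-32-544"]),
    # ordinary user: Domain Users + BUILTIN\Users only -> no match
    LsaLogonEvent(300, "asmith", f"{DOMAIN}-1106",
                  [f"{DOMAIN}-1106", f"{DOMAIN}-513", "S-1-5-32-545"]),
    # built-in Administrator account (RID 500) -> fires unless allowlisted
    LsaLogonEvent(300, "Administrator", f"{DOMAIN}-500",
                  [f"{DOMAIN}-500", f"{DOMAIN}-512", "S-1-5-32-544"]),
    # LocalSystem: not an S-1-5-21- SID, so outside the rule's scope
    LsaLogonEvent(300, "SYSTEM", "S-1-5-18", ["S-1-5-18", "S-1-5-32-544"]),
    # RID 5001 would match a naive '-500' substring test; the suffix match ignores it
    LsaLogonEvent(300, "bwayne", f"{DOMAIN}-1107",
                  [f"{DOMAIN}-1107", f"{DOMAIN}-5001"]),
    # different event ID -> ignored
    LsaLogonEvent(301, "jdoe", f"{DOMAIN}-1105", ["S-1-5-32-544"]),
]

if __name__ == "__main__":
    print("alerts:", run_detection(SAMPLE_EVENTS))
    print("alerts with allowlist:", run_detection(SAMPLE_EVENTS, frozenset({"administrator"})))
```

Run as-is, the first line lists jdoe and Administrator; with the allowlist applied only jdoe remains, which is the case the rule is meant to surface. When porting this to a SIEM, keep the suffix semantics in mind: a literal `contains '-500'` over the joined SID list will also match RIDs such as 5001, so either anchor the match or review those hits separately.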
Categories
- Windows
- Endpoint
Data Sources
- User Account
- Logon Session
- Application Log
Created: 2023-01-13