
Active Directory Group Modification by SYSTEM

Elastic Detection Rules

Summary
The detection rule identifies instances where the SYSTEM account (S-1-5-18) modifies an Active Directory (AD) group. Such a modification can indicate that an attacker who has gained SYSTEM privileges has compromised the domain controller, and the behavior is linked to several attack techniques, including privilege escalation and account manipulation. The rule focuses on security event 4728, which is logged when a user is added to a group, and specifically watches for the SYSTEM account as the actor. Because legitimate administrative actions may also trigger the rule, it includes guidance on handling false positives. A comprehensive investigation guide is provided for incident response, outlining the steps to confirm whether the action was legitimate and to remediate a potential breach: isolating affected systems, revoking unauthorized group memberships, and applying the security patches needed to close vulnerabilities that could have been exploited.
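As an added example, not the Elastic rule's own query or any code from this page, the following Python mirrors the logic the summary describes over constructed Windows Security events in Elastic's winlog field layout; the field names (event.code, winlog.event_data.SubjectUserSid, TargetUserName, MemberSid, host.name) and all sample values are assumptions.

```python
# Added example, not code from the page or the Elastic rule itself.
# Field names follow Elastic's winlog layout (assumed): event.code,
# winlog.event_data.SubjectUserSid / TargetUserName / MemberSid, host.name.
from typing import Optional

SYSTEM_SID = "S-1-5-18"      # Local System: the actor the rule watches
GROUP_MEMBER_ADDED = "4728"  # Security event: a member was added to a group


def evaluate(event: dict) -> Optional[dict]:
    """Apply the rule logic to one event: 4728 with SYSTEM as the subject.

    Returns a triage record when the event matches, otherwise None.
    """
    if str(event.get("event", {}).get("code", "")) != GROUP_MEMBER_ADDED:
        return None  # other event IDs are out of scope for this rule
    data = event.get("winlog", {}).get("event_data", {})
    if data.get("SubjectUserSid") != SYSTEM_SID:
        return None  # a named account did it, not the SYSTEM account
    return {
        "host": event.get("host", {}).get("name", "<unknown>"),
        "group": data.get("TargetUserName", "<unknown>"),
        "member_sid": data.get("MemberSid", "<unknown>"),
    }


def run(events: list) -> list:
    """Return a triage record for every event that matches the rule."""
    return [hit for hit in map(evaluate, events) if hit is not None]


# Constructed sample events (not real telemetry): a true match, a 4728 by a
# named administrator (no match), and an unrelated event code (no match).
SAMPLE_EVENTS = [
    {"event": {"code": "4728"}, "host": {"name": "dc01"},
     "winlog": {"event_data": {"SubjectUserSid": "S-1-5-18",
                               "TargetUserName": "Domain Admins",
                               "MemberSid": "S-1-5-21-1111-2222-3333-1105"}}},
    {"event": {"code": "4728"}, "host": {"name": "dc01"},
     "winlog": {"event_data": {"SubjectUserSid": "S-1-5-21-1111-2222-3333-500",
                               "TargetUserName": "Helpdesk",
                               "MemberSid": "S-1-5-21-1111-2222-3333-1106"}}},
    {"event": {"code": "4624"}, "host": {"name": "dc01"},
     "winlog": {"event_data": {"SubjectUserSid": "S-1-5-18"}}},
]
```

The second sample shows why the rule keys on the subject SID rather than the event ID alone: a named administrator adding a member is routine, while SYSTEM doing so on a domain controller is what warrants triage.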
Categories
  • Identity Management
  • Windows
  • On-Premise
Data Sources
  • Active Directory
  • Windows Registry
  • Logon Session
  • Application Log
  • User Account
ATT&CK Techniques
  • T1098
Created: 2024-06-26