Windows Guest Account Enabled Via Net.EXE

Splunk Security Content

Summary
This anomaly rule detects activation of the built-in Windows Guest account through Net commands, a technique attackers use for persistence or privilege escalation when establishing covert access. By default the Guest account is heavily restricted, so enabling it with Net (for example, net user guest /active:yes) can indicate an attacker or a compromised insider setting up ongoing access.

The rule uses endpoint telemetry from EDR agents to identify process creation events that imply guest activation, focusing on command-line evidence and process lineage across Windows endpoints. The search queries the Endpoint Process data model (populated by Sysmon ProcessCreate, Windows Security 4688 events, and CrowdStrike ProcessRollup telemetry) and looks for processes whose command line contains the textual indicators "guest" and "user" together with "active:yes". The detection aggregates fields such as process name, vendor product, user_id, hash, parent process, and command-line context to characterize the activity. It maps to MITRE ATT&CK technique T1078.001 (Valid Accounts: Guest).

The accompanying risk-based alert (RBA) raises the risk of the destination host that shows this activity, with the parent process name as the threat object and a default risk score of 50 assigned to the destination. Known false positives arise when IT or support teams temporarily enable the Guest account for maintenance; filtering these authorized activations is recommended to reduce noise. The rule offers drill-down options to inspect results by user/destination and to review related risk events over the last seven days, so an analyst can quickly investigate the event and place it in the context of broader risk signals.
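The matching and aggregation described above, emulated over constructed process-creation events as an added example (this is not the Splunk search itself, and the field names, the net.exe process-name check and the authorized-user filter are assumptions):

```python
"""Stand-alone emulation of the Guest-account-enabled-via-net.exe logic.

Assumptions (not taken from the Splunk search): events are dicts carrying
Endpoint.Processes-style fields dest, user, process_name,
parent_process_name and process (the full command line).
"""
import re
from collections import Counter

# Constructed sample process-creation events for illustration only.
SAMPLE_EVENTS = [
    {"dest": "ws01", "user": "jsmith", "process_name": "net.exe",
     "parent_process_name": "cmd.exe", "process": "net user guest /active:yes"},
    {"dest": "ws01", "user": "jsmith", "process_name": "net.exe",
     "parent_process_name": "cmd.exe", "process": "net user /add backup"},
    {"dest": "srv02", "user": "svc_helpdesk", "process_name": "net.exe",
     "parent_process_name": "powershell.exe", "process": "NET USER Guest /ACTIVE:YES"},
    {"dest": "ws03", "user": "bob", "process_name": "net.exe",
     "parent_process_name": "explorer.exe", "process": "net user guest /active:no"},
]

RISK_SCORE = 50  # default score the rule assigns to the destination host

# Case-insensitive, order-independent check that all three indicators appear.
GUEST_ACTIVATION = re.compile(
    r"(?=.*\buser\b)(?=.*\bguest\b)(?=.*active:yes)", re.IGNORECASE)

def is_guest_activation(event):
    """True when net.exe ran with 'user', 'guest' and 'active:yes' in its command line."""
    if event.get("process_name", "").lower() != "net.exe":
        return False
    return GUEST_ACTIVATION.search(event.get("process", "")) is not None

def run_detection(events, authorized_users=frozenset()):
    """Aggregate matching events by dest/user/parent process/command line.

    authorized_users is the false-positive filter the page recommends:
    accounts IT uses for sanctioned maintenance are dropped before alerting.
    """
    counts = Counter(
        (e["dest"], e["user"], e["parent_process_name"], e["process"])
        for e in events
        if is_guest_activation(e) and e["user"].lower() not in authorized_users
    )
    return [
        {"dest": dest, "user": user, "parent_process_name": parent, "process": cmd,
         "count": n, "threat_object": parent, "risk_object": dest,
         "risk_score": RISK_SCORE}
        for (dest, user, parent, cmd), n in sorted(counts.items())
    ]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS, authorized_users={"svc_helpdesk"}):
        print(alert)
```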
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
ATT&CK Techniques
  • T1078.001
Created: 2026-04-13