User Added to Remote Desktop Users Group

Sigma Rules

Summary
This detection rule identifies the addition of users to the 'Remote Desktop Users' group on Windows systems. It monitors process-creation (command-line) events for group-membership changes made with the 'localgroup' subcommand of net.exe or the PowerShell cmdlet 'Add-LocalGroupMember'; when such a command references the 'Remote Desktop Users' group, the event is flagged as a potential security incident. The rule cannot distinguish an administrator's legitimate change from an attacker's, so each hit should be triaged against change records and the account that ran the command. The activity is worth monitoring because membership in this group grants the right to log on to the host through Remote Desktop Services, which attackers use for lateral movement and persistence and as a foothold for further attacks or data exfiltration. The rule applies to Windows systems and is classified as high severity because of its association with privilege escalation and persistence tactics.
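The matching logic described above, run over a handful of constructed process-creation events. This is an added worked example and not the Sigma rule's own code; it assumes that "modifying group membership" with net localgroup means the /add switch is present (a bare 'net localgroup "Remote Desktop Users"' only lists members), and the optional match on the well-known SID S-1-5-32-555 of BUILTIN\Remote Desktop Users is an extension beyond the keyword match the summary describes.

```python
"""Worked example of the 'User Added to Remote Desktop Users Group' detection
logic over constructed sample events. Added for illustration; not the rule's
own code."""

from typing import Dict, Iterable, List

# Well-known SID of BUILTIN\Remote Desktop Users. Matching on it is an added
# extension beyond the plain keyword match the rule description gives.
RDP_USERS_SID = "s-1-5-32-555"


def matches_rdp_group_add(command_line: str, match_sid: bool = False) -> bool:
    """Return True when the command line adds a member to Remote Desktop Users.

    Implements the logic from the summary: a membership change made with
    'net localgroup ... /add' or 'Add-LocalGroupMember' that references the
    'Remote Desktop Users' group. Assumption: the /add switch is required for
    the net.exe form, so a plain membership listing is not flagged.
    """
    cl = command_line.lower()
    targets_group = "remote desktop users" in cl
    if match_sid:
        # Extension: catch the group addressed by SID instead of by name.
        targets_group = targets_group or RDP_USERS_SID in cl
    net_add = "localgroup" in cl and "/add" in cl
    ps_add = "add-localgroupmember" in cl
    return targets_group and (net_add or ps_add)


def run_detection(events: Iterable[Dict[str, str]], match_sid: bool = False) -> List[int]:
    """Return the indices of events whose CommandLine field matches the rule."""
    return [i for i, ev in enumerate(events)
            if matches_rdp_group_add(ev.get("CommandLine", ""), match_sid)]


# Constructed sample events in the shape of Sysmon Event ID 1 / Security 4688
# records, reduced to the two fields the detection uses. Not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net localgroup "Remote Desktop Users" CORP\\jdoe /add'},
    {"Image": r"C:\Windows\System32\net1.exe",           # net.exe hands off to net1.exe
     "CommandLine": 'net1 localgroup "Remote Desktop Users" backdoor /add'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -c Add-LocalGroupMember -Group "Remote Desktop Users" -Member svc_rdp'},
    {"Image": r"C:\Windows\System32\net.exe",            # different group: no match
     "CommandLine": "net localgroup Administrators /add helper"},
    {"Image": r"C:\Windows\System32\net.exe",            # enumeration only: no match
     "CommandLine": 'net localgroup "Remote Desktop Users"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # Group addressed by SID (the cmdlet's -SID parameter); evades the name match.
     "CommandLine": "powershell -c Add-LocalGroupMember -SID S-1-5-32-555 -Member svc_rdp"},
]


if __name__ == "__main__":
    for i in run_detection(SAMPLE_EVENTS):
        print("ALERT:", SAMPLE_EVENTS[i]["CommandLine"])
    print("indices matched with SID extension:", run_detection(SAMPLE_EVENTS, match_sid=True))
```

Running the block flags the three name-based additions (events 0 to 2) and leaves the Administrators change and the bare listing alone; only the match_sid extension catches the SID form in the last event. Because the rule as summarised is a case-insensitive substring match, it also misses localized group names on non-English Windows installations, so pairing it with the Security log's group-membership change events is a sensible complement.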
Categories
  • Endpoint
  • Windows
Data Sources
  • User Account
  • Process
Created: 2021-12-06