Create_Add Local_Domain User

Anvilogic Forge

Summary
This rule detects two related behaviours: the creation of user accounts and the addition of non-privileged users to privileged local or domain groups. It uses EDR process telemetry to identify account-management activity that may indicate account manipulation by a threat actor. The logic checks for execution of 'net.exe' or 'net1.exe' with arguments that create a user or add an account to a group, and a pattern search over the command line spots the common argument forms associated with these actions (for example 'user <name> ... /add' and 'localgroup' or 'group <group> <name> /add'). Several known threat groups and malware families use these commands for persistence, so the detection strengthens the security posture against account-manipulation attacks. It focuses on high-severity techniques, namely account manipulation (T1098) and the unauthorized creation of local or domain accounts (T1136), flagging changes to user permissions that could jeopardize the organization.
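As an added example (not the Anvilogic rule itself), the following Python sketch implements the logic the summary describes and runs it over constructed Sysmon-style process-creation events: it requires the image to be net.exe or net1.exe, tokenizes the command line with Windows quoting rules, requires an /add switch so that plain enumeration is not flagged, and maps the verb to the ATT&CK technique. The field names (Image, CommandLine), the privileged-group set and all sample command lines are assumptions chosen for illustration.

```python
"""Added example (not Anvilogic's rule code): a minimal reference
implementation of the detection logic the summary describes, run over
constructed Windows process-creation events. Event field names (Image,
CommandLine) and the sample command lines are assumptions for illustration."""
import shlex
from dataclasses import dataclass

# Groups whose membership changes count as privilege escalation.
# Assumption: extend this set for your environment (custom admin groups etc.).
PRIVILEGED_GROUPS = {
    "administrators", "domain admins", "enterprise admins", "schema admins",
    "account operators", "backup operators", "remote desktop users",
}
NET_BINARIES = {"net", "net.exe", "net1", "net1.exe"}


@dataclass(frozen=True)
class Finding:
    technique: str
    detail: str


def split_cmdline(cmdline: str) -> list[str]:
    """Tokenize a Windows command line: double quotes group arguments and
    backslashes are path separators, not escape characters."""
    lex = shlex.shlex(cmdline, posix=True)
    lex.whitespace_split = True
    lex.quotes = '"'
    lex.escape = ""
    lex.commenters = ""
    return list(lex)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def has_switch(switches: set[str], full: str) -> bool:
    """Approximates net.exe's switch matching: it accepts any unambiguous
    prefix (e.g. /del for /delete), so /ad must be treated like /add."""
    return any(full.startswith(s) and len(s) >= 3 for s in switches)


def detect(event: dict) -> list[Finding]:
    """Return findings for one process-creation event, or [] if benign."""
    if basename(event.get("Image", "")) not in NET_BINARIES:
        return []
    tokens = split_cmdline(event.get("CommandLine", ""))
    if len(tokens) < 2 or basename(tokens[0]) not in NET_BINARIES:
        return []
    verb = tokens[1].lower()
    switches = {t.lower() for t in tokens[2:] if t.startswith("/")}
    positional = [t for t in tokens[2:] if not t.startswith("/")]
    # "net user" or "net localgroup administrators" without /add is only
    # enumeration; the rule is about creating accounts and adding members.
    if not has_switch(switches, "/add"):
        return []
    domain = has_switch(switches, "/domain")
    if verb == "user" and positional:
        technique = "T1136.002" if domain else "T1136.001"
        return [Finding(technique, f"account created: {positional[0]}")]
    if verb in ("localgroup", "group") and len(positional) >= 2:
        group, member = positional[0], positional[1]
        if group.lower() in PRIVILEGED_GROUPS:
            scope = "domain" if (verb == "group" or domain) else "local"
            return [Finding("T1098", f"{member} added to {scope} group '{group}'")]
    return []


# Constructed sample events in a Sysmon-like shape; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net  user backup_svc "Winter2024!" /add'},
    {"Image": r"C:\Windows\System32\net1.exe",            # net1 called directly, /ad abbreviation
     "CommandLine": r"C:\Windows\System32\net1.exe localgroup Administrators backup_svc /ad"},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net group "Domain Admins" backup_svc /add /domain'},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user svc_deploy P@ssw0rd /add /domain"},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net localgroup Administrators"},          # enumeration only
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use Z: \\fileserver\share"},           # unrelated net verb
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe net_user_add.txt"},           # not net.exe at all
]


def run(events: list[dict]) -> list[tuple[int, list[Finding]]]:
    """Evaluate every event and pair each index with its findings."""
    return [(i, detect(e)) for i, e in enumerate(events)]


if __name__ == "__main__":
    for i, findings in run(SAMPLE_EVENTS):
        for f in findings:
            print(f"event {i}: {f.technique} {f.detail}")
```

The last three sample events are there to show what must not fire: listing a group, an unrelated 'net use', and a process that merely mentions the strings. A caveat a practitioner will want: an attacker can avoid net.exe entirely (PowerShell New-LocalUser and Add-LocalGroupMember, or direct API calls), so this process-based rule should be paired with the Windows Security events for the same actions (4720 for account creation, 4732 and 4728 for additions to local and global security groups).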
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Logon Session
  • Active Directory
ATT&CK Techniques
  • T1078.003
  • T1136.001
  • T1136.002
  • T1098
Created: 2024-02-09