
Summary
This detection rule identifies attempts to enumerate local groups on Linux systems, a common activity performed by adversaries seeking to gather information about the system's user accounts and their respective permissions. The rule uses process creation logs to detect commands typically associated with group enumeration: process images ending in '/groups', or reads of the '/etc/group' file through readers such as '/cat', '/head', '/tail', or '/more'. By tracking these commands, the rule flags potentially suspicious behavior indicative of reconnaissance by attackers. Because this activity can also arise from legitimate administrative tasks, the rule is designed to alert on it so that such actions can be quickly investigated and any potential breach mitigated. The rule is intended to provide close monitoring of group enumeration actions to enhance overall system security.
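As an added example (not the rule's own implementation or any SIEM query), the following Python reproduces the selection logic described above and runs it over a few constructed process-creation events. The field names 'Image' and 'CommandLine', the exact reader list, and the sample events are assumptions made for the illustration; the last sample shows a group lookup via a different utility that this rule, as described, does not cover, which is the kind of gap a detection engineer would want to note.

```python
# Illustrative matcher for the "local groups enumeration on Linux" logic:
#   selection 1: executable path ends with '/groups'
#   selection 2: executable path ends with one of the readers below AND the
#                command line references /etc/group
# Field names (Image, CommandLine) are assumed to mirror typical
# process-creation telemetry; this is example code, not the rule itself.

READERS = ("/cat", "/head", "/tail", "/more")


def match_reason(event: dict):
    """Return a short reason string when the event matches, else None."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    # Selection 1: the 'groups' utility, matched on the executable path suffix
    if image.endswith("/groups"):
        return "groups utility executed"
    # Selection 2: a generic file reader pointed at /etc/group
    if image.endswith(READERS) and "/etc/group" in cmdline:
        return "/etc/group read via " + image.rsplit("/", 1)[-1]
    return None


def matches_group_enumeration(event: dict) -> bool:
    """Boolean form of the rule for simple filtering."""
    return match_reason(event) is not None


def detect_all(events):
    """Return [(event, reason)] for every event that matches the rule."""
    hits = []
    for event in events:
        reason = match_reason(event)
        if reason is not None:
            hits.append((event, reason))
    return hits


# Constructed sample events (not real telemetry). The 'User' field is only
# carried along so an analyst can see who ran the command during triage.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/groups", "CommandLine": "groups", "User": "www-data"},
    {"Image": "/usr/bin/cat", "CommandLine": "cat /etc/group", "User": "alice"},
    {"Image": "/usr/bin/cat", "CommandLine": "cat /etc/hostname", "User": "alice"},
    {"Image": "/usr/bin/tail", "CommandLine": "tail -n 5 /etc/group", "User": "root"},
    # Not matched by the described logic: same information, different utility.
    {"Image": "/usr/bin/getent", "CommandLine": "getent group", "User": "bob"},
]

if __name__ == "__main__":
    for event, reason in detect_all(SAMPLE_EVENTS):
        print(f"[T1069.001] user={event['User']} cmd={event['CommandLine']!r}: {reason}")
```

When tuning this in production, the match on 'User' and parent process is where false positives from routine administration get filtered; the 'getent group' sample is a reminder that suffix-based image matching only covers the utilities the rule enumerates.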
Categories
- Linux
- Endpoint
- Infrastructure
Data Sources
- Process
ATT&CK Techniques
- T1069.001
Created: 2020-10-11