Permission Groups Discovery: Domain Groups

Anvilogic Forge

Summary
This detection rule identifies adversary attempts to discover domain-level groups and their permissions within a network. Using Windows event logs, it detects the commands and queries used to enumerate Active Directory group membership and local groups on Windows hosts, information an adversary needs in order to understand user privileges within a domain. Group enumeration of this kind can signal reconnaissance by threat actors such as Mustang Panda, among others. The Splunk logic captures EventCode=4688 (process creation) events whose command lines contain the commands and PowerShell queries adversaries typically use to enumerate groups in a domain environment. The output summarizes the key metadata of the process involved, making potential threats easier for security analysts to triage.
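The rule's logic is not reproduced on this page, so the following is an added illustration, not Anvilogic's rule content: a small Python detector that applies the same idea (filter to EventCode=4688, match the command line against group-enumeration patterns, emit process metadata) to a few constructed Security-log records. The key=value field names, the sample events and the pattern list are all assumptions chosen for the example; in Splunk's Windows add-on the fields appear under names such as New_Process_Name and Process_Command_Line.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample records (not real telemetry) in a key=value style such as
# a SIEM might forward Windows Security events. CommandLine is kept as the
# trailing field because it can contain spaces and quotes.
SAMPLE_EVENTS = [
    r'EventCode=4688 ComputerName=WS01.corp.local SubjectUserName=jdoe '
    r'ParentProcessName=C:\Windows\System32\cmd.exe '
    r'NewProcessName=C:\Windows\System32\net.exe '
    r'CommandLine=net group "Domain Admins" /domain',
    r'EventCode=4688 ComputerName=WS01.corp.local SubjectUserName=jdoe '
    r'ParentProcessName=C:\Windows\explorer.exe '
    r'NewProcessName=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'CommandLine=powershell.exe -NoP -c "Get-ADGroupMember -Identity Domain Admins"',
    r'EventCode=4688 ComputerName=SRV02.corp.local SubjectUserName=svc_backup '
    r'ParentProcessName=C:\Windows\System32\cmd.exe '
    r'NewProcessName=C:\Windows\System32\net.exe '
    r'CommandLine=net localgroup administrators',
    r'EventCode=4688 ComputerName=WS01.corp.local SubjectUserName=jdoe '
    r'ParentProcessName=C:\Windows\System32\cmd.exe '
    r'NewProcessName=C:\Windows\System32\net.exe '
    r'CommandLine=net use Z: \\fs01\share',
    r'EventCode=4624 ComputerName=WS01.corp.local SubjectUserName=jdoe LogonType=3',
]

# Illustrative group-enumeration patterns keyed by the ATT&CK sub-technique
# they map to (local groups vs. domain groups). This list is an assumption
# for the example, not the vendor's rule content.
GROUP_ENUM_PATTERNS = {
    "T1069.001": [
        r"\bnet1?(?:\.exe)?\s+localgroup\b",
        r"\bGet-LocalGroup(?:Member)?\b",
    ],
    "T1069.002": [
        r"\bnet1?(?:\.exe)?\s+group\b",
        r"\bGet-ADGroup(?:Member)?\b",
        r"\bGet-ADPrincipalGroupMembership\b",
        r"\bdsquery(?:\.exe)?\s+group\b",
    ],
}
COMPILED = {tech: [re.compile(p, re.IGNORECASE) for p in pats]
            for tech, pats in GROUP_ENUM_PATTERNS.items()}

# Everything before an optional trailing "CommandLine=" is simple key=value tokens.
EVENT_RE = re.compile(r"^(?P<head>.*?)(?:\s+CommandLine=(?P<cmd>.*))?$")


@dataclass
class Alert:
    """Process metadata summarised for the analyst, as the rule output does."""
    technique: str
    host: str
    user: str
    parent: str
    process: str
    command_line: str


def parse_event(line: str) -> dict:
    """Parse one key=value record into a dict; CommandLine may be absent."""
    m = EVENT_RE.match(line)
    fields = dict(kv.split("=", 1) for kv in m.group("head").split() if "=" in kv)
    fields["CommandLine"] = m.group("cmd") or ""
    return fields


def match_technique(command_line: str) -> Optional[str]:
    """Return the first sub-technique whose patterns match, or None."""
    for tech, regs in COMPILED.items():
        if any(r.search(command_line) for r in regs):
            return tech
    return None


def detect(lines: List[str]) -> List[Alert]:
    """Apply the rule: only process-creation events, only enumeration command lines."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventCode") != "4688":
            continue
        tech = match_technique(ev["CommandLine"])
        if tech is None:
            continue
        alerts.append(Alert(tech, ev.get("ComputerName", "?"), ev.get("SubjectUserName", "?"),
                            ev.get("ParentProcessName", "?"), ev.get("NewProcessName", "?"),
                            ev["CommandLine"]))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.technique} {a.host} {a.user} {a.process} :: {a.command_line}")
```

Two caveats worth keeping in mind when porting this idea to production telemetry: EventCode=4688 only carries the command line when the "Include command line in process creation events" audit setting is enabled, so the third and fourth records above would be indistinguishable without it; and the benign `net use` record shows why the match must be on the command line rather than on the process name alone, since `net.exe` is used routinely by administrators.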
Categories
  • Windows
  • Network
  • Endpoint
Data Sources
  • Windows Registry
  • Process
  • Logon Session
  • Active Directory
ATT&CK Techniques
  • T1069.001
  • T1069.002
  • T1069
Created: 2024-02-09