
Summary
This analytic rule detects potential abuse of the built-in local Administrator account through credential stuffing on Windows endpoints. It analyzes Windows Security event log entries for successful (Event ID 4624) and failed (Event ID 4625) logons and fires when the Administrator account is used in logon attempts against more than 30 distinct endpoints within a 5-minute window. Such a pattern suggests that an attacker is replaying a compromised or guessed Administrator password across many systems, which carries a substantial risk of privilege escalation and network-wide compromise. The detection requires logon auditing (success and failure) to be enabled and the Security log collected from endpoints; false positives can come from automated system-management tools or vulnerability scanners that authenticate as Administrator across the fleet, so known sources should be allowlisted and the threshold tuned to the environment.
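As an added illustration (not the rule's own query, which this page does not reproduce), the following Python re-implements the detection logic over a constructed batch of 4624/4625 events: it keeps only logon attempts targeting the Administrator account, slides a 5-minute window over them, counts distinct endpoints (`Computer`) inside the window and raises one alert per burst that exceeds the threshold. It goes slightly beyond the summary by using a sliding window instead of fixed 5-minute bins (so a spray straddling a bin boundary is still caught) and by taking an allowlist of source addresses to suppress scanners. The JSON field names (`TimeCreated`, `EventID`, `Computer`, `TargetUserName`, `IpAddress`), the host names and the IP addresses are assumptions made for the example; all events are constructed inline.

```python
"""Toy re-implementation of the 'Administrator credential stuffing' analytic.

Added example, not the page's own detection code. Input: Windows Security
events (4624 success / 4625 failure) as JSON lines with assumed field names.
Logic: for every logon attempt targeting the built-in Administrator account,
count the distinct endpoints hit inside a sliding 5-minute window and alert
when more than THRESHOLD distinct endpoints are seen.
"""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

LOGON_EVENTS = {4624, 4625}          # successful and failed logon
THRESHOLD = 30                       # "more than 30 different endpoints"
WINDOW = timedelta(minutes=5)


def parse_event(line):
    """Parse one JSON event into (timestamp, host, user, source_ip, event_id)."""
    e = json.loads(line)
    return (datetime.fromisoformat(e["TimeCreated"]), e["Computer"],
            e["TargetUserName"], e.get("IpAddress", "-"), int(e["EventID"]))


def is_admin_logon(ev, exclude_sources):
    """True for 4624/4625 events targeting 'Administrator' from a non-allowlisted source.
    Caveat: a renamed built-in account is missed by a name match."""
    _, _, user, src, eid = ev
    return eid in LOGON_EVENTS and user.lower() == "administrator" and src not in exclude_sources


def detect(lines, threshold=THRESHOLD, window=WINDOW, exclude_sources=frozenset()):
    """Return one alert dict per burst in which > threshold distinct endpoints
    saw Administrator logon attempts within `window`."""
    events = sorted((e for e in map(parse_event, lines) if is_admin_logon(e, exclude_sources)),
                    key=lambda e: e[0])
    alerts, hosts, left, firing = [], Counter(), 0, False
    for right, (ts, host, _, _, _) in enumerate(events):
        hosts[host] += 1
        # Evict events older than the window from the left edge.
        while ts - events[left][0] > window:
            old = events[left][1]
            hosts[old] -= 1
            if not hosts[old]:
                del hosts[old]
            left += 1
        if len(hosts) > threshold and not firing:
            firing = True        # suppress repeats until the burst subsides
            alerts.append({
                "window_start": events[left][0],
                "window_end": ts,
                "distinct_endpoints": len(hosts),
                "sources": sorted({e[3] for e in events[left:right + 1]}),
            })
        elif len(hosts) <= threshold:
            firing = False
    return alerts


# --- constructed sample data (assumed field names and addresses) ---------------
_BASE = datetime(2024, 11, 13, 9, 0, tzinfo=timezone.utc)


def make_event(minute, second, host, user, src, event_id):
    ts = _BASE + timedelta(minutes=minute, seconds=second)
    return json.dumps({"TimeCreated": ts.isoformat(), "EventID": event_id,
                       "Computer": host, "TargetUserName": user, "IpAddress": src})


SAMPLE_LINES = (
    # benign: ordinary users on their own workstations
    [make_event(0, 10, "WS-001", "alice", "10.0.1.10", 4624),
     make_event(1, 5, "WS-002", "bob", "10.0.1.11", 4625)]
    # attacker at 10.0.9.99 spraying Administrator against 35 hosts in ~3 minutes
    + [make_event(2, 5 * i, f"WS-{i:03d}", "Administrator", "10.0.9.99", 4625) for i in range(35)]
    # vulnerability scanner at 10.0.0.5 authenticating as Administrator to 40 servers
    + [make_event(20, 4 * i, f"SRV-{i:03d}", "administrator", "10.0.0.5", 4624) for i in range(40)]
)

if __name__ == "__main__":
    for a in detect(SAMPLE_LINES, exclude_sources=frozenset({"10.0.0.5"})):
        print(f"{a['window_start']:%H:%M:%S}-{a['window_end']:%H:%M:%S} "
              f"{a['distinct_endpoints']} endpoints from {a['sources']}")
```

Run without an allowlist the sample produces two alerts (the attacker and the scanner); with `10.0.0.5` allowlisted only the attacker burst remains, which is the tuning the summary calls for. One further caveat a practitioner should keep in mind: matching on `TargetUserName` misses a renamed built-in account. For 4624 the `TargetUserSid` (RID 500) is the robust key, but failed 4625 events usually carry a null SID because the account was never resolved, so a name match is still needed for the failure side.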
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Application Log
- Logon Session
ATT&CK Techniques
- T1110
- T1110.004
Created: 2024-11-13