
Summary
This detection rule identifies unusual processes enumerating the membership of built-in Windows privileged local groups such as 'Administrators' or 'Remote Desktop Users'. Such enumeration can indicate that attackers are assessing their environment after gaining access, for example to map targets or to prepare for credential compromise. The rule relies on Windows event logs shipped by Winlogbeat and other log sources, using a structured KQL query to select the specific events that record a group-membership query under suspicious circumstances while excluding known legitimate processes to reduce false positives. The investigation notes suggest examining the associated process, the user's behaviour, and any corroborating alerts that might indicate malicious activity.
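The filtering logic the summary describes, re-implemented in Python over constructed events as an added illustration (this is not the rule's own KQL query, and the page does not show it). Assumptions made here: the rule keys on Windows Security event 4799 ("A security-enabled local group membership was enumerated"), whose CallerProcessName field names the enumerating process and whose TargetUserName field names the group; the privileged-group set is limited to the two groups the summary names; and the exclusion list of legitimate processes is a placeholder, since the page does not list the real one.

```python
"""Illustrative re-implementation of the detection logic summarised above.

Assumed (not stated on the page): the rule matches Windows Security event 4799,
using CallerProcessName for the enumerating process and TargetUserName for the
group being enumerated.
"""
from collections import defaultdict
from dataclasses import dataclass

# Groups named in the summary; the real rule may include more.
PRIVILEGED_LOCAL_GROUPS = {"Administrators", "Remote Desktop Users"}

# Assumed exclusion list for this example only; the rule's real list is not on
# the page. Compared case-insensitively because Windows paths are.
KNOWN_LEGITIMATE_PROCESSES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\vssvc.exe",
}


@dataclass(frozen=True)
class GroupEnumerationEvent:
    """Subset of a Windows Security event relevant to this detection."""
    event_id: int
    host: str
    subject_user: str     # SubjectUserName: who performed the query
    target_group: str     # TargetUserName: the group whose members were listed
    caller_process: str   # CallerProcessName: the process that made the query


def is_suspicious(ev: GroupEnumerationEvent) -> bool:
    """Apply the rule's three filters: right event, privileged group, not excluded."""
    if ev.event_id != 4799:
        return False
    if ev.target_group not in PRIVILEGED_LOCAL_GROUPS:
        return False
    if ev.caller_process.lower() in KNOWN_LEGITIMATE_PROCESSES:
        return False
    return True


def find_suspicious(events):
    """Return the events that would fire the detection."""
    return [ev for ev in events if is_suspicious(ev)]


def summarize(events):
    """Group hits by (host, user, process) so an analyst sees which groups one
    process enumerated, which is the context the investigation notes ask for."""
    by_actor = defaultdict(set)
    for ev in find_suspicious(events):
        by_actor[(ev.host, ev.subject_user, ev.caller_process.lower())].add(ev.target_group)
    return {actor: sorted(groups) for actor, groups in by_actor.items()}


# Constructed sample events; none of these values come from real telemetry.
SAMPLE_EVENTS = [
    # Excluded: a known legitimate process enumerating a privileged group.
    GroupEnumerationEvent(4799, "WS01", "jdoe", "Administrators",
                          r"C:\Windows\System32\svchost.exe"),
    # Hits: an unexpected binary in a temp directory enumerating two privileged groups.
    GroupEnumerationEvent(4799, "WS01", "jdoe", "Remote Desktop Users",
                          r"C:\Users\jdoe\AppData\Local\Temp\unknown.exe"),
    GroupEnumerationEvent(4799, "WS01", "jdoe", "Administrators",
                          r"C:\Users\jdoe\AppData\Local\Temp\unknown.exe"),
    # Not a hit: the group is not in the privileged set used by this example.
    GroupEnumerationEvent(4799, "SRV02", "svc_backup", "Backup Operators",
                          r"C:\Users\svc_backup\tool.exe"),
    # Not a hit: a different event id (4798 is a user's group membership, not a group's).
    GroupEnumerationEvent(4798, "WS01", "jdoe", "Administrators",
                          r"C:\Users\jdoe\AppData\Local\Temp\unknown.exe"),
]


if __name__ == "__main__":
    for actor, groups in summarize(SAMPLE_EVENTS).items():
        host, user, proc = actor
        print(f"{host}: {user} via {proc} enumerated {', '.join(groups)}")
```

Running the block reports one actor on WS01 that enumerated both privileged groups through an unexpected executable, while the legitimate system process, the non-privileged group and the unrelated event id are all dropped. Keeping the exclusion comparison case-insensitive matters in practice: an exclusion written with one capitalisation and an event logged with another would otherwise slip through as a false positive.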
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- Network Traffic
- Logon Session
ATT&CK Techniques
- T1069
- T1069.001
Created: 2020-10-15