
Summary
This analytic rule detects modifications to privileged groups in Active Directory: the creation, deletion, renaming, or membership change of high-privilege groups such as "Administrators" and "Domain Admins". It leverages the Windows Security event codes that record these group-management operations (the events are only generated when the Audit Security Group Management subcategory is enabled on domain controllers, so verify that audit policy before relying on the rule). The detection is relevant to the VMware ESXi Active Directory integration authentication bypass (CVE-2024-37085): a domain-joined ESXi host grants full administrative access to members of a domain group named "ESX Admins", which is not a built-in group and does not exist by default, so an attacker with rights to manage groups in the domain can create that group, or rename an existing group to that name, and add an account to it to take control of the hypervisor. Alerting on privileged-group changes, including the sudden appearance of or membership additions to "ESX Admins", surfaces this abuse path alongside the more general misuse of administrative groups. By tracking events related to group changes, the rule aims to identify potentially malicious actions and support strict control over privileged access.
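The following is an added example of the detection logic described above, written here for illustration and not the rule's own search. It walks Windows Security group-management events (the standard event IDs for security-enabled group creation, deletion, change, membership change and account rename), flags those that touch a watch list of privileged groups, and treats "ESX Admins" as privileged so that the CVE-2024-37085 path (creating or renaming a group to that name, then adding a member) is caught. The watch list, the field names (taken from the EventData fields Windows writes for these events) and the sample events are constructed for the example; in production the same logic would run as a SIEM search over the forwarded Security log.

```python
"""Privileged-group change detection over Windows Security events (added example)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Standard Windows Security audit IDs for security-enabled global / local / universal groups.
GROUP_CREATED = {4727, 4731, 4754}
GROUP_DELETED = {4730, 4734, 4758}
GROUP_CHANGED = {4735, 4737, 4755}
MEMBER_ADDED = {4728, 4732, 4756}
MEMBER_REMOVED = {4729, 4733, 4757}
ACCOUNT_RENAMED = {4781}   # "The name of an account was changed" (covers group renames)

# Constructed watch list; extend to fit the environment.
PRIVILEGED_GROUPS = frozenset(name.casefold() for name in (
    "Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Account Operators", "Backup Operators", "Server Operators",
    "ESX Admins",  # not built in; its creation is the CVE-2024-37085 abuse path
))


@dataclass(frozen=True)
class Finding:
    event_code: int
    action: str
    group: str
    actor: str
    member: Optional[str] = None


def _norm(name: str) -> str:
    # Collapse whitespace and casefold so variants such as "esx  admins" are not missed.
    return " ".join(name.split()).casefold()


def is_privileged(group: str) -> bool:
    return _norm(group) in PRIVILEGED_GROUPS


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding if the event modifies a privileged group, else None."""
    code = int(event.get("EventCode", 0))
    actor = event.get("SubjectUserName", "?")

    if code in ACCOUNT_RENAMED:
        old = event.get("OldTargetUserName", "")
        new = event.get("NewTargetUserName", "")
        if is_privileged(old) or is_privileged(new):
            return Finding(code, "renamed", f"{old} -> {new}", actor)
        return None

    group = event.get("TargetUserName", "")   # group name for group-management events
    if not is_privileged(group):
        return None
    if code in GROUP_CREATED:
        return Finding(code, "created", group, actor)
    if code in GROUP_DELETED:
        return Finding(code, "deleted", group, actor)
    if code in GROUP_CHANGED:
        return Finding(code, "changed", group, actor)
    if code in MEMBER_ADDED:
        return Finding(code, "member_added", group, actor, event.get("MemberName"))
    if code in MEMBER_REMOVED:
        return Finding(code, "member_removed", group, actor, event.get("MemberName"))
    return None


def detect(events: Iterable[dict]) -> List[Finding]:
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed sample events mirroring the EventData fields of the real audit records.
SAMPLE_EVENTS = [
    {"EventCode": 4727, "SubjectUserName": "jsmith", "TargetUserName": "ESX Admins"},
    {"EventCode": 4728, "SubjectUserName": "jsmith", "TargetUserName": "ESX Admins",
     "MemberName": "CN=jsmith,CN=Users,DC=corp,DC=example"},
    {"EventCode": 4728, "SubjectUserName": "hr-admin", "TargetUserName": "Marketing",
     "MemberName": "CN=alee,CN=Users,DC=corp,DC=example"},
    {"EventCode": 4781, "SubjectUserName": "jsmith", "OldTargetUserName": "Helpdesk",
     "NewTargetUserName": "esx admins"},
    {"EventCode": 4732, "SubjectUserName": "svc-deploy", "TargetUserName": "Administrators",
     "MemberName": "CN=svc-backup,CN=Users,DC=corp,DC=example"},
    {"EventCode": 4624, "SubjectUserName": "alee", "TargetUserName": "alee"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Running the block prints four findings: the creation of "ESX Admins", the membership addition to it, the rename of "Helpdesk" to "esx admins", and the addition to the local "Administrators" group; the "Marketing" change and the logon event are ignored. A rename into a privileged name is flagged on the new name deliberately, since that is how an attacker can produce an "ESX Admins" group without ever generating a creation event for that name.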
Categories
- Windows
- Endpoint
- On-Premise
- Infrastructure
Data Sources
- Windows Registry
- User Account
- Logon Session
- Active Directory
ATT&CK Techniques
- T1136.001
- T1136.002
Created: 2024-11-13