
Summary
This detection rule identifies account discovery commands executed on Windows systems, which may indicate an adversary's intent to map out local accounts. Adversaries use commands that query user and group information, such as 'net user', 'net localgroup', and 'Get-LocalGroupMember', among others. These commands reveal which user accounts exist on a system, helping an attacker pick targets for lateral movement or credential harvesting. The rule uses a regex pattern to detect these commands in process logs from the CrowdStrike platform, and it excludes commands that add or delete accounts so that only discovery activity is flagged. It is useful for monitoring reconnaissance behavior in an enterprise environment and raising timely alerts when suspicious account discovery attempts are detected.
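The matching logic the summary describes, shown here as an added example rather than the rule's own pattern or CrowdStrike query syntax: the regex, the add/delete exclusion, the T1087.001/T1087.002 mapping and the sample command lines are all constructed assumptions for illustration. The example also handles 'net group' and 'Get-LocalUser', which the summary only implies with "among others", and includes near-miss negatives ('net use') to show where the pattern boundary sits.

```python
import re

# Assumed discovery pattern (not the rule's real regex). Matches the account
# enumeration forms named in the summary plus the closely related 'net group'
# and 'Get-LocalUser'. Case-insensitive, verbose for readability.
DISCOVERY_RE = re.compile(r"""(?ix)
    \b(?:
        net1?\s+(?:user|localgroup|group)\b      # net / net1 user|localgroup|group
      | Get-Local(?:User|GroupMember)\b           # PowerShell LocalAccounts cmdlets
    )
""")

# Assumed exclusion: account creation/removal switches are out of scope
# (those map to T1136, not to discovery).
EXCLUSION_RE = re.compile(r"(?i)(?:^|\s)/(?:add|delete)\b")

# Assumed mapping heuristic: a /domain switch or 'net group' queries the
# domain (T1087.002); everything else is treated as local (T1087.001).
DOMAIN_RE = re.compile(r"(?i)(?:\s/domain\b|\bnet1?\s+group\b)")

# Constructed sample process events (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4120, "cmdline": "net user"},
    {"pid": 4121, "cmdline": "net  localgroup administrators"},
    {"pid": 4122, "cmdline": "net1 user /domain"},
    {"pid": 4123, "cmdline": 'powershell -c "Get-LocalGroupMember -Group Administrators"'},
    {"pid": 4124, "cmdline": 'net group "Domain Admins" /domain'},
    {"pid": 4125, "cmdline": "net user backup_svc P@ss /add"},                 # excluded
    {"pid": 4126, "cmdline": "net localgroup administrators tempuser /delete"},  # excluded
    {"pid": 4127, "cmdline": "net use \\\\fileserver\\share"},                  # not discovery
    {"pid": 4128, "cmdline": "ipconfig /all"},                                   # unrelated
]


def classify(cmdline: str) -> str:
    """Return 'discovery', 'excluded' (add/delete form) or 'no_match'."""
    if not DISCOVERY_RE.search(cmdline):
        return "no_match"
    if EXCLUSION_RE.search(cmdline):
        return "excluded"
    return "discovery"


def technique_for(cmdline: str) -> str:
    """Assumed sub-technique assignment for a matched discovery command."""
    return "T1087.002" if DOMAIN_RE.search(cmdline) else "T1087.001"


def detect(events):
    """Run the rule over process events; return alerts with a technique tag."""
    alerts = []
    for ev in events:
        if classify(ev["cmdline"]) == "discovery":
            alerts.append({**ev, "technique": technique_for(ev["cmdline"])})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"pid={alert['pid']} {alert['technique']} :: {alert['cmdline']}")
```

Running the block alerts on the first five sample events and stays silent on the add/delete forms and on 'net use', which differs from 'net user' only by the trailing word boundary the regex requires.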
Categories
- Windows
- Endpoint
Data Sources
- Process
ATT&CK Techniques
- T1087.001
- T1087.002
- T1087
- T1136.002
- T1136.001
Created: 2024-02-09