
Summary
This detection rule identifies suspicious reconnaissance performed from the command line on Windows systems with the Net.EXE utility. It targets commands that query network groups or user accounts, a common precursor to later attack stages such as lateral movement. Several conditions are evaluated: whether the process image is Net.EXE or Net1.EXE, the command line that was executed, and the context of the user who ran it. When that user is a known service account or SYSTEM, the match receives additional scrutiny. The detection logic combines specific command patterns that enumerate groups and accounts with an exclusion for benign commands that add members to a group. False positives can arise from legitimate administrative activity or from inventory tools that occasionally run similar commands. Implementing this detection helps security teams catch early signs of unauthorized reconnaissance by threat actors.
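The following Python snippet is an added illustration of the conditions described above, run over a handful of constructed process-creation events; it is not the rule's own logic or code from its authors. The verb list (group, localgroup, user, accounts), the "/add" exclusion, the "svc_" / "svc-" service-account naming hint and the severity labels are assumptions made for the example.

```python
"""Illustrative check for Net.EXE / Net1.EXE group and account reconnaissance.

Events use simplified Sysmon Event ID 1 style fields (Image, CommandLine, User).
All sample data below is constructed for this example, not real telemetry.
"""

# Process images the rule cares about (matched as a path suffix, case-insensitively).
NET_IMAGES = ("\\net.exe", "\\net1.exe")

# Assumed set of net.exe verbs that enumerate groups or accounts.
RECON_VERBS = {"group", "localgroup", "user", "accounts"}

# Group additions are treated as benign administrative activity and excluded.
ADD_SWITCH = "/add"

# Assumed naming convention for service accounts; adjust to the environment.
SERVICE_ACCOUNT_HINTS = ("svc_", "svc-")

# Constructed sample events: three should match, three should not.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net group "Domain Admins" /domain', "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\net1.exe",
     "CommandLine": "net1 localgroup administrators", "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net localgroup administrators bob /add", "User": r"CORP\helpdesk"},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use Z: \\fileserver\share", "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net accounts /domain", "User": r"CORP\svc_inventory"},
    # cmd.exe is the parent here; the child net.exe would be its own event.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c net user /domain", "User": r"CORP\jdoe"},
]


def _tokens(cmdline):
    """Split a command line on whitespace, dropping surrounding quotes and case."""
    return [t.strip('"').lower() for t in cmdline.split() if t.strip('"')]


def is_net_recon(event):
    """True when the event is net.exe/net1.exe querying groups or accounts
    and is not a group addition."""
    image = event.get("Image", "").lower()
    if not image.endswith(NET_IMAGES):
        return False
    toks = _tokens(event.get("CommandLine", ""))
    if len(toks) < 2:
        return False
    verb = toks[1]  # toks[0] is the executable name
    if verb not in RECON_VERBS:
        return False
    if ADD_SWITCH in toks:
        return False
    return True


def is_privileged_context(user):
    """True for SYSTEM or an account matching the assumed service-account hint."""
    u = user.lower()
    account = u.split("\\")[-1]
    return u.endswith("\\system") or any(h in account for h in SERVICE_ACCOUNT_HINTS)


def classify(event):
    """Return None for no match, otherwise an assumed severity label.
    Service accounts and SYSTEM get the extra scrutiny the rule describes."""
    if not is_net_recon(event):
        return None
    return "high" if is_privileged_context(event.get("User", "")) else "medium"


def scan(events):
    """Return (CommandLine, severity) for every matching event, in input order."""
    hits = []
    for e in events:
        sev = classify(e)
        if sev:
            hits.append((e["CommandLine"], sev))
    return hits


if __name__ == "__main__":
    for cmd, sev in scan(SAMPLE_EVENTS):
        print(f"[{sev}] {cmd}")
```

The verb check is positional on purpose: matching the substring "user" anywhere in the command line would also fire on `net use`, whereas looking at the token after the executable name keeps that benign command out. The "/add" exclusion mirrors the rule's filter for group additions, so the helpdesk event above is dropped even though it names a group.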
Categories
- Windows
- Endpoint
Data Sources
- Process
- User Account
Created: 2019-01-16