Group Membership Reconnaissance Via Whoami.EXE

Sigma Rules

Summary
This detection rule identifies potential reconnaissance by attackers using the Windows command-line tool 'whoami.exe'. Specifically, it targets execution of 'whoami.exe' with the '/group' command-line option, which reveals the user's group memberships, account types, the associated security identifiers (SIDs), and the attributes attached to each group. Such information lets an attacker enumerate groups, identify privileged accounts, and plan further attack steps. The rule uses process creation logs to spot instances where 'whoami.exe' is invoked with the command-line options associated with group enumeration: it monitors the Windows process creation category for indicators of 'whoami.exe' execution, aiding the detection of unauthorized reconnaissance of an organization's user permissions and group affiliations.
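As an added example, not the rule's own YAML and not code from the Sigma project, the matching logic the summary describes is run below over a few constructed process-creation records. Field names follow the Sysmon Event ID 1 convention (Image, OriginalFileName, CommandLine), and the OriginalFileName check is an assumption about how the rule handles a renamed binary, not something the summary states.

```python
import json
from typing import Dict, List

# Constructed Sysmon Event ID 1 (process creation) style records; not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\whoami.exe", "OriginalFileName": "whoami.exe",
     "CommandLine": "whoami /groups", "User": "CORP\\jdoe"},
    {"Image": r"C:\Windows\System32\whoami.exe", "OriginalFileName": "whoami.exe",
     "CommandLine": "whoami", "User": "CORP\\jdoe"},
    # Binary copied under another name; the PE's OriginalFileName still identifies it.
    {"Image": r"C:\Users\Public\wh.exe", "OriginalFileName": "whoami.exe",
     "CommandLine": "wh.exe -GROUPS", "User": "CORP\\svc_backup"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c net group", "User": "CORP\\jdoe"},
]

IMAGE_SUFFIX = "\\whoami.exe"
ORIGINAL_NAME = "whoami.exe"          # assumption: rule also keys on OriginalFileName
GROUP_FLAGS = (" /group", " -group")  # substring ' /group' also covers ' /groups'


def is_whoami_group_recon(event: Dict[str, str]) -> bool:
    """Return True when the record looks like whoami.exe enumerating group membership.

    Two conditions must both hold, as the summary describes: the process is
    whoami.exe (by image path, or by original file name for a renamed copy) AND
    the command line carries a group-enumeration flag. All comparisons are
    case-insensitive, matching Sigma's default string semantics.
    """
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    is_whoami = image.endswith(IMAGE_SUFFIX) or original == ORIGINAL_NAME
    has_group_flag = any(flag in cmdline for flag in GROUP_FLAGS)
    return is_whoami and has_group_flag


def find_matches(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter a batch of process-creation records down to the ones the rule would fire on."""
    return [e for e in events if is_whoami_group_recon(e)]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(json.dumps(hit))
```

Only the first and third records fire: a bare `whoami` with no flag and an unrelated `net group` invocation from cmd.exe are left alone.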
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2023-02-28