
Summary
This detection rule, aimed at uncovering reconnaissance within an Active Directory domain, focuses on the invocation of the `net.exe` or `net1.exe` command line utilities. Detecting these commands can alert security teams when an attacker attempts to discover the domain password policy, a common precursor to brute-force or credential stuffing attacks. The analytic is based on data from Endpoint Detection and Response (EDR) systems and leverages specific event logs, particularly Sysmon and Windows Security logs, to identify the execution of these commands together with their arguments. While this action can also be performed by legitimate administrators, its detection is important because it may indicate pre-attack activity by adversaries. Note: This analytical content has been deprecated and is no longer maintained.
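The following is an added example, not the rule's own search logic or any code from the project it belongs to. It runs the detection described above over a handful of constructed process-creation events (a flattened Sysmon Event ID 1 / Security 4688-like shape; the field names `host`, `user`, `image`, `parent_image` and `command_line` are assumptions for this example). It assumes the "relevant arguments" are the `accounts` subcommand, with `/domain` distinguishing a domain-wide query from a local one, and it folds the `net1.exe` child that `net.exe` normally hands off to into its parent's match so one command does not raise two alerts.

```python
import re
from pathlib import PureWindowsPath

# Binaries the rule keys on (from the page).
NET_BINARIES = {"net.exe", "net1.exe"}

# Constructed sample events. Field names are assumptions for this example,
# not the rule's real field mapping.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\net.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'"C:\Windows\System32\net.exe" accounts /domain'},
    # net.exe usually spawns net1.exe with the same arguments; this is that child.
    {"host": "WS01", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\net1.exe",
     "parent_image": r"C:\Windows\System32\net.exe",
     "command_line": r'C:\Windows\System32\net1.exe accounts /domain'},
    # Ordinary net.exe use that is not password-policy discovery.
    {"host": "WS02", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\net.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'net use Z: \\fs01\backup'},
    # Local (not domain) policy query, upper-case to show matching is case-insensitive.
    {"host": "DC01", "user": "CORP\\admin1",
     "image": r"C:\Windows\System32\net.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'NET ACCOUNTS'},
    # Same argument text under a different binary must not match.
    {"host": "WS03", "user": "CORP\\asmith",
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'notepad.exe accounts.txt /domain'},
]

# Split a Windows command line into tokens, keeping quoted paths whole.
_TOKEN = re.compile(r'"[^"]*"|\S+')


def tokenize(command_line):
    return [t.strip('"') for t in _TOKEN.findall(command_line)]


def classify(event):
    """Return a match record if the event is a net.exe/net1.exe password-policy
    query, else None. Only the image name and arguments are inspected, so the
    path the binary was launched from does not matter."""
    image_name = PureWindowsPath(event["image"]).name.lower()
    if image_name not in NET_BINARIES:
        return None
    # Drop the image token itself; compare the remaining arguments case-insensitively.
    args = [t.lower() for t in tokenize(event["command_line"])[1:]]
    if "accounts" not in args:  # assumed trigger subcommand
        return None
    return {
        "host": event["host"],
        "user": event["user"],
        "image": image_name,
        "parent": PureWindowsPath(event["parent_image"]).name.lower(),
        "scope": "domain" if "/domain" in args else "local",
        "command_line": event["command_line"],
    }


def detect(events):
    """Run classify() over a batch of events and keep only the matches."""
    return [m for m in (classify(e) for e in events) if m]


def collapse_net1_children(matches):
    """Suppress net1.exe matches whose parent is net.exe: the parent's own
    event already carries the same command line, so reporting both only
    duplicates the alert. A net1.exe launched directly (no net.exe parent)
    is kept, since that still indicates the same discovery."""
    return [m for m in matches
            if not (m["image"] == "net1.exe" and m["parent"] == "net.exe")]


if __name__ == "__main__":
    for m in collapse_net1_children(detect(SAMPLE_EVENTS)):
        print(f'{m["host"]} {m["user"]} [{m["scope"]}] '
              f'{m["parent"]} -> {m["image"]}: {m["command_line"]}')
```

In this batch the two `WS01` events collapse to a single domain-scoped alert and the `DC01` event is reported as a local query; the `net use` and `notepad.exe` events produce nothing. Whether the `DC01` case is worth an alert at all is the triage question the summary raises: the same command run by an administrator on a domain controller is routine, so a real deployment would enrich matches with the user and parent process (a `powershell.exe` parent under an admin account versus `cmd.exe` under a workstation user) before paging anyone.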
Categories
- Endpoint
- Windows
- Network
- Identity Management
Data Sources
- Process
- Windows Registry
- Application Log
ATT&CK Techniques
- T1201
Created: 2025-01-24