
Summary
This analytic rule detects execution of `net.exe` with arguments that query sensitive, high-privileged groups in a Windows Active Directory environment. It uses process telemetry from EDR tools, matching process names and command-line arguments against a list of known sensitive groups such as 'Domain Admins', 'Enterprise Admins', and more. This detection is critical because it surfaces reconnaissance by threat actors looking to identify accounts with elevated privileges, which could lead to further attacks against those accounts or the systems they control. Implementation requires proper ingestion of process-related telemetry and adherence to the Splunk Common Information Model to ensure accurate data handling and querying.
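The matching logic described above, as an added example that is not the rule's own Splunk search: it re-implements the check offline in Python over constructed process-creation events (`host`, `user`, process path, command line). The list of sensitive groups beyond 'Domain Admins' and 'Enterprise Admins' is an assumption, as are the sample events.

```python
"""Flag net.exe group/localgroup queries that name a sensitive AD group.

Added example, not the detection's own SPL: an offline re-implementation of the
rule's matching logic over constructed process-creation events.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed list: the page names 'Domain Admins' and 'Enterprise Admins' "and more";
# the remaining entries are common high-privilege built-in groups.
SENSITIVE_GROUPS = frozenset(g.lower() for g in (
    "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
    "Account Operators", "Backup Operators", "Server Operators",
    "Print Operators", "DnsAdmins", "Group Policy Creator Owners",
    "Domain Controllers", "Read-only Domain Controllers",
    "Enterprise Key Admins", "Key Admins", "Remote Desktop Users",
))

# Either a double-quoted run (group names with spaces) or a bare token.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record, the fields the rule needs (assumed shape)."""
    host: str
    user: str
    process_path: str
    command_line: str


def tokenize(command_line: str) -> List[str]:
    """Split a Windows command line, keeping quoted group names as one token."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(command_line)]


def queried_sensitive_group(event: ProcessEvent) -> Optional[str]:
    """Return the sensitive group named by a net.exe group/localgroup call, else None."""
    if ntpath.basename(event.process_path).lower() != "net.exe":
        return None
    tokens = tokenize(event.command_line)
    if len(tokens) < 3 or tokens[1].lower() not in ("group", "localgroup"):
        return None
    group = tokens[2]
    if group.startswith("/"):
        # 'net group /domain' lists all groups; no specific target is named.
        return None
    return group if group.lower() in SENSITIVE_GROUPS else None


def detect(events: Iterable[ProcessEvent]) -> List[dict]:
    """Run the check over a batch of events and return one finding per hit."""
    findings = []
    for ev in events:
        group = queried_sensitive_group(ev)
        if group is not None:
            findings.append({"host": ev.host, "user": ev.user,
                             "group": group, "command_line": ev.command_line})
    return findings


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "corp\\alice", r"C:\Windows\System32\net.exe",
                 'net group "Domain Admins" /domain'),
    ProcessEvent("ws02", "corp\\bob", r"C:\Windows\System32\net.exe",
                 "net localgroup administrators"),
    ProcessEvent("ws02", "corp\\bob", r"C:\Windows\System32\net.exe",
                 r"net use \\fileserver\share"),          # benign net.exe use
    ProcessEvent("ws03", "corp\\carol", r"C:\Windows\System32\notepad.exe",
                 'notepad.exe group "Domain Admins"'),      # wrong process
    ProcessEvent("ws04", "corp\\dave", r"C:\Windows\System32\NET.EXE",
                 'NET GROUP "Enterprise Admins" /DOMAIN'),  # case-insensitive match
    ProcessEvent("ws05", "corp\\erin", r"C:\Windows\System32\net.exe",
                 "net group /domain"),                      # no specific group named
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"{finding['host']} {finding['user']} queried {finding['group']!r}: "
              f"{finding['command_line']}")
```

The quoted-token handling matters in practice: `net group "Domain Admins"` only matches if the two-word name survives tokenization, and matching is case-insensitive because both the binary name and group names are case-insensitive on Windows. In the Splunk rule the same comparison is done in SPL against CIM process fields; the Python here is only for understanding and testing the logic.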
Categories
- Windows
- Endpoint
- Identity Management
Data Sources
- Windows Registry
- Process
- Application Log
ATT&CK Techniques
- T1069
- T1069.002
Created: 2025-01-13