My server has a SNOW agent installed & SIEM. We have observed suspicious activity on the Windows Database Servers

My server has a SNOW agent installed & SIEM. We have observed suspicious activity on the Windows Database Servers, where we see that the command "for /f "tokens=1,2 delims=\\" %i in ('whoami') do net localgroup "ora_dba" "%i\%j" /ADD" was executed. We observed use of the 'whoami' command and addition of "nt authority\system" to the "ora_dba" group.
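For triage, the sketch below (an added example, not part of the original post) expands the `for /f` wrapper quoted above the way cmd.exe tokenises the `whoami` output, and reports which account ends up in which local group. The event field names, the host names and the `WATCHED_GROUPS` set are assumptions; the sample events are constructed.

```python
import re

# The wrapper quoted in the post: for /f "tokens=.. delims=.." %i in ('cmd') do net localgroup "grp" "member" /ADD
PATTERN = re.compile(
    r"""for\s+/f\s+"tokens=(?P<tokens>[\d,]+)\s+delims=(?P<delims>[^"]*)"\s+"""
    r"""%(?P<var>[a-z])\s+in\s+\('(?P<inner>[^']+)'\)\s+do\s+"""
    r"""net\s+localgroup\s+"(?P<group>[^"]+)"\s+"(?P<member>[^"]+)"\s+/add""",
    re.IGNORECASE,
)
WATCHED_GROUPS = {"ora_dba", "administrators"}  # assumption: groups worth alerting on

def expand(cmdline, account):
    """Return (group, member) for a matching command line, else None.
    The member is resolved only when the inner command is whoami, whose
    output is the account the process ran as."""
    m = PATTERN.search(cmdline)
    if not m:
        return None
    member = m["member"]
    if m["inner"].strip().lower() == "whoami":
        # delims is a set of characters; runs of delimiters count as one.
        splitter = "[" + re.escape(m["delims"]) + "]+"
        fields = [f for f in re.split(splitter, account) if f] if m["delims"] else [account]
        # tokens=1,2 with %i binds token 1 to %i and token 2 to %j.
        for offset, tok in enumerate(int(t) for t in m["tokens"].split(",") if t):
            name = "%" + chr(ord(m["var"]) + offset)
            member = member.replace(name, fields[tok - 1] if tok <= len(fields) else "")
    return m["group"], member

def triage(events):
    """Return (host, group, resolved member) for each watched-group addition."""
    hits = []
    for ev in events:
        resolved = expand(ev["cmdline"], ev["user"])
        if resolved and resolved[0].lower() in WATCHED_GROUPS:
            hits.append((ev["host"], resolved[0], resolved[1]))
    return hits

# Constructed process-creation records; hosts and field names are hypothetical.
EVENTS = [
    {"host": "DBSRV01", "user": r"nt authority\system",
     "cmdline": r'''for /f "tokens=1,2 delims=\\" %i in ('whoami') do net localgroup "ora_dba" "%i\%j" /ADD'''},
    {"host": "DBSRV02", "user": r"corp\dbadmin", "cmdline": 'net localgroup "ora_dba"'},
]

if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(hit)
```

The resolved member depends only on the account the process ran as, so the parent process and the logon session for that command line are the next things to pull from the SIEM.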

