Windows Admin Share Mount Via Net.EXE

Sigma Rules

Summary
This detection rule identifies the mounting of a Windows administrative share with the Net.EXE command line tool. It triggers when net.exe or net1.exe is invoked with the 'use' verb together with a UNC path that points to an administrative share (denoted by double backslashes followed by an asterisk and a dollar sign in the rule's wildcard pattern). The rule lists 'Administrators' as a known false positive, since legitimate administrative activity produces the same command lines, so an alert needs context before it is acted on. The detection condition combines two selections: the process image must be one of the specified binaries (net.exe or net1.exe), and the command line must carry the required arguments. Together these can help security teams spot potential lateral movement by unauthorized users within a network.
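The two-part condition described above, re-implemented in Python as an added example (this is not the Sigma project's rule file, and the event shape, the `ProcessEvent` fields and the helper names are assumptions). The admin-share pattern is read here as any UNC path whose share name ends in '$', which is one way to express the page's "double backslashes, asterisk, dollar sign" wildcard; the 'Administrators' false positive is surfaced as alert context rather than used to suppress the match:

```python
"""Toy detector for the 'Windows Admin Share Mount Via Net.EXE' logic.

Added example, not the Sigma project's rule: it checks (1) that the created
process is net.exe or net1.exe and (2) that its command line carries a 'use'
verb plus a UNC path to a share ending in '$', and runs that over constructed
process-creation events.
"""
import re
from typing import NamedTuple, Optional

class ProcessEvent(NamedTuple):
    image: str          # full path of the created process (Sysmon Event ID 1 'Image' style)
    command_line: str   # its command line
    user: str = ""      # account that spawned it; only used to enrich the alert

# Assumption: the page's wildcard is read as a UNC path whose share name ends in '$'
# (C$, ADMIN$, IPC$, ...). Host and share may not contain backslashes or whitespace.
ADMIN_SHARE_RE = re.compile(r"\\\\[^\\\s]+\\[^\\\s]+\$(?=[\\\s]|$)", re.IGNORECASE)

NET_IMAGES = ("net.exe", "net1.exe")

def image_is_net(image: str) -> bool:
    """Selection on the process image: the basename must be net.exe or net1.exe."""
    basename = image.replace("/", "\\").rsplit("\\", 1)[-1]
    return basename.lower() in NET_IMAGES

def command_line_mounts_admin_share(command_line: str) -> Optional[str]:
    """Selection on the command line: a 'use' verb and an admin-share UNC path.
    Returns the matched UNC path, or None when either part is missing."""
    tokens = command_line.split()
    if not any(t.lower() == "use" for t in tokens):
        return None
    m = ADMIN_SHARE_RE.search(command_line)
    return m.group(0) if m else None

def evaluate(event: ProcessEvent, admin_accounts=frozenset()) -> Optional[dict]:
    """Both selections must hold (the rule's 'all of' condition). Whether the user is
    a known administrator is attached as context for the analyst, not as a filter."""
    if not image_is_net(event.image):
        return None
    share = command_line_mounts_admin_share(event.command_line)
    if share is None:
        return None
    return {
        "rule": "Windows Admin Share Mount Via Net.EXE",
        "image": event.image,
        "share": share,
        "user": event.user,
        "known_admin": event.user.lower() in {a.lower() for a in admin_accounts},
    }

def scan(events, admin_accounts=frozenset()):
    """Return one alert dict per matching event, in input order."""
    return [a for a in (evaluate(e, admin_accounts) for e in events) if a]

# Constructed sample events (not real telemetry). Only the first two should alert:
# the third mounts a non-admin share, the fourth lacks 'use', and the fifth is the
# cmd.exe parent, which would spawn its own net.exe event in a real log.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\net.exe", r"net use \\10.0.0.5\C$ /user:CORP\svc-backup", "CORP\\svc-backup"),
    ProcessEvent(r"C:\Windows\System32\net1.exe", r"net1 use Z: \\fileserver\ADMIN$", "CORP\\jdoe"),
    ProcessEvent(r"C:\Windows\System32\net.exe", r"net use \\fileserver\Public", "CORP\\jdoe"),
    ProcessEvent(r"C:\Windows\System32\net.exe", r"net view \\fileserver", "CORP\\jdoe"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"cmd /c net use \\10.0.0.5\C$", "CORP\\jdoe"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS, admin_accounts={"CORP\\svc-backup"}):
        print(alert)
```

The `known_admin` field is where the rule's 'Administrators' false positive lands: the first sample event alerts but is tagged as coming from a listed administrative account, so a triage workflow can prioritise the second event (an unlisted user mounting ADMIN$) without silently dropping the first.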
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Command
Created: 2020-10-05