
Create or delete windows shares using net exe

Splunk Security Content

Summary
This analytic rule detects the creation or deletion of Windows shares via the 'net.exe' command, using endpoint telemetry from Sysmon and Windows event logs. It keys on process-creation events (Event ID 4688) and inspects command-line arguments specific to share handling (e.g., 'share /delete' or '/REMARK:'). Such activity can indicate attackers modifying network share configurations for data exfiltration, lateral movement, or persistence. Detected occurrences should be investigated promptly to assess the legitimacy of the action and to mitigate the associated risk.
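As an added example (not Splunk's content and not this rule's SPL), the same logic applied in Python to a handful of constructed Event ID 4688 records: it keeps only net.exe/net1.exe process-creation events whose command line is a 'share' subcommand and labels each as a share creation or deletion. Field names and sample values are assumptions, not real telemetry.

```python
# Constructed sample process-creation events. The field names are an
# assumption loosely modelled on Security Event ID 4688; not real logs.
SAMPLE_EVENTS = [
    {"EventID": 4688, "host": "WS01", "user": "CORP\\alice",
     "process": "C:\\Windows\\System32\\net.exe",
     "cmdline": 'net share Staging=C:\\Staging /GRANT:Everyone,FULL /REMARK:"temp"'},
    {"EventID": 4688, "host": "WS01", "user": "CORP\\alice",
     "process": "C:\\Windows\\System32\\net1.exe",
     "cmdline": "net1 share Staging /delete"},
    {"EventID": 4688, "host": "WS02", "user": "CORP\\bob",
     "process": "C:\\Windows\\System32\\net.exe",
     "cmdline": "net use Z: \\\\fileserver\\docs"},   # not a share command
    {"EventID": 4688, "host": "WS02", "user": "CORP\\bob",
     "process": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe share.txt"},             # wrong binary
]

# net.exe hands most subcommands to net1.exe, so both binaries are watched.
NET_BINARIES = ("net.exe", "net1.exe")


def classify_share_command(cmdline):
    """Return 'create', 'delete' or None for a net/net1 command line."""
    argv = cmdline.split()
    if len(argv) < 2 or argv[1].lower() != "share":
        return None
    opts = [a.lower() for a in argv[2:]]
    if "/delete" in opts:                       # 'net share <name> /delete'
        return "delete"
    # Creation: 'sharename=drive:path' argument, or the /REMARK: switch
    if any("=" in a and not a.startswith("/") for a in opts) or \
            any(a.startswith("/remark:") for a in opts):
        return "create"
    return None


def detect_share_events(events):
    """Filter process-creation events to net.exe share create/delete hits."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        exe = ev["process"].rsplit("\\", 1)[-1].lower()
        if exe not in NET_BINARIES:
            continue
        action = classify_share_command(ev["cmdline"])
        if action is not None:
            hits.append({"host": ev["host"], "user": ev["user"],
                         "action": action, "cmdline": ev["cmdline"]})
    return hits
```

Each hit carries host, user and the full command line, which is what an analyst needs to decide whether the share change was administrative or something to escalate.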
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
ATT&CK Techniques
  • T1070
  • T1070.005
Created: 2024-12-12