Windows Admin$ Share Access

Anvilogic Forge

Summary
This detection rule monitors access to hidden network shares on Windows systems, specifically the administrative shares ADMIN$, C$, and IPC$. These shares are normally accessible only to administrators, so threat actors holding administrator-level credentials can abuse them for unauthorized actions or lateral movement within the network. When a remote file copy or administrative function is attempted, the corresponding System Monitor (Sysmon) event codes are logged, and the rule's logic uses those event codes to identify access or object calls made to these hidden shares. Such access can indicate malicious activity in which an attacker uses the shares to read sensitive system files or manage files remotely. The detection maps to several atomic tests aligned with lateral movement tactics, particularly over the SMB protocol, and is linked to notable threat actors and malware families known to use the same technique. The general alert this rule produces can be refined by correlating it with user account activity and process information, which helps separate genuine administrative access from potential intrusions.
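The core of the logic described above, as an added example that is not the Anvilogic rule itself: it flags share-access records whose target is ADMIN$, IPC$ or any drive-letter share such as C$, then groups the hits by account and source address so a triager can see one source fanning out across many hosts. The input records are constructed, and the field names (ShareName, SubjectUserName, IpAddress, Computer) are assumptions rather than a specific product schema.

```python
import re
from collections import defaultdict

# Constructed sample share-access records; field names are assumptions.
SAMPLE_EVENTS = [
    {"Computer": "srv01", "ShareName": r"\\*\ADMIN$", "SubjectUserName": "svc_deploy", "IpAddress": "10.0.0.5"},
    {"Computer": "srv02", "ShareName": r"\\*\C$",     "SubjectUserName": "svc_deploy", "IpAddress": "10.0.0.5"},
    {"Computer": "srv03", "ShareName": r"\\*\IPC$",   "SubjectUserName": "svc_deploy", "IpAddress": "10.0.0.5"},
    {"Computer": "fs01",  "ShareName": r"\\*\Public", "SubjectUserName": "alice",      "IpAddress": "10.0.1.7"},
    {"Computer": "srv01", "ShareName": r"\\*\ADMIN$", "SubjectUserName": "bob",        "IpAddress": "10.0.1.9"},
]

# Matches ADMIN$, IPC$ and any single-drive-letter share (C$, D$, ...),
# whether the name is bare ("C$") or a UNC-style path ("\\*\C$").
HIDDEN_SHARE = re.compile(r"(?:^|\\)(?:[A-Za-z]|ADMIN|IPC)\$$", re.IGNORECASE)


def is_hidden_admin_share(share_name):
    """True when the share name is one of the hidden administrative shares."""
    return HIDDEN_SHARE.search(share_name) is not None


def match_hidden_share_access(events):
    """Return only the records that touch a hidden administrative share."""
    return [e for e in events if is_hidden_admin_share(e["ShareName"])]


def summarize_by_account(matches, fanout_threshold=3):
    """Group hits by (account, source IP) and flag sources that reached at
    least fanout_threshold distinct hosts via hidden shares, the correlation
    step the rule summary suggests for separating routine admin use from
    lateral-movement-like behaviour."""
    hosts = defaultdict(set)
    for e in matches:
        hosts[(e["SubjectUserName"], e["IpAddress"])].add(e["Computer"])
    return {
        key: {"hosts": sorted(h), "fanout": len(h) >= fanout_threshold}
        for key, h in hosts.items()
    }


if __name__ == "__main__":
    for key, info in summarize_by_account(match_hidden_share_access(SAMPLE_EVENTS)).items():
        print(key, info)
```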
Categories
  • Windows
  • Network
Data Sources
  • Windows Registry
  • Logon Session
  • Process
ATT&CK Techniques
  • T1021.002
Created: 2024-02-09