
Network Share_Connection Added

Anvilogic Forge

Summary
This detection rule identifies Windows process executions that add a network share or an SMB connection with the built-in net utility. It matches process command lines against regular expressions for 'net share' (which creates or modifies a share on the local host) and 'net use' (which maps a remote share over the Server Message Block protocol), and excludes invocations that delete a share or connection. Threat actors such as APT28 (Fancy Bear) and Mustang Panda have used this behaviour with valid accounts to establish remote connections for lateral movement within a network. The detection logic runs in Snowflake against CrowdStrike EDR process logs and queries only the last two hours of activity, so it can be scheduled for near-real-time monitoring.
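The following is an added example, not Anvilogic's rule or its Snowflake query, showing the summary's logic run over constructed process events: a regex for 'net share' / 'net use', an exclusion for delete commands, and a two-hour lookback window. The 'net1' and 'net.exe' spellings, the field names, and the sample events are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# 'net share' creates (or lists) shares on the local host; 'net use' maps (or
# lists) SMB connections. Accepting the net1 / net.exe spellings is an
# assumption added here; the page itself only names 'net share' and 'net use'.
ADD_RE = re.compile(r"(?i)(?:^|[\s\\\"'])net1?(?:\.exe)?\s+(share|use)\b")
# /delete (or its abbreviations /del and /d) removes a share or connection;
# those invocations are excluded, as the rule description states.
DELETE_RE = re.compile(r"(?i)(?:^|\s)/d(?:el(?:ete)?)?(?:\s|$)")


def classify(cmdline: str):
    """Return 'share' or 'use' when the command adds a share/connection, else None."""
    m = ADD_RE.search(cmdline)
    if not m or DELETE_RE.search(cmdline):
        return None
    return m.group(1).lower()


def detect(events, now, window=timedelta(hours=2)):
    """Mimic one scheduled run of the rule: look back `window` from `now` and
    return an alert for every process event that adds a share or connection."""
    cutoff = now - window
    alerts = []
    for ev in events:
        if ev["timestamp"] < cutoff:
            continue
        verb = classify(ev["cmdline"])
        if verb is None:
            continue
        alerts.append({"host": ev["host"], "user": ev["user"],
                       "verb": verb, "cmdline": ev["cmdline"]})
    return alerts


# Reference "now" for the lookback window (assumed value for the example).
NOW = datetime(2024, 2, 9, 12, 0, tzinfo=timezone.utc)


def _ev(minutes_ago, host, user, cmdline):
    return {"timestamp": NOW - timedelta(minutes=minutes_ago),
            "host": host, "user": user, "cmdline": cmdline}


# Constructed process events; these are not real CrowdStrike telemetry.
SAMPLE_EVENTS = [
    _ev(30, "WS01", "CORP\\jdoe", r"net use Z: \\fileserver\finance /user:corp\svc_backup Summer2024!"),
    _ev(10, "SRV02", "CORP\\admin", r"net share data=C:\data /grant:everyone,full"),
    _ev(8, "WS01", "CORP\\jdoe", r"net use Z: /delete"),            # delete: excluded
    _ev(7, "SRV02", "CORP\\admin", r"net share data /delete"),       # delete: excluded
    _ev(5, "WS03", "CORP\\svc_web", r"cmd.exe /c net1 use \\10.0.0.5\C$ /user:administrator Hunter2"),
    _ev(300, "WS04", "CORP\\asmith", r"net use Y: \\fileserver\hr"),  # older than 2h: skipped
    _ev(2, "WS05", "CORP\\bjones", r"netsh advfirewall set allprofiles state off"),  # no match
    _ev(1, "WS05", "CORP\\bjones", r"net user backdoor P@ssw0rd /add"),              # 'net user' != 'net use'
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, NOW):
        print(f"{a['host']} {a['user']} net {a['verb']}: {a['cmdline']}")
```

Running the block alerts on three of the eight events (the two mappings and the local share creation) and drops the two deletions, the stale event, and the look-alike commands. A bare `net use` or `net share` with no arguments only lists existing connections or shares; it would still match here, as the page does not say the rule excludes it, so a tuned version would require an argument after the verb.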
Categories
  • Network
  • Endpoint
  • Windows
Data Sources
  • Process
ATT&CK Techniques
  • T1070.005
  • T1021.002
  • T1039
Created: 2024-02-09