Unmount Share Via Net.EXE

Sigma Rules

Summary
The Sigma rule 'Unmount Share Via Net.EXE' detects the removal of network shares on Windows hosts, which may indicate an adversary cleaning up after staging or exfiltration to reduce the traces left behind (ATT&CK T1070.005, Indicator Removal: Network Share Connection Removal). It monitors process creation events in which the image is 'net.exe' or 'net1.exe' and the command line contains 'share' together with '/delete', as in 'net share <name> /delete'. The rule itself cannot tell administrative use from malicious use: administrators and power users remove shares from the command line as part of routine work, so every alert must be correlated with context such as the executing user, the host, the share name and the activity that preceded it. Because the match is on the image name and command-line substrings, the same action taken through other tooling (for example the Remove-SmbShare PowerShell cmdlet, which runs under powershell.exe) does not trigger it. The severity is low: the rule is a useful signal, but further validation is required before acting on an alert.
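To make the match logic concrete, the following added example re-implements the detection described above in Python and runs it over a handful of constructed process-creation events. It is not the rule's own YAML or any SIEM's code; the field names Image and CommandLine follow the Sysmon/Sigma process_creation convention, the two substrings are the ones the summary describes, and the sample events are invented for this illustration. Sigma string modifiers are case-insensitive, so the comparison lowers both sides.

```python
"""Illustrative matcher for 'Unmount Share Via Net.EXE' (added example, not the rule itself)."""
import ntpath

# Images the rule is interested in (compared on the file name only).
IMAGES = ("net.exe", "net1.exe")
# Command-line substrings the summary describes; both must be present.
TOKENS = (" share ", " /delete")


def matches(event: dict) -> bool:
    """Return True when a process_creation event triggers the rule.

    ntpath.basename handles backslash paths even when run on Linux, and
    lowering both sides mirrors Sigma's case-insensitive string matching.
    """
    image = ntpath.basename(event.get("Image", "")).lower()
    cmd = event.get("CommandLine", "").lower()
    return image in IMAGES and all(tok in cmd for tok in TOKENS)


def triage(events):
    """Return the events that fire, so an analyst can correlate them with context."""
    return [e for e in events if matches(e)]


# Constructed sample telemetry (hypothetical hosts, users and share names).
SAMPLE_EVENTS = [
    # Fires: textbook cleanup of a share after staging.
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net share staging /delete", "User": r"CORP\svc-backup"},
    # Fires: net1.exe is the worker net.exe spawns; mixed case and extra spaces.
    {"Image": r"C:\Windows\System32\net1.exe",
     "CommandLine": r"C:\Windows\system32\net1 share  dropzone /DELETE /y",
     "User": r"CORP\jdoe"},
    # Does not fire: creating a share, no /delete.
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net share staging=C:\Staging", "User": r"CORP\jdoe"},
    # Does not fire: disconnecting a mapped drive uses 'use', not 'share',
    # so the substrings used here do not cover it.
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net use Z: /delete", "User": r"CORP\jdoe"},
    # Does not fire: same outcome via PowerShell, but a different image.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Remove-SmbShare -Name staging -Force",
     "User": r"CORP\jdoe"},
    # Does not fire: a renamed copy of net.exe evades an Image-only check;
    # a production rule would also compare Sysmon's OriginalFileName field.
    {"Image": r"C:\Users\Public\n.exe",
     "CommandLine": "n share staging /delete", "User": r"CORP\jdoe"},
]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"ALERT user={hit['User']} cmd={hit['CommandLine']!r}")
```

The last two sample events show the two gaps worth remembering when triaging: the rule is scoped to the net.exe/net1.exe images, so a renamed binary or a PowerShell cmdlet produces no alert, and a hit only tells you that a share was removed, not why, so the user, host and preceding activity decide whether it matters.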
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
ATT&CK Techniques
  • T1070.005
Created: 2020-10-08