
Summary
This detection rule identifies the use of the `net.exe` command-line utility, which is commonly used on Windows systems to manage network resources and connections. The primary purpose of this rule is to detect adversaries attempting to enumerate network connections to and from compromised systems. The detection logic consists of two parts: first, it looks for process creations involving `net.exe` or `net1.exe`; second, it checks for command-line arguments associated with common network connection queries, such as `use` or `sessions`. Only when both conditions are met does the rule flag potential discovery activity that could signal malicious behavior. The rule also notes that false positives are possible, since legitimate administrative tasks use the same commands, and its overall level is low, reflecting how frequently these commands appear in benign use.
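As an added example (not the rule's own code), the two-part logic described above run over a few constructed process-creation records; the `Image` and `CommandLine` field names are assumed from Sysmon Event ID 1, and the third record shows the benign administrative use the rule warns will also fire.

```python
import ntpath
from typing import Iterable

# Field names follow Sysmon Event ID 1 (assumption: any process-creation
# source that records an image path and a command line will do).
NET_IMAGES = {"net.exe", "net1.exe"}
NET_CONNECTION_SUBCOMMANDS = {"use", "sessions"}  # the arguments the rule names


def _argv(command_line: str) -> list[str]:
    """Crude Windows command-line tokeniser: split on whitespace, drop
    surrounding double quotes, lower-case. Adequate for net.exe, whose
    arguments rarely contain quoted spaces."""
    return [tok.strip('"').lower() for tok in command_line.split() if tok.strip('"')]


def matches_rule(event: dict) -> bool:
    """Part 1: the created process is net.exe or net1.exe (net.exe hands most
    subcommands to net1.exe, so both images are covered).
    Part 2: an argument after the program name is 'use' or 'sessions'.
    Both parts must hold for the rule to fire."""
    image = ntpath.basename(event.get("Image", "")).lower()
    if image not in NET_IMAGES:
        return False
    args = _argv(event.get("CommandLine", ""))[1:]  # argv[0] is the program
    return any(arg in NET_CONNECTION_SUBCOMMANDS for arg in args)


def run_detection(events: Iterable[dict]) -> list[str]:
    """Return the command line of every event that triggers the rule."""
    return [e["CommandLine"] for e in events if matches_rule(e)]


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net use"},                          # lists current connections
    {"Image": r"C:\Windows\System32\net1.exe",
     "CommandLine": r"C:\Windows\system32\net1 sessions"},
    {"Image": r"C:\Windows\System32\net.exe",            # admin mapping a drive (false positive):
     "CommandLine": r'"C:\Windows\System32\net.exe" USE Z: \\srv\share /persistent:no'},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user administrator"},           # account discovery, not this rule
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c net use"},                   # parent shell; the rule fires on the child net.exe
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT T1049:", hit)
```

The third record fires just like the first two, which is why the rule's level is low and analysts should review the user, parent process and target host before escalating.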
Categories
- Endpoint
- Windows
Data Sources
- Process
ATT&CK Techniques
- T1049
Created: 2021-12-10