
Mounting Hidden or WebDav Remote Shares

Elastic Detection Rules

Summary
This detection rule identifies the use of net.exe to mount WebDav or hidden remote shares on Windows systems, which may indicate lateral movement or preparation for data exfiltration by adversaries. The rule captures process events where the process name is net.exe or net1.exe (net1.exe is excluded when it runs as a child process of net.exe) and checks for command arguments that match hidden or WebDav shares. The rule is written in EQL (Event Query Language), which analyzes process events and flags activity matching these command patterns while excluding typical benign operations such as share deletions. It is intended as part of a broader security strategy to prevent lateral movement in Windows environments. To be effective, the rule requires data from security sources including endpoint logs, Windows logs via Winlogbeat, and Sysmon operational logs.
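The following is an added example, not the rule's own EQL query and not code from Elastic: a small Python re-implementation of the matching logic the summary describes, run over a handful of constructed process events. The ECS-style field names (process.name, process.parent.name, process.args), the assumption that a mount is a `net use` invocation, the share patterns (a `$`-suffixed share name for hidden shares, an `@SSL` host suffix or `http` URL for WebDav) and the `/d`-prefixed argument used to recognise share deletions are all assumptions made for the example, chosen to mirror common `net use` syntax rather than taken from the page.

```python
"""Added example: detection logic for hidden/WebDav share mounts via net.exe.

Field names and share patterns are assumptions for illustration; this is not
the Elastic rule's EQL query.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcessEvent:
    """Minimal stand-in for an ECS process event (assumed field layout)."""
    name: str                        # process.name
    args: List[str]                  # process.args
    parent_name: Optional[str] = None  # process.parent.name
    event_type: str = "start"        # event.type


def is_hidden_share(arg: str) -> bool:
    """UNC path whose share (or any path component) ends in '$', e.g. \\\\host\\c$."""
    if not arg.startswith("\\\\"):
        return False
    return any(part.endswith("$") for part in arg.split("\\") if part)


def is_webdav_share(arg: str) -> bool:
    """WebDav target: \\\\host@SSL\\... UNC form or an http(s) URL (assumed forms)."""
    lowered = arg.lower()
    if lowered.startswith("\\\\") and "@ssl" in lowered:
        return True
    return lowered.startswith("http")


def is_suspicious_mount(ev: ProcessEvent) -> bool:
    """Return True when the event looks like net.exe mounting a hidden/WebDav share."""
    if ev.event_type != "start":
        return False
    name = ev.name.lower()
    if name == "net1.exe":
        # net.exe hands the real work to net1.exe; the parent event already
        # carries the same command line, so skip the child to avoid a duplicate.
        if (ev.parent_name or "").lower() == "net.exe":
            return False
    elif name != "net.exe":
        return False

    args = ev.args
    # Assumption: a mount is a "net use" invocation.
    if not any(a.lower() == "use" for a in args):
        return False
    # Exclude share deletions (net use ... /delete or /d), which are benign housekeeping.
    if any(a.lower().startswith("/d") for a in args):
        return False
    return any(is_hidden_share(a) or is_webdav_share(a) for a in args)


def find_suspicious(events: List[ProcessEvent]) -> List[ProcessEvent]:
    return [ev for ev in events if is_suspicious_mount(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("net.exe", ["net", "use", "Z:", r"\\fileserver\c$", r"/user:corp\svc"]),
    ProcessEvent("net1.exe", ["net1", "use", "Z:", r"\\fileserver\c$"], parent_name="net.exe"),
    ProcessEvent("net.exe", ["net", "use", "W:", r"\\fileserver\c$", "/delete"]),
    ProcessEvent("net.exe", ["net", "use", "X:", r"\\fileserver\shared"]),
    ProcessEvent("net1.exe", ["net1", "use", r"\\files.example.com@SSL\DavWWWRoot"],
                 parent_name="cmd.exe"),
    ProcessEvent("net.exe", ["net", "use", "Y:", "https://files.example.com/share"]),
]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT {hit.name} (parent={hit.parent_name}): {' '.join(hit.args)}")
```

Of the six constructed events, three are flagged: the `c$` admin share mount, the `@SSL` WebDav mount launched by net1.exe from cmd.exe, and the `https://` mount. The duplicate net1.exe child of net.exe, the `/delete` call and the ordinary `\\fileserver\shared` mount are not, which mirrors the exclusions the summary describes.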
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Logon Session
  • Application Log
  • Network Share
  • Scheduled Job
ATT&CK Techniques
  • T1021
  • T1021.002
  • T1078
  • T1078.003
  • T1087
  • T1087.001
  • T1087.002
Created: 2020-11-02