Access To ADMIN$ Network Share

Sigma Rules

Summary
The rule "Access To ADMIN$ Network Share" detects potentially unauthorized access attempts to the ADMIN$ network share in Windows environments. ADMIN$ is a hidden administrative share that maps to the Windows installation directory and therefore exposes operating system files over the network. Access to this share can be a sign of lateral movement, where an attacker who already holds administrative privileges uses it to reach and operate on other machines in the network. Detection is based on Windows Security EventID 5140, which records attempts to access a network share object. For the rule to work, the advanced audit policy setting 'Object Access > Audit File Share' must be enabled; with it enabled, both successful and failed access attempts are logged. The rule filters out activity initiated by computer accounts (whose names end with a '$'), so that it focuses on user-driven access, which is more often suspicious. Although the rule is classified as low level, it belongs in a comprehensive security monitoring strategy because of what access to administrative shares implies.
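The selection and filter logic described above, applied to a few constructed Security log events, as an added illustration that is not part of the Sigma rule or this page. The field names (EventID, ShareName, SubjectUserName, IpAddress) follow the data fields of Windows event 5140; the sample events are constructed, not real telemetry.

```python
"""Added example: evaluate the ADMIN$ share-access detection over constructed
Windows Security event 5140 records (dicts keyed by the event's data fields)."""


def is_admin_share_access(event: dict) -> bool:
    """Return True when an event matches the rule's selection and survives its filter.

    Selection: Security EventID 5140 whose ShareName ends with '\\ADMIN$'.
    Filter:    drop events whose SubjectUserName ends with '$' (computer accounts).
    Both success and failure audits match, since the rule does not test the
    event's audit outcome; matching is case-insensitive, as in Sigma.
    """
    if event.get("Channel", "Security") != "Security":
        return False
    if int(event.get("EventID", 0)) != 5140:
        return False
    share = str(event.get("ShareName", "")).upper()
    if not share.endswith("\\ADMIN$"):
        return False
    subject = str(event.get("SubjectUserName", ""))
    return not subject.endswith("$")


def find_admin_share_access(events):
    """Return the subset of events that the rule would alert on."""
    return [e for e in events if is_admin_share_access(e)]


# Constructed sample events (not real telemetry); hostnames and IPs are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 5140, "ShareName": r"\\*\ADMIN$", "SubjectUserName": "jdoe",
     "IpAddress": "10.0.0.5", "Keywords": "Audit Success"},       # user account: alert
    {"EventID": 5140, "ShareName": r"\\*\ADMIN$", "SubjectUserName": "WS02$",
     "IpAddress": "10.0.0.7", "Keywords": "Audit Success"},       # computer account: filtered
    {"EventID": 5140, "ShareName": r"\\*\C$", "SubjectUserName": "jdoe",
     "IpAddress": "10.0.0.5", "Keywords": "Audit Success"},       # other share: no match
    {"EventID": 5145, "ShareName": r"\\*\ADMIN$", "SubjectUserName": "jdoe",
     "IpAddress": "10.0.0.5", "Keywords": "Audit Success"},       # wrong EventID: no match
    {"EventID": 5140, "ShareName": r"\\*\admin$", "SubjectUserName": "svc_backup",
     "IpAddress": "10.0.0.9", "Keywords": "Audit Failure"},       # failed attempt still alerts
]

if __name__ == "__main__":
    for hit in find_admin_share_access(SAMPLE_EVENTS):
        print(f"ALERT: {hit['SubjectUserName']} from {hit['IpAddress']} -> {hit['ShareName']}")
```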
Categories
  • Network
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Network Share
  • Logon Session
Created: 2017-03-04