Windows C$ Share Access

Anvilogic Forge

Summary
This detection rule identifies access to the hidden administrative network shares on Windows hosts, specifically C$, ADMIN$ and IPC$. These shares exist for system administrators, but an attacker holding valid credentials can use them over SMB to copy files onto a remote host and drive other administrative functions there, which is why they feature in the tradecraft of groups such as APT29 and APT31 and in the tooling those groups use. The rule monitors network share object access events in the Windows Security event log and uses Splunk's search language to filter for the event codes that indicate one of these shares was accessed. Because the same shares are used legitimately by administrators and management tools, the rule is most useful once known administrative sources have been baselined or excluded; what remains is an early indicator of lateral movement (Remote Services: SMB/Windows Admin Shares, T1021.002) and is worth investigating before the compromise spreads.
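The following is an added example, not the Anvilogic rule itself or its Splunk search: it replays the rule's logic in Python over constructed Windows Security event-log records so the filtering can be seen end to end. It assumes events arrive as dictionaries keyed by the field names Windows uses for event IDs 5140 ("A network share object was accessed") and 5145 ("A network share object was checked to see whether client can be granted desired access"), with ShareName in the \\*\C$ form the Security log writes. The sample events, the allowlist of admin jump hosts and the set of "suspicious" named pipes are illustrative choices made here, not part of the rule.

```python
"""Added example: replay the hidden-share detection over constructed
Windows Security events (IDs 5140 and 5145). Sample data is made up."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

HIDDEN_SHARES = {"C$", "ADMIN$", "IPC$"}

# Named pipes reached through IPC$ that precede remote execution or service
# control (svcctl is the Service Control Manager pipe PsExec-style tools use,
# atsvc the Task Scheduler, winreg the remote registry). Bare IPC$ access
# without one of these is routine SMB session setup and is left unflagged;
# this pipe list is an illustrative tuning choice, not the rule's own.
SUSPICIOUS_PIPES = {"svcctl", "atsvc", "winreg"}

# Windows logs ShareName as \\*\C$ (backslash, backslash, star, backslash, name).
SHARE_RE = re.compile(r"^\\\\\*\\([^\\]+)$")


@dataclass(frozen=True)
class Finding:
    event_code: int
    source_ip: str
    user: str
    share: str
    detail: str


def parse_share(share_name: str) -> Optional[str]:
    """Return the bare share name (e.g. 'C$') from a ShareName field, or None."""
    m = SHARE_RE.match(share_name or "")
    return m.group(1).upper() if m else None


def evaluate(event: Dict[str, object], allowlist: Iterable[str]) -> Optional[Finding]:
    """Apply the rule to one event; return a Finding or None."""
    try:
        code = int(event.get("EventCode", 0))
    except (TypeError, ValueError):
        return None
    if code not in (5140, 5145):
        return None
    share = parse_share(str(event.get("ShareName", "")))
    if share not in HIDDEN_SHARES:
        return None
    src = str(event.get("IpAddress", ""))
    # Loopback access and known admin jump hosts are expected noise; the
    # allowlist is where a team encodes its own baseline (assumed here).
    if src in {"127.0.0.1", "::1", "-"} or src in set(allowlist):
        return None
    user = f'{event.get("SubjectDomainName", "")}\\{event.get("SubjectUserName", "")}'
    if share == "IPC$":
        pipe = str(event.get("RelativeTargetName", "")).lower()
        if pipe not in SUSPICIOUS_PIPES:
            return None
        return Finding(code, src, user, share, f"named pipe {pipe}")
    detail = str(event.get("RelativeTargetName") or event.get("AccessList", ""))
    return Finding(code, src, user, share, detail)


def run_detection(events: Iterable[Dict[str, object]], allowlist: Iterable[str] = ()) -> List[Finding]:
    """Run the rule over a stream of events and keep only the hits."""
    return [f for f in (evaluate(e, allowlist) for e in events) if f is not None]


def by_source(findings: Iterable[Finding]) -> Dict[str, List[Finding]]:
    """Group findings per client IP, the natural pivot when hunting lateral movement."""
    grouped: Dict[str, List[Finding]] = {}
    for f in findings:
        grouped.setdefault(f.source_ip, []).append(f)
    return grouped


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # Admin jump host reading C$: allowlisted below, so suppressed.
    {"EventCode": 5140, "SubjectDomainName": "CORP", "SubjectUserName": "admin-ops",
     "IpAddress": "10.0.0.5", "ShareName": r"\\*\C$", "AccessList": "ReadData"},
    # Workstation user writing to ADMIN$ on a server: remote file copy staging.
    {"EventCode": 5140, "SubjectDomainName": "CORP", "SubjectUserName": "jsmith",
     "IpAddress": "10.0.3.77", "ShareName": r"\\*\ADMIN$", "AccessList": "WriteData"},
    # Same source then opens the svcctl pipe over IPC$ (remote service control).
    {"EventCode": 5145, "SubjectDomainName": "CORP", "SubjectUserName": "jsmith",
     "IpAddress": "10.0.3.77", "ShareName": r"\\*\IPC$", "RelativeTargetName": "svcctl"},
    # Routine share enumeration over IPC$: noise, not flagged.
    {"EventCode": 5145, "SubjectDomainName": "CORP", "SubjectUserName": "bjones",
     "IpAddress": "10.0.4.12", "ShareName": r"\\*\IPC$", "RelativeTargetName": "srvsvc"},
    # Ordinary data share: not a hidden administrative share.
    {"EventCode": 5140, "SubjectDomainName": "CORP", "SubjectUserName": "bjones",
     "IpAddress": "10.0.4.12", "ShareName": r"\\*\Public", "AccessList": "ReadData"},
    # Unrelated logon event: wrong event code.
    {"EventCode": 4624, "SubjectUserName": "jsmith", "IpAddress": "10.0.3.77"},
]
ADMIN_JUMP_HOSTS = ("10.0.0.5",)  # assumed baseline of known admin sources

if __name__ == "__main__":
    for src, hits in by_source(run_detection(SAMPLE_EVENTS, ADMIN_JUMP_HOSTS)).items():
        print(src, [(h.event_code, h.share, h.detail) for h in hits])
```

Two operational notes: event 5140 is only written when the "Audit File Share" subcategory is enabled and 5145 when "Audit Detailed File Share" is, so confirm the advanced audit policy on the monitored hosts before relying on either; and 5145 is very high volume on file servers, which is why the example only keeps IPC$ hits that name a sensitive pipe rather than every IPC$ touch.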
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Logon Session
  • Process
  • Network Traffic
ATT&CK Techniques
  • T1021.002
Created: 2024-02-09