
Summary
This rule detects SMB (Server Message Block) write access attempts on administrative shares in Windows environments. Administrative shares are special network shares that give privileged users remote access to system resources; they are intended for administrative use and are normally hidden from standard users (indicated by a $ sign at the end of the share name). Threat actors often abuse SMB for lateral movement within a network. The rule specifically targets SMB access attempts with a write access mask (0x2) from non-system accounts, identifying potentially unauthorized activity aimed at sensitive administrative shares such as NETLOGON or SYSVOL. The detection logic uses Windows Event IDs 5145 and 5140, matching specific patterns of access attempts and filtering out legitimate service accounts, which strengthens monitoring against lateral movement tactics.
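As an added example, not part of the rule page itself, the following Python applies the selection described above (Event ID 5145 or 5140, a hidden share, the 0x2 write bit in the access mask, a non-system account) to constructed Security log events. The write bit is tested arithmetically rather than by substring so that composite masks such as 0x12019f are caught; the specific account-exclusion list is an assumption.

```python
"""Evaluate the admin-share write-access logic over constructed Windows events."""

WRITE_DATA = 0x2  # FILE_WRITE_DATA / FILE_ADD_FILE bit of the AccessMask field

# Constructed sample events (not real log data); field names follow the
# Windows Security log fields used by Event IDs 5145 and 5140.
SAMPLE_EVENTS = [
    {"EventID": 5145, "SubjectUserName": "jdoe", "ShareName": r"\\*\ADMIN$",
     "RelativeTargetName": "svc.exe", "AccessMask": "0x2", "IpAddress": "10.0.0.5"},
    {"EventID": 5145, "SubjectUserName": "jdoe", "ShareName": r"\\*\ADMIN$",
     "RelativeTargetName": "x.txt", "AccessMask": "0x80", "IpAddress": "10.0.0.5"},
    {"EventID": 5145, "SubjectUserName": "WS01$", "ShareName": r"\\*\SYSVOL",
     "RelativeTargetName": "gpt.ini", "AccessMask": "0x2", "IpAddress": "10.0.0.7"},
    {"EventID": 5140, "SubjectUserName": "admin", "ShareName": r"\\*\C$",
     "AccessMask": "0x12019f", "IpAddress": "10.0.0.9"},
    {"EventID": 5145, "SubjectUserName": "jdoe", "ShareName": r"\\*\Public",
     "RelativeTargetName": "notes.txt", "AccessMask": "0x2", "IpAddress": "10.0.0.5"},
]


def has_write_access(mask: str) -> bool:
    """True if the hex AccessMask string has the 0x2 write bit set."""
    return int(str(mask), 16) & WRITE_DATA != 0


def is_admin_share(share: str) -> bool:
    """Hidden ($-suffixed) shares plus the NETLOGON/SYSVOL shares named on the page."""
    name = share.rsplit("\\", 1)[-1]
    return name.endswith("$") or name.upper() in {"NETLOGON", "SYSVOL"}


def is_system_or_service_account(user: str) -> bool:
    """Assumed exclusion: machine accounts (HOST$) and built-in system principals."""
    return user.endswith("$") or user.upper() in {"SYSTEM", "ANONYMOUS LOGON"}


def matches(event: dict) -> bool:
    """Apply all four conditions of the described rule to one event."""
    return (event.get("EventID") in (5145, 5140)
            and is_admin_share(event.get("ShareName", ""))
            and has_write_access(event.get("AccessMask", "0x0"))
            and not is_system_or_service_account(event.get("SubjectUserName", "")))


def detect(events: list) -> list:
    """Return the events that would trigger the rule."""
    return [e for e in events if matches(e)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["EventID"], hit["SubjectUserName"], hit["ShareName"], hit["AccessMask"])
```

Only the ADMIN$ write by jdoe and the C$ access with a composite mask containing the write bit fire; the read-only 0x80 access, the machine account on SYSVOL, and the non-administrative Public share are all dropped.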
Categories
- Windows
- Network
Data Sources
- Windows Registry
- Network Traffic
- Process
- Application Log
ATT&CK Techniques
- T1021.002
Created: 2024-02-09