
Summary
This detection rule monitors registry changes that stop Windows from creating its default administrative shares. Administrative shares such as C$ and ADMIN$ are created automatically at startup by the Server (LanmanServer) service and let members of the local Administrators group reach a host's file system remotely over SMB. Windows recreates them on every boot unless the DWORD value AutoShareWks (workstations) or AutoShareServer (servers) under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\ is set to 0. The rule fires on a registry value-set event in which either of these values is written as 0, which disables automatic share creation from the next restart. It is mapped to T1070.005 (Indicator Removal: Network Share Connection Removal) because an adversary who no longer needs the shares may disable them to clean up traces of their operation or to hinder remote administration and investigation of the host. The same change is also made deliberately by some hardening baselines, so tune the rule on the writing process (reg.exe, PowerShell, a configuration-management agent) and the account, and investigate any hit that does not line up with an approved change.
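The following is an added example (not part of the original rule) that runs the matching logic described above over constructed Sysmon registry value-set events (Event ID 13). The event dictionaries, the field names (EventID, Image, TargetObject, Details) and the `DWORD (0x00000000)` rendering of the Details field are modelled on Sysmon's EventData; the sample events are constructed here, not real telemetry.

```python
"""Evaluate the AutoShareWks / AutoShareServer registry detection over
constructed Sysmon Event ID 13 (RegistryEvent: Value Set) records.
Added example; events and field names are assumptions modelled on Sysmon."""

import re
from typing import Iterable

# Key fragment and value names the rule keys on, lower-cased for
# case-insensitive comparison (the registry itself is case-insensitive).
LANMAN_PARAMS = "\\services\\lanmanserver\\parameters\\"
AUTOSHARE_VALUES = ("autosharewks", "autoshareserver")

# Sysmon renders a REG_DWORD write as "DWORD (0x00000000)" in Details;
# accept any number of zero digits so the check is not tied to padding.
DWORD_ZERO = re.compile(r"^DWORD \(0x0+\)$")


def is_autoshare_disable(event: dict) -> bool:
    """True when a value-set event writes AutoShareWks or AutoShareServer
    under LanmanServer\\Parameters with a DWORD value of 0."""
    if event.get("EventID") != 13:  # only registry value-set events
        return False
    target = event.get("TargetObject", "").lower()
    if LANMAN_PARAMS not in target:  # must be the Server service key
        return False
    if not target.endswith(AUTOSHARE_VALUES):  # either value name
        return False
    return bool(DWORD_ZERO.match(event.get("Details", "")))


def find_matches(events: Iterable[dict]) -> list[dict]:
    """Return the events that satisfy the rule, preserving input order."""
    return [e for e in events if is_autoshare_disable(e)]


LANMAN_KEY = r"HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # match: workstation shares disabled via reg.exe
        "EventID": 13,
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": LANMAN_KEY + r"\AutoShareWks",
        "Details": "DWORD (0x00000000)",
    },
    {   # match: server shares disabled from PowerShell
        "EventID": 13,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetObject": LANMAN_KEY + r"\AutoShareServer",
        "Details": "DWORD (0x00000000)",
    },
    {   # no match: shares re-enabled (value 1)
        "EventID": 13,
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": LANMAN_KEY + r"\AutoShareWks",
        "Details": "DWORD (0x00000001)",
    },
    {   # no match: a different value under the same key set to 0
        "EventID": 13,
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": LANMAN_KEY + r"\RequireSecuritySignature",
        "Details": "DWORD (0x00000000)",
    },
    {   # no match: same value name under an unrelated service key
        "EventID": 13,
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\Example\Parameters\AutoShareWks",
        "Details": "DWORD (0x00000000)",
    },
    {   # no match: key creation/deletion event rather than a value write
        "EventID": 12,
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": LANMAN_KEY + r"\AutoShareWks",
        "Details": "",
    },
]


def matched_values(events: Iterable[dict]) -> list[str]:
    """Names of the registry values written by matching events."""
    return [e["TargetObject"].rsplit("\\", 1)[-1] for e in find_matches(events)]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(f"ALERT {hit['Image']} wrote {hit['TargetObject']} = {hit['Details']}")
```

Running the block alerts on the first two events only. In production the `Image` and user fields on a hit are what you would use to separate an approved hardening run from post-compromise cleanup; the rule itself, as described, does not filter on them.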
Categories
- Windows
- Endpoint
- Infrastructure
Data Sources
- Windows Registry
ATT&CK Techniques
- T1070.005
Created: 2022-01-16