
Summary
This analytic rule detects modifications to firewall settings that enable file and printer sharing, a change that can indicate ransomware activity. The detection focuses on command-line executions of 'netsh', specifically commands that enable file and printer sharing. Detection sources are Sysmon EventID 1, Windows Event Log Security 4688, and CrowdStrike ProcessRollup2, all collected from Endpoint Detection and Response (EDR) agents. A match can indicate that an intruder, possibly a ransomware variant, is attempting to spread across the network by discovering and encrypting files on other connected systems. Detecting the change at this stage allows a proactive response before widespread file encryption or other malicious activity occurs.
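The matching logic the summary describes, as an added worked example that is not the rule's own query or code: it runs the netsh check over a handful of constructed process-creation records shaped like Sysmon EventID 1 / Security 4688 / ProcessRollup2 data (field names and the `source` key are assumptions, not the schema of any product), alerts only when netsh.exe is used to switch the file and printer sharing rules on, and ignores disabling and unrelated netsh usage.

```python
import re

# Constructed sample process-creation records (not real telemetry). Field names
# follow the Sysmon EventID 1 convention; the "source" key marks which of the
# rule's three sources the record stands in for.
SAMPLE_EVENTS = [
    {"source": "Sysmon EventID 1",
     "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes'},
    {"source": "Security 4688",
     "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "netsh firewall set service type=fileandprint mode=enable"},
    {"source": "CrowdStrike ProcessRollup2",
     "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=No'},
    {"source": "Sysmon EventID 1",
     "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "netsh interface ip show config"},
    {"source": "Sysmon EventID 1",
     "Image": r"C:\Windows\System32\ipconfig.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "ipconfig /all"},
]

# Either the advfirewall rule-group name or the legacy "fileandprint" service
# keyword identifies the firewall rules being changed (case- and spacing-tolerant).
FILE_PRINT_RE = re.compile(r"file\s*and\s*printer\s*sharing|fileandprint", re.I)
# Only a transition to the enabled state is of interest; disabling is not alerted.
ENABLE_RE = re.compile(r"enable\s*=\s*yes|mode\s*=\s*enable", re.I)


def is_netsh(event):
    """True when the process image is netsh.exe, regardless of path or case."""
    image = event.get("Image", "")
    return image.lower().replace("/", "\\").rsplit("\\", 1)[-1] == "netsh.exe"


def matches(event):
    """Rule logic: netsh.exe enabling the file and printer sharing firewall rules."""
    cmd = event.get("CommandLine", "")
    return is_netsh(event) and bool(FILE_PRINT_RE.search(cmd)) and bool(ENABLE_RE.search(cmd))


def detect(events):
    """Return one alert dict per matching event; parent image is kept for triage."""
    return [
        {"source": e["source"], "parent": e.get("ParentImage", ""), "command": e["CommandLine"]}
        for e in events if matches(e)
    ]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['source']}] parent={alert['parent']} :: {alert['command']}")
```

On the sample input only the two enabling commands produce alerts; the `enable=No` record, the read-only `netsh interface ip show config` call and the non-netsh process are all dropped. Keeping the parent image in the alert matters in practice, since a scripting host or an unusual parent spawning netsh is a stronger triage signal than an administrator's console session.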
Categories
- Endpoint
Data Sources
- Pod
- Container
- User Account
- Windows Registry
- Script
- Image
- Web Credential
- Named Pipe
- Certificate
- WMI
- Cloud Storage
- Internet Scan
- Persona
- Group
- Application Log
- Logon Session
- Instance
- Sensor Health
- File
- Drive
- Snapshot
- Command
- Kernel
- Driver
- Volume
- Cloud Service
- Malware Repository
- Network Share
- Network Traffic
- Scheduled Job
- Firmware
- Active Directory
- Service
- Domain Name
- Process
- Firewall
- Module
ATT&CK Techniques
- T1562.007
- T1562
Created: 2024-11-13