Windows Network Share Interaction Via Net

Splunk Security Content

Summary
This detection identifies interaction with network shares on Windows systems through the Net command (net.exe). Attackers use it during reconnaissance to discover which shared resources are reachable, which can feed subsequent lateral movement, privilege escalation, or data exfiltration. The analytic consumes process-creation telemetry from Sysmon EventID 1, Windows Security Event Log 4688, and CrowdStrike ProcessRollup2, and matches executions of net.exe whose arguments list or interact with network shares. The search aggregates the matching command lines by host, user, and parent process together with first- and last-seen timestamps, so an analyst can see how much share enumeration occurred, from where, and when. To implement it, the ingested logs must carry the process name, full command line, and parent process context, normalized into the Endpoint data model of the Splunk Common Information Model (CIM). Administrators and logon scripts also map and enumerate shares with net.exe, so expect to baseline and filter known-good hosts, users, and parent processes before alerting on this search.
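The matching and aggregation described above, as an added example that is not part of the original page or of the Splunk Security Content project. It re-implements the detection logic in Python over a handful of constructed, CIM-style process-creation events so it can be run offline: an event qualifies when the process is net.exe (treating net1.exe, which net.exe hands most subcommands to, as equivalent is this example's assumption) and its first argument is the share, use, or view subcommand (the specific subcommand list is also an assumption; the page only says "listing or interacting with network shares"). Parsing the subcommand as a whole token rather than a substring keeps "net user" from being mistaken for "net use". The summary mirrors a Splunk stats call: count, first and last time, and the distinct command lines, per host, user, parent process, and process name.

```python
"""Toy re-implementation of the 'Windows Network Share Interaction Via Net' logic.

Added example, not the project's own search. Assumptions: net1.exe is treated
like net.exe, and the share-related subcommands are exactly share, use, view.
"""
import re
from collections import defaultdict
from datetime import datetime

# Binaries and subcommands that list or interact with shares (assumption, see above).
NET_BINARIES = {"net.exe", "net1.exe"}
SHARE_SUBCOMMANDS = {"share", "use", "view"}

# Constructed sample events (not real telemetry), shaped like process-creation
# records after normalization into the CIM Endpoint.Processes fields.
SAMPLE_EVENTS = [
    {"_time": "2025-01-20T09:12:01", "dest": "WS01", "user": "CORP\\jdoe",
     "parent_process_name": "cmd.exe", "process_name": "net.exe",
     "process": r"net.exe view \\FS01"},
    {"_time": "2025-01-20T09:12:07", "dest": "WS01", "user": "CORP\\jdoe",
     "parent_process_name": "cmd.exe", "process_name": "net.exe",
     "process": r'"C:\Windows\system32\net.exe" use Z: \\FS01\finance /persistent:no'},
    {"_time": "2025-01-20T09:12:09", "dest": "WS01", "user": "CORP\\jdoe",
     "parent_process_name": "cmd.exe", "process_name": "net.exe",
     "process": "net user jdoe"},                      # 'user' must not match 'use'
    {"_time": "2025-01-20T09:30:44", "dest": "SRV02", "user": "NT AUTHORITY\\SYSTEM",
     "parent_process_name": "services.exe", "process_name": "net1.exe",
     "process": "net1 share"},
    {"_time": "2025-01-20T09:31:00", "dest": "WS03", "user": "CORP\\admin",
     "parent_process_name": "powershell.exe", "process_name": "net.exe",
     "process": "net stop spooler"},                   # net.exe, but not a share subcommand
    {"_time": "2025-01-20T09:31:15", "dest": "WS03", "user": "CORP\\admin",
     "parent_process_name": "powershell.exe", "process_name": "netsh.exe",
     "process": "netsh advfirewall show allprofiles"},  # not net.exe at all
]

# First whitespace token, or a double-quoted token such as "C:\path with spaces\net.exe".
_EXE_PREFIX = re.compile(r'^\s*(?:"[^"]*"|\S+)\s*')


def subcommand(command_line):
    """Return the first argument after the executable, lower-cased, or None."""
    rest = _EXE_PREFIX.sub("", command_line, count=1)
    parts = rest.split(None, 1)
    return parts[0].lower() if parts else None


def is_share_interaction(event):
    """True when net.exe/net1.exe runs a share-related subcommand."""
    if event.get("process_name", "").lower() not in NET_BINARIES:
        return False
    return subcommand(event.get("process", "")) in SHARE_SUBCOMMANDS


def summarize(events):
    """Aggregate matching events like a Splunk stats call:
    count, min(_time), max(_time), values(process) by dest, user, parent, process_name."""
    groups = defaultdict(lambda: {"count": 0, "first_time": None,
                                  "last_time": None, "commands": set()})
    for ev in events:
        if not is_share_interaction(ev):
            continue
        key = (ev["dest"], ev["user"], ev["parent_process_name"], ev["process_name"])
        t = datetime.fromisoformat(ev["_time"])
        g = groups[key]
        g["count"] += 1
        g["first_time"] = t if g["first_time"] is None else min(g["first_time"], t)
        g["last_time"] = t if g["last_time"] is None else max(g["last_time"], t)
        g["commands"].add(ev["process"])
    # Freeze the sets into sorted lists so results are deterministic and printable.
    return {k: {**v, "commands": sorted(v["commands"])} for k, v in groups.items()}


if __name__ == "__main__":
    for key, stats in summarize(SAMPLE_EVENTS).items():
        dest, user, parent, proc = key
        print(f"{dest} {user} {parent} -> {proc}: {stats['count']} hit(s), "
              f"{stats['first_time']} .. {stats['last_time']}")
        for cmd in stats["commands"]:
            print("    ", cmd)
```

Running the block prints two groups: jdoe on WS01 with two share commands under cmd.exe, and SYSTEM on SRV02 running net1 share under services.exe. The "net user" and "net stop" executions and the netsh.exe event are dropped, which is the behaviour a practitioner should verify first when porting the logic to a real search, since a substring match on "use" would have produced a false hit on "net user".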
Categories
  • Windows
  • Endpoint
Data Sources
  • Sysmon EventID 1
  • Windows Event Log Security 4688
  • CrowdStrike ProcessRollup2
ATT&CK Techniques
  • T1135 (Network Share Discovery)
  • T1039 (Data from Network Shared Drive)
Created: 2025-01-20