
Windows File Share Discovery With Powerview

Splunk Security Content

Summary
This analytic rule detects execution of the `Invoke-ShareFinder` PowerShell cmdlet, which is part of the PowerView toolset. The cmdlet is commonly used for network reconnaissance to enumerate file shares within a Windows environment. By leveraging PowerShell Script Block Logging (EventCode 4104), the rule identifies instances where this command is executed. Monitoring this command is critical because its use can indicate a security risk: attackers use it to locate sensitive resources such as backup files, scripts, and user credentials. Such activity may occur before an attack or after a compromise and can allow attackers to escalate privileges or move laterally across the network, compromising additional systems. The results of this detection help security teams quickly assess potential threats and respond accordingly to mitigate risk.
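The detection described above, as an added worked example that is not part of the Splunk Security Content rule itself: Python that runs the same check (EventCode 4104 script block text containing `Invoke-ShareFinder`) over a handful of constructed sample events. The field names (`EventCode`, `ScriptBlockText`, `ScriptBlockId`, `MessageNumber`, `MessageTotal`, `Computer`, `UserID`) are assumed to match what the Splunk Windows add-on extracts from the PowerShell Operational log; the sample events are constructed, not real telemetry. It goes one step beyond a per-event substring match by reassembling script blocks that Windows split into several 4104 fragments before matching, since a cmdlet name can straddle a fragment boundary.

```python
"""Detect Invoke-ShareFinder in PowerShell Script Block Logging (EventCode 4104).

Added example; field layout is an assumption about Splunk-extracted 4104 events.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed sample events (not real telemetry). Layout assumed to follow the
# Splunk Windows add-on's extraction of Microsoft-Windows-PowerShell/Operational.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventCode": "4104", "Computer": "ws01.corp.example", "UserID": "CORP\\alice",
     "ScriptBlockId": "a1", "MessageNumber": "1", "MessageTotal": "1",
     "ScriptBlockText": "Get-ChildItem C:\\Users"},
    {"EventCode": "4104", "Computer": "ws02.corp.example", "UserID": "CORP\\bob",
     "ScriptBlockId": "b2", "MessageNumber": "1", "MessageTotal": "1",
     "ScriptBlockText": "Invoke-ShareFinder -CheckShareAccess"},
    # One long script block that Windows logged as two 4104 fragments; the cmdlet
    # name straddles the boundary, so matching each event alone would miss it.
    {"EventCode": "4104", "Computer": "ws03.corp.example", "UserID": "CORP\\carol",
     "ScriptBlockId": "c3", "MessageNumber": "1", "MessageTotal": "2",
     "ScriptBlockText": "function Get-Shares {\n  Invoke-Share"},
    {"EventCode": "4104", "Computer": "ws03.corp.example", "UserID": "CORP\\carol",
     "ScriptBlockId": "c3", "MessageNumber": "2", "MessageTotal": "2",
     "ScriptBlockText": "Finder -Verbose\n}"},
    # Different EventCode: out of scope for this rule even though the text matches.
    {"EventCode": "4103", "Computer": "ws04.corp.example", "UserID": "CORP\\dave",
     "ScriptBlockId": "d4", "MessageNumber": "1", "MessageTotal": "1",
     "ScriptBlockText": "Invoke-ShareFinder"},
]

# Case-insensitive, like the rule's match on the cmdlet name.
PATTERN = re.compile(r"invoke-sharefinder", re.IGNORECASE)


def reassemble(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep only 4104 events, group fragments by ScriptBlockId and join them
    in MessageNumber order so each script block is matched as a whole."""
    parts: Dict[str, List[tuple]] = defaultdict(list)
    meta: Dict[str, Dict[str, str]] = {}
    for ev in events:
        if ev.get("EventCode") != "4104":
            continue
        sbid = ev["ScriptBlockId"]
        parts[sbid].append((int(ev.get("MessageNumber", "1")),
                            ev.get("ScriptBlockText", "")))
        # Host and user are identical across fragments; keep the first seen.
        meta.setdefault(sbid, {"Computer": ev.get("Computer", ""),
                               "UserID": ev.get("UserID", "")})
    blocks = []
    for sbid, frags in parts.items():
        text = "".join(t for _, t in sorted(frags))
        blocks.append({"ScriptBlockId": sbid, "ScriptBlockText": text, **meta[sbid]})
    return blocks


def detect(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the reassembled script blocks that contain Invoke-ShareFinder."""
    return [b for b in reassemble(events) if PATTERN.search(b["ScriptBlockText"])]


def summarize(events: Iterable[Dict[str, str]]) -> List[str]:
    """One triage line per hit: who ran it and where."""
    return [f"{b['Computer']} {b['UserID']} ScriptBlockId={b['ScriptBlockId']}"
            for b in detect(events)]


if __name__ == "__main__":
    for line in summarize(SAMPLE_EVENTS):
        print(line)
```

The match is deliberately as narrow as the rule described on the page (the literal cmdlet name), so it inherits the same blind spot: a renamed function will not trigger it. Reassembling fragments by `ScriptBlockId` removes one avoidable false negative without widening the rule; pairing this detection with the 4104 `Path` field and process-level telemetry is what lets an analyst tell an administrator's share audit from reconnaissance.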
Categories
  • Endpoint
Data Sources
  • Pod
  • Process
  • Application Log
ATT&CK Techniques
  • T1135
Created: 2024-11-13