
Summary
This detection rule identifies potentially malicious activity in which a single source computer accesses Windows administrative shares (C$, Admin$, IPC$) on 30 or more remote systems within a 5-minute window. The behavior is captured with Windows Security Event IDs 5140 and 5145, which record network share access events. By correlating these events, the rule flags aggressive share enumeration or lateral movement, tactics adversaries commonly use to locate sensitive files or resources. If the activity is confirmed to be unauthorized, it indicates a potential data breach and broad system compromise across the network.
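The correlation the rule describes, as an added worked example that is not the rule's own search logic: constructed 5140/5145 records (a hypothetical event schema with `IpAddress`, `dest`, `ShareName` and `_time` fields) are grouped by source, filtered to the three admin shares, and a source is flagged when it reaches 30 or more distinct hosts within any sliding 5-minute window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_SHARES = {"C$", "ADMIN$", "IPC$"}


def is_admin_share(share_name: str) -> bool:
    """Match C$, ADMIN$ and IPC$ regardless of host prefix (\\\\*\\C$, \\\\HOST\\C$, ...)."""
    return share_name.upper().rsplit("\\", 1)[-1] in ADMIN_SHARES


def find_share_sweeps(events, threshold=30, window=timedelta(minutes=5)):
    """Return {source_ip: (window_start, distinct_dest_count)} for every source that
    touched admin shares on >= threshold distinct hosts inside one sliding window.
    Event IDs 5140 and 5145 are the Security-log share access events the rule uses."""
    per_src = defaultdict(list)
    for ev in events:
        if ev["EventCode"] in (5140, 5145) and is_admin_share(ev["ShareName"]):
            per_src[ev["IpAddress"]].append((ev["_time"], ev["dest"]))
    hits = {}
    for src, accesses in per_src.items():
        accesses.sort()  # chronological, so each access can anchor a window start
        for i, (t0, _) in enumerate(accesses):
            dests = {d for t, d in accesses[i:] if t - t0 <= window}
            if len(dests) >= threshold:
                hits[src] = (t0, len(dests))
                break
    return hits


def sample_events():
    """Constructed sample data (not real logs): one sweep, one benign admin session,
    and one non-admin share access that the filter must ignore."""
    base = datetime(2024, 11, 13, 9, 0, 0)
    events = []
    for n in range(35):  # 10.0.0.5 opens C$ on 35 workstations in under 3 minutes
        events.append({"EventCode": 5140, "IpAddress": "10.0.0.5", "dest": f"WS{n:03d}",
                       "ShareName": "\\\\*\\C$", "_time": base + timedelta(seconds=5 * n)})
    for n in range(5):   # 10.0.0.9 reaches ADMIN$ on 5 servers, well below threshold
        events.append({"EventCode": 5145, "IpAddress": "10.0.0.9", "dest": f"SRV{n}",
                       "ShareName": "\\\\*\\ADMIN$", "_time": base + timedelta(minutes=n)})
    events.append({"EventCode": 5140, "IpAddress": "10.0.0.7", "dest": "FS01",
                   "ShareName": "\\\\*\\Public", "_time": base})  # ordinary share, ignored
    return events


if __name__ == "__main__":
    for src, (start, count) in find_share_sweeps(sample_events()).items():
        print(f"{src} reached {count} hosts' admin shares starting {start:%H:%M:%S}")
```

A production search would normally bucket by fixed time spans rather than slide a window from each event, so it can miss a sweep that straddles two buckets; the sliding version above is the stricter check.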
Categories
- Windows
- Network
- Endpoint
Data Sources
- Windows Registry
ATT&CK Techniques
- T1135
Created: 2024-11-13