
Windows Network Connection Discovery Via Net

Splunk Security Content

Summary
This analytic identifies execution of `net.exe` with specific command-line arguments used to list or display information about computer connections in a Windows environment. It relies on telemetry from Endpoint Detection and Response (EDR) agents, drawing on process events such as Sysmon EventID 1 and Windows Security Event Log 4688. Such activity matters because it can indicate network reconnaissance by malicious actors or Red Teams seeking to ascertain Active Directory details and gather intelligence on the network structure. If malicious, this behavior could lead to extensive mapping of network assets, paving the way for further attacks, data exfiltration, or lateral movement within the environment. The detection is most effective when command-line scrutiny is combined with process observations, with the Splunk Common Information Model (CIM) used to normalize the data and speed up searching.
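As an added illustration of the command-line scrutiny the summary describes (example code written for this page, not Splunk's own detection logic or SPL): it normalizes constructed Sysmon EventID 1 and Security 4688 records into CIM-style Endpoint.Processes fields and flags net.exe/net1.exe runs whose first argument falls in an assumed discovery subcommand set (`use`, `session`, `file`), since the page does not enumerate the actual arguments.

```python
import shlex
from typing import Iterable

# Assumed subcommands that list or display connection information; the page does
# not enumerate the exact arguments, so this set is an assumption for the example.
DISCOVERY_SUBCOMMANDS = {"use", "session", "file"}

# net.exe hands most subcommands to net1.exe, so both process names are watched.
NET_BINARIES = {"net.exe", "net1.exe"}

# Constructed sample records (not real telemetry): two Sysmon EventID 1 events and
# two Security 4688 events, already parsed into dicts.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\net.exe", "CommandLine": "NET  use",
     "User": "CORP\\jdoe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\net1.exe",
     "CommandLine": "C:\\Windows\\system32\\net1  session", "SubjectUserName": "svc-backup"},
    {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "net user /domain", "SubjectUserName": "jdoe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\ipconfig.exe", "CommandLine": "ipconfig /all",
     "User": "CORP\\jdoe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
]

def normalize(event: dict) -> dict:
    """Map Sysmon EventID 1 and Security 4688 fields onto CIM-style Endpoint.Processes names."""
    if event["EventID"] == 1:
        path, user, parent = event["Image"], event.get("User", ""), event.get("ParentImage", "")
    else:  # Security 4688
        path, user = event["NewProcessName"], event.get("SubjectUserName", "")
        parent = event.get("ParentProcessName", "")
    return {
        "process_name": path.rsplit("\\", 1)[-1].lower(),
        "process": event.get("CommandLine", ""),
        "user": user,
        "parent_process_name": parent.rsplit("\\", 1)[-1].lower(),
    }

def subcommand(cmdline: str) -> str:
    """First argument after the executable, lower-cased; '' if none. Quoted paths with spaces stay one token."""
    try:
        tokens = shlex.split(cmdline, posix=False)  # keep Windows backslashes untouched
    except ValueError:  # unbalanced quote: fall back to plain whitespace split
        tokens = cmdline.split()
    return tokens[1].strip('"').lower() if len(tokens) > 1 else ""

def detect(events: Iterable[dict]) -> list[dict]:
    """Return normalized records where net/net1 was run with a discovery subcommand."""
    return [ev for ev in map(normalize, events)
            if ev["process_name"] in NET_BINARIES
            and subcommand(ev["process"]) in DISCOVERY_SUBCOMMANDS]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['user']} ({hit['parent_process_name'] or 'unknown parent'}): {hit['process']}")
```

`net user /domain` is deliberately not matched here: account enumeration is a different technique and belongs to a separate analytic, and a legitimate admin running `net use` will still fire this one, so the user and parent process fields are kept for triage.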
Categories
  • Endpoint
Data Sources
  • Pod
  • Container
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1049
Created: 2025-01-13