
Summary
This detection rule targets reconnaissance by threat actors who enumerate local administrative access on remote Windows systems through the administrative shares C$, Admin$, or IPC$. The logic captures commands that list files and directories, namely 'dir', 'ls', 'Get-ChildItem', and 'tree'. Because these commands do not produce process creation events of their own, detection is possible only when they appear in the command line of another executable, such as 'cmd.exe /c dir'.

The Splunk query uses Sysmon event ID 1 (process creation) and checks for the listed commands together with the share names. The expression matches commands that target administrative shares from specific local networks, identified by a regex covering the private IP ranges, which limits the alert to potentially unauthorized access attempts within the internal network. The query outputs timestamps, hostnames, users, and process information for further analysis, helping security analysts identify file enumeration on administrative shares.
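The following Python script re-implements the detection logic described above over constructed Sysmon event ID 1 records, so the matching conditions can be inspected and tested outside Splunk. It is an added example, not the rule's own Splunk query. It assumes the field names the Splunk Sysmon add-on uses (EventCode, Computer, User, Image, CommandLine), and it applies the private-IP regex to the host portion of the UNC path in the command line; the rule's exact regex and field handling may differ.

```python
"""Added example: the rule's logic applied to Sysmon EventCode 1 records.

A record alerts when its CommandLine contains a directory-listing command
(dir, ls, Get-ChildItem, tree) AND a UNC path to an administrative share
(C$, Admin$, IPC$) whose host is an RFC 1918 private IPv4 address.
Field names follow the Splunk Sysmon add-on (assumption)."""
import re

# Listing commands named by the rule, matched as whole tokens, case-insensitively,
# so "dir" inside "directory.exe" does not match.
LISTING_COMMANDS = {"dir", "ls", "get-childitem", "tree"}

# UNC path to an administrative share: \\<host>\<C$|Admin$|IPC$>
ADMIN_SHARE_RE = re.compile(r"\\\\(?P<host>[^\\\s]+)\\(?P<share>c\$|admin\$|ipc\$)", re.IGNORECASE)
SHARE_CANONICAL = {"c$": "C$", "admin$": "Admin$", "ipc$": "IPC$"}

# RFC 1918 private ranges, the kind of "private IP" regex the rule refers to (assumption).
PRIVATE_IP_RE = re.compile(
    r"^(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3})$"
)


def has_listing_command(command_line):
    """True if any whole token of the command line is one of the listing commands."""
    tokens = re.split(r"[\s;&|]+", command_line)
    return any(t.strip("\"'").lower() in LISTING_COMMANDS for t in tokens)


def admin_share_target(command_line):
    """Return (host, share) for the first admin-share UNC path on a private IP, else None."""
    for m in ADMIN_SHARE_RE.finditer(command_line):
        if PRIVATE_IP_RE.match(m.group("host")):
            return m.group("host"), SHARE_CANONICAL[m.group("share").lower()]
    return None


def detect(events):
    """Apply the rule to Sysmon records and return one alert row per match."""
    alerts = []
    for e in events:
        if e.get("EventCode") != 1:          # only process creation events
            continue
        cmd = e.get("CommandLine", "")
        if not has_listing_command(cmd):
            continue
        target = admin_share_target(cmd)
        if target is None:
            continue
        host, share = target
        alerts.append({
            "_time": e["_time"], "host": e["Computer"], "user": e["User"],
            "process": e["Image"], "command_line": cmd,
            "target_host": host, "share": share,
        })
    return alerts


def _event(time, image, cmd, code=1):
    """Build a constructed sample record (not a real log)."""
    return {"_time": time, "EventCode": code, "Computer": "WS01",
            "User": "CORP\\alice", "Image": image, "CommandLine": cmd}


CMD = "C:\\Windows\\System32\\cmd.exe"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed sample events: two should alert, the rest should not.
SAMPLE_EVENTS = [
    _event("2024-02-09T10:00:01Z", CMD, "cmd.exe /c dir \\\\10.0.0.5\\C$\\Users"),
    _event("2024-02-09T10:00:02Z", PS,
           'powershell.exe -Command "Get-ChildItem \\\\192.168.1.20\\Admin$\\Temp"'),
    _event("2024-02-09T10:00:03Z", CMD, "cmd.exe /c dir C:\\Users"),              # local path
    _event("2024-02-09T10:00:04Z", CMD, "cmd.exe /c dir \\\\8.8.8.8\\C$"),        # non-private host
    _event("2024-02-09T10:00:05Z", CMD, "cmd.exe /c copy n.txt \\\\10.0.0.5\\C$\\Temp"),  # no listing
    _event("2024-02-09T10:00:06Z", CMD, "cmd.exe /c tree \\\\fileserver01\\C$"),  # hostname, not IP
    _event("2024-02-09T10:00:07Z", CMD, "cmd.exe /c dir \\\\10.0.0.5\\C$", code=3),  # not EventCode 1
]

if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row["_time"], row["host"], row["user"], row["share"], row["command_line"])
```

The sixth sample event shows a coverage gap worth knowing about when tuning: a UNC path that names the target by hostname rather than IP never matches the private-range regex, so a deployment that wants those cases should match on the share name alone and filter by source network through a different field.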
Categories
- Endpoint
- Windows
Data Sources
- Process
ATT&CK Techniques
- T1083
Created: 2024-02-09