
Summary
This detection rule identifies a Windows share being mounted with the 'net.exe' utility ('net use'). 'net.exe' is a built-in command for network and account administration, and attackers use the same command to map remote shares, for example to reach administrative shares on other hosts during lateral movement or to stage tools and collected data. The rule monitors process creation events for both 'net.exe' and 'net1.exe'; net.exe hands most of its subcommands off to net1.exe, so watching only net.exe would leave a gap. The detection logic has two selections: an image (executable path) matching one of those two binaries, and command-line arguments characteristic of share mounting. The condition requires all selections to match before an event is flagged. The rule is assigned a low level because 'net use' is routinely run by administrators, logon scripts and other legitimate automation, so a hit is a lead rather than a confirmed incident and needs triage (which user and parent process ran it, which share was targeted, whether explicit credentials or an administrative share such as C$, ADMIN$ or IPC$ were involved), particularly in production environments.
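The following is an added example, not the rule's own content: a small Python re-implementation of the two-selection logic run over constructed process-creation events, plus a triage helper that separates hits involving administrative shares or explicit credentials from ordinary drive mappings. The page names only the two binaries and "share mounting" arguments, so the exact command-line tokens (the `use` verb and the start of a UNC path) are assumptions about what the rule checks, and the hostnames, users and passwords in the sample events are made up.

```python
"""Toy evaluation of the net.exe share-mount rule over constructed
process-creation events (example code, not the published rule)."""
import re

# ASSUMPTION: the page says only "net.exe/net1.exe" plus "share mounting"
# arguments, so the concrete tokens below are this example's guess at the
# selections, not a copy of the rule.
IMAGE_SUFFIXES = (r"\net.exe", r"\net1.exe")
# A mount looks like `net use Z: \\server\share`, so require the `use`
# verb and the start of a UNC path. Both must be present (contains|all).
CLI_TOKENS_ALL = (r" use ", r" \\")

# \\host\C$, \\host\ADMIN$, \\host\IPC$ and similar administrative shares.
ADMIN_SHARE_RE = re.compile(r"\\\\[^\\\s]+\\(?:admin|ipc|[a-z])\$", re.I)

# Constructed Sysmon Event ID 1-style records; hosts, users and
# passwords are invented for the example.
SAMPLE_EVENTS = [
    # Admin share with explicit credentials: classic lateral movement.
    {"id": 1, "Image": r"C:\Windows\System32\net.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"net use Z: \\10.0.0.5\C$ /user:CORP\admin Passw0rd!"},
    # net1.exe spawned by net.exe mapping a home drive: the kind of
    # legitimate hit that keeps the rule at a low level.
    {"id": 2, "Image": r"C:\Windows\System32\net1.exe",
     "ParentImage": r"C:\Windows\System32\net.exe",
     "CommandLine": r"C:\Windows\system32\net1 use H: \\fileserver\home /persistent:yes"},
    # "net user" is not "net use": must not match the share-mount rule.
    {"id": 3, "Image": r"C:\Windows\System32\net.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"net user backdoor P@ss /add"},
    # Unmapping a drive has no UNC path: not a mount.
    {"id": 4, "Image": r"C:\Windows\System32\net.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"net use Z: /delete"},
    # Mixed case and a null session to IPC$: matching is case-insensitive.
    {"id": 5, "Image": r"C:\WINDOWS\SYSTEM32\NET.EXE",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'NET USE \\dc01\IPC$ "" /user:""'},
    # The cmd.exe wrapper itself does not match; the net.exe child it
    # spawns would produce its own matching event.
    {"id": 6, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c net use Y: \\srv\share"},
]


def image_matches(image: str) -> bool:
    """First selection: Image|endswith, compared case-insensitively."""
    return image.lower().endswith(IMAGE_SUFFIXES)


def cli_matches(command_line: str) -> bool:
    """Second selection: CommandLine|contains|all, every token present."""
    lowered = command_line.lower()
    return all(token.lower() in lowered for token in CLI_TOKENS_ALL)


def rule_matches(event: dict) -> bool:
    """Condition 'all of selection_*': both selections must hold."""
    return image_matches(event["Image"]) and cli_matches(event["CommandLine"])


def run_detection(events) -> list:
    """Return the ids of the events the rule would flag, in input order."""
    return [e["id"] for e in events if rule_matches(e)]


def triage_flags(event: dict) -> list:
    """Cheap enrichment for sorting low-level hits; not part of the rule.
    Separates mounts that deserve a look (admin shares, explicit
    credentials) from a logon script mapping a home drive."""
    cmd = event["CommandLine"]
    flags = []
    if ADMIN_SHARE_RE.search(cmd):
        flags.append("admin_share")
    if "/user:" in cmd.lower():
        flags.append("explicit_credentials")
    return flags


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        if rule_matches(event):
            print(f"[{event['id']}] HIT  {event['CommandLine']}  "
                  f"flags={triage_flags(event)} parent={event['ParentImage']}")
        else:
            print(f"[{event['id']}] miss {event['CommandLine']}")
```

Running it flags events 1, 2 and 5; only 1 and 5 carry triage flags, which is the distinction an analyst needs when a low-level rule fires dozens of times a day from logon scripts. Requiring the UNC prefix alongside the `use` verb is what keeps `net user` and `net use /delete` out; a rule that only checked for `use` would be noisier still.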
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2023-02-02