
Summary
This detection rule identifies potentially suspicious enumeration of SMB (Server Message Block) shares in a Windows environment. Adversaries who want to understand the layout of shared resources on remote systems often run commands that query SMB shares, looking for accessible file directories and for systems to target later. The rule focuses on PowerShell module activity, specifically use of the 'get-smbshare' cmdlet, which may indicate reconnaissance. Such activity can precede further actions such as data collection or lateral movement within an organization's network. The detection condition checks for the string 'get-smbshare' in the Payload or ContextInfo fields, which indicates a targeted query of shared resources. The rule carries a low severity level because legitimate administrative scripts can trigger it. Administrators should review matches against typical network operations to filter out false positives.
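As an added illustration, not part of this rule page and not the rule's own implementation, the Python below applies the stated condition (a case-insensitive substring match for 'get-smbshare' in Payload or ContextInfo) to constructed PowerShell module-logging events and pulls the user, host application and script name out of ContextInfo for triage; the event shapes, field layout and names are assumptions. It also shows that the substring match fires on related cmdlets such as Get-SmbShareAccess run from an administrative script, which is the kind of false positive the summary warns about.

```python
import re

# Rule condition: 'get-smbshare' appears in Payload or ContextInfo. The match
# is case-insensitive here, as a 'contains' test on PowerShell logs normally is.
PATTERN = re.compile(r"get-smbshare", re.IGNORECASE)
FIELDS = ("Payload", "ContextInfo")


def matches_rule(event):
    """True when the event's Payload or ContextInfo field contains the string."""
    return any(PATTERN.search(str(event.get(f, ""))) for f in FIELDS)


def context_field(event, name):
    """Pull one 'Name = value' line out of a 4103-style ContextInfo blob."""
    m = re.search(r"^\s*%s = (.*?)\s*$" % re.escape(name),
                  event.get("ContextInfo", ""), re.MULTILINE)
    return m.group(1) if m else ""


def triage(events):
    """Return (user, host application, script name) for each hit so an
    analyst can separate known admin scripts from interactive enumeration."""
    return [(context_field(e, "User"), context_field(e, "Host Application"),
             context_field(e, "Script Name")) for e in events if matches_rule(e)]


# Constructed sample events shaped like PowerShell module logging (Event ID
# 4103); not real telemetry. Names, paths and accounts are made up.
SAMPLE_EVENTS = [
    {"EventID": 4103,
     "Payload": 'CommandInvocation(Get-SmbShare): "Get-SmbShare"',
     "ContextInfo": "Host Application = powershell.exe\n Command Name = Get-SmbShare"
                    "\n Script Name = \n User = CORP\\jdoe"},
    {"EventID": 4103,  # unrelated cmdlet, must not match
     "Payload": 'CommandInvocation(Get-ChildItem): "Get-ChildItem"',
     "ContextInfo": "Host Application = powershell.exe\n Command Name = Get-ChildItem"
                    "\n Script Name = \n User = CORP\\jdoe"},
    {"EventID": 4103,  # admin audit script: substring match still fires
     "Payload": 'CommandInvocation(Get-SmbShareAccess): "Get-SmbShareAccess"',
     "ContextInfo": "Host Application = powershell.exe\n Command Name = Get-SmbShareAccess"
                    "\n Script Name = C:\\Scripts\\share-audit.ps1\n User = CORP\\svc-inventory"},
]

if __name__ == "__main__":
    for user, host, script in triage(SAMPLE_EVENTS):
        print(f"hit: user={user} host={host} script={script or '<interactive>'}")
```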
Categories
- Windows
- Network
- On-Premise
Data Sources
- Process
- Script
- Application Log
ATT&CK Techniques
- T1069.002
Created: 2021-12-15