diff --git a/rules/windows/builtin/win_net_use_admin_share.yml b/rules/windows/builtin/win_net_use_admin_share.yml
new file mode 100644
index 000000000..2493c2fad
--- /dev/null
+++ b/rules/windows/builtin/win_net_use_admin_share.yml
@@ -0,0 +1,26 @@
+title: Mounted Windows Admin Shares with net.exe
+id: 3abd6094-7027-475f-9630-8ab9be7b9725
+status: experimental
+description: Detects when an admin share is mounted using net.exe
+references:
+    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
+author: Teymur Kheirkhabarov '@HeirhabarovT', Zach Stanford '@svch0st'
+date: 2020/10/05
+tags:
+    - attack.lateral_movement
+    - attack.T1021.002
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith:
+            - '\net.exe'
+            - '\net1.exe'
+        CommandLine|contains|all:
+            - ' use '
+            - '\\\\*\*$*'
+    condition: selection
+falsepositives:
+    - Administrators
+level: medium
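Review bot: The second `CommandLine|contains|all` value `'\\\\*\*$*'` looks mis-escaped: under the Sigma escaping rules as I read them, `\\\\` is two literal backslashes and `*` is a wildcard, but `\*` is an escaped, literal asterisk, so the pattern would require the characters `*$` to appear verbatim and would not match a real admin-share path of the form `\\<host>\<share>$`. If the intent is "two backslashes, any host, one backslash, any share name ending in `$`", the value should presumably be `- '\\\\*\\*$*'`; a backend-specific test case against a sample command line such as `net use \\host\C$` would confirm which form the converters actually honour. It would also help future maintainers to add a comment on that line stating the intended plain-text pattern, e.g. `# matches \\<host>\<share>$`, since the escaped form is hard to read.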