Indicator Removal: Network Share Connection Removal

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and SMB/Windows Admin Shares connections can be removed when no longer needed. Net is an example utility that can be used to remove network share connections with the net use \\system\share /delete command. [1]

ID: T1070.005
Sub-technique of:  T1070
Tactic: Defense Evasion
Platforms: Windows
System Requirements: Established network share connection to a remote system. Level of access depends on permissions of the account used.
Defense Bypassed: Host forensic analysis
Version: 1.1
Created: 31 January 2020
Last Modified: 13 April 2023

Procedure Examples

ID Name Description
S0260 InvisiMole

InvisiMole can disconnect previously connected remote drives.[2]

S0039 Net

The net use \\system\share /delete command can be used in Net to remove an established connection to a network share.[1]

S0400 RobbinHood

RobbinHood disconnects all network shares from the computer with the command net use * /DELETE /Y.[3]

G0027 Threat Group-3390

Threat Group-3390 has detached network shares after exfiltrating files, likely to evade detection.[4]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments of net use commands associated with establishing and removing remote shares over SMB, including following best practices for detection of Windows Admin Shares.

DS0029 Network Traffic Network Traffic Content

SMB traffic between systems may also be captured and decoded to look for related network share session and file transfer activity.

DS0009 Process Process Creation

Monitor for newly constructed processes and/or command line execution that can be used to remove network share connections via the net.exe process.

Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic is oriented around looking for various methods of removing network shares via the command line, which is otherwise a rare event.

Analytic 1: Network Share Connection Removal

target_processes = filter processes where (
    (event_id == "1" OR event_id == "4688")
    AND (
        ( (exe == "C:\Windows\System32\net.exe" OR exe == "C:\Windows\System32\net1.exe")
          AND command_line contains "use" AND command_line contains "/delete" )
        OR command_line contains "Remove-SmbShare"
        OR command_line contains "Remove-FileShare"
    )
)

net.exe delegates most subcommands, including use, to net1.exe, so both images need to be listed. The command line must be matched on substrings rather than compared for equality, since the full line also carries the share target and switches such as /y. Note also that Remove-SmbShare and Remove-FileShare delete a share definition on the serving host rather than disconnect a client session; Remove-SmbMapping is the cmdlet that removes a client-side SMB connection.
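The analytic above run over a handful of constructed process-creation events, as an added example that is not part of the ATT&CK page. The event records, image paths and share names are made up to mimic Sysmon Event ID 1 and Security Event ID 4688 fields; the cmdlet list takes the two names from the analytic and adds Remove-SmbMapping, which is the cmdlet that actually tears down a client-side SMB connection.

```python
import ntpath
import re
from typing import Iterable, Optional

# Process-creation events the analytic keys on: Sysmon 1 and Security 4688.
PROCESS_CREATE_IDS = {"1", "4688"}

# net.exe hands most subcommands to net1.exe, so both images must be covered.
NET_IMAGES = {"net.exe", "net1.exe"}

# "net use <target> /delete". net accepts any unambiguous prefix of /delete,
# so /d, /del and /DELETE all disconnect. The target is a UNC path, a drive
# letter, or "*" for every connection (the RobbinHood form).
NET_USE_DELETE = re.compile(r"\buse\s+(?P<target>\S+)\s+/d[a-z]*\b", re.IGNORECASE)

# Cmdlet names from the page's analytic, plus Remove-SmbMapping (added here;
# it removes a client-side SMB mapping rather than a share on the server).
PS_CMDLETS = ("remove-smbshare", "remove-fileshare", "remove-smbmapping")

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"event_id": "1", "image": r"C:\Windows\System32\net.exe",
     "command_line": r"net use \\FILESRV01\finance /delete"},
    {"event_id": "4688", "image": r"C:\Windows\System32\net1.exe",
     "command_line": r"C:\Windows\system32\net1 use * /DELETE /Y"},
    {"event_id": "1", "image": r"C:\Windows\System32\net.exe",
     "command_line": r"net use Z: \\FILESRV01\finance /persistent:no"},
    {"event_id": "1", "image": r"C:\Windows\System32\net.exe",
     "command_line": r"net user svc_backup P@ssw0rd /delete"},
    {"event_id": "1", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell -c Remove-SmbMapping -RemotePath \\FILESRV01\finance -Force"},
    {"event_id": "7", "image": r"C:\Windows\System32\net.exe",
     "command_line": r"net use \\FILESRV01\finance /delete"},
]


def classify(event: dict) -> Optional[dict]:
    """Return a finding dict for a share-connection removal, or None."""
    if str(event.get("event_id")) not in PROCESS_CREATE_IDS:
        return None  # not a process-creation record
    image = ntpath.basename(event.get("image", "")).lower()
    cmdline = event.get("command_line", "")

    if image in NET_IMAGES:
        m = NET_USE_DELETE.search(cmdline)
        if m:
            target = m.group("target")
            return {
                "method": "net use /delete",
                "target": target,
                "all_connections": target == "*",  # wildcard drops every share
                "command_line": cmdline,
            }

    lowered = cmdline.lower()
    for cmdlet in PS_CMDLETS:
        if cmdlet in lowered:
            return {"method": cmdlet, "target": None,
                    "all_connections": False, "command_line": cmdline}
    return None


def find_share_removals(events: Iterable[dict]) -> list:
    """Run the analytic over a stream of events and collect the findings."""
    return [f for e in events if (f := classify(e)) is not None]


if __name__ == "__main__":
    for finding in find_share_removals(SAMPLE_EVENTS):
        print(finding)
```

The word boundary after "use" is what keeps net user ... /delete (account removal) out of the results, and the event ID gate keeps the PowerShell clauses from firing on non-process-creation records. Because share removal from the command line is rare on most hosts, every finding is worth reviewing; a target of "*" is the pattern worth escalating first.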

DS0002 User Account User Account Authentication

Windows authentication logs are also useful in determining when authenticated network shares are established and by which account, and can be used to correlate network share activity to other events to investigate potentially malicious activity.

References