Network Share Connection Removal

Windows shared drive and Windows Admin Shares connections can be removed when no longer needed. Net is an example utility that can be used to remove network share connections with the net use \\system\share /delete command. [1]

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

ID: T1126

Tactic: Defense Evasion

Platform: Windows

Permissions Required: Administrator, User

Data Sources: Process monitoring, Process command-line parameters, Packet capture, Authentication logs

Defense Bypassed: Host forensic analysis

Version: 1.0

Examples

Name | Description
Net | The net use \\system\share /delete command can be used in Net to remove an established connection to a network share. [1]
Threat Group-3390 | Threat Group-3390 has detached network shares after exfiltrating files, likely to evade detection. [2]

Mitigation

Follow best practices for mitigation of activity related to establishing Windows Admin Shares.

Identify unnecessary system utilities or potentially malicious software that may be used to leverage network shares, and audit and/or block them by using whitelisting tools [3], such as AppLocker [4] [5] or Software Restriction Policies [6], where appropriate. [7]

Detection

Network share connections may be common depending on how a network environment is used. Monitor command-line invocation of net use commands associated with establishing and removing remote shares over SMB, including following best practices for detection of Windows Admin Shares. SMB traffic between systems may also be captured and decoded to look for related network share session and file transfer activity. Windows authentication logs are also useful in determining when authenticated network shares are established and by which account, and can be used to correlate network share activity with other events to investigate potentially malicious activity.
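The detection guidance above, worked through as an added example that is not part of the ATT&CK page: it classifies process-creation command lines as net use connect or delete invocations (net.exe and net1.exe, including the abbreviated /d switch and the /delete * form), then pairs each removal with the connection it tears down for the same host and account, so an analyst can see how long a share lived and what ran in between. The event records, field names (time, host, user, cmdline) and sample command lines are constructed for the example and only loosely follow Windows 4688 / Sysmon process-creation fields.

```python
"""Pair `net use ... /delete` invocations with the share connection they close.

Added example for the T1126 detection notes; the event schema and the sample
events below are constructed, not taken from any real log source.
"""
import re
from datetime import datetime

# Binaries that implement `net use`; net.exe hands the work to net1.exe,
# so both may appear as the created process.
NET_BINARIES = {"net", "net.exe", "net1", "net1.exe"}
DRIVE_RE = re.compile(r"^[A-Za-z]:$")


def parse_net_use(cmdline):
    """Classify a command line as a `net use` connect or delete.

    Returns a dict with keys action ("connect" | "delete"), unc, drive, all,
    or None when the line is not a `net use` invocation of interest
    (e.g. `net user`, or a bare `net use` that only lists connections).
    """
    tokens = cmdline.split()
    if len(tokens) < 2:
        return None
    exe = tokens[0].strip('"').rsplit("\\", 1)[-1].lower()
    if exe not in NET_BINARIES or tokens[1].lower() != "use":
        return None
    args = tokens[2:]
    unc = next((a for a in args if a.startswith("\\\\")), None)
    drive = next((a for a in args if DRIVE_RE.match(a)), None)
    # /delete may be abbreviated to /d; `/delete *` drops every connection.
    if any(a.lower() in ("/delete", "/d") for a in args):
        return {"action": "delete", "unc": unc, "drive": drive, "all": "*" in args}
    if unc:
        return {"action": "connect", "unc": unc, "drive": drive, "all": False}
    return None


def find_share_removals(events):
    """Return one finding per share removal, paired with its connect when seen.

    events: dicts with ISO-8601 "time", "host", "user", "cmdline" (any order).
    Matching is scoped to the same host and account, and a connect can be
    closed either by its UNC path or by the drive letter it was mapped to.
    """
    open_shares = []  # records: {"scope": (host, user), "names": {...}, "event": ev}
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        parsed = parse_net_use(ev["cmdline"])
        if parsed is None:
            continue
        scope = (ev["host"], ev["user"])
        names = {n.lower() for n in (parsed["unc"], parsed["drive"]) if n}
        if parsed["action"] == "connect":
            open_shares.append({"scope": scope, "names": names, "event": ev})
            continue
        matched = [r for r in open_shares
                   if r["scope"] == scope and (parsed["all"] or names & r["names"])]
        for r in matched:
            open_shares.remove(r)
        connect = matched[0]["event"] if matched else None
        lifetime = None
        if connect:
            lifetime = (datetime.fromisoformat(ev["time"])
                        - datetime.fromisoformat(connect["time"])).total_seconds()
        findings.append({
            "host": ev["host"], "user": ev["user"],
            "target": parsed["unc"] or parsed["drive"] or "*",
            "connected_at": connect["time"] if connect else None,
            "deleted_at": ev["time"],
            "lifetime_seconds": lifetime,
            "cmdline": ev["cmdline"],
        })
    return findings


# Constructed sample telemetry: a share is mapped, read from, then removed on WS01;
# on WS02 a drive mapping is removed without any connect in the window.
SAMPLE_EVENTS = [
    {"time": "2019-06-01T10:00:00", "host": "WS01", "user": "CORP\\alice",
     "cmdline": "net use \\\\FS01\\finance /user:CORP\\alice"},
    {"time": "2019-06-01T10:02:30", "host": "WS01", "user": "CORP\\alice",
     "cmdline": "xcopy \\\\FS01\\finance\\q2 C:\\temp\\out /s"},
    {"time": "2019-06-01T10:05:00", "host": "WS01", "user": "CORP\\alice",
     "cmdline": "net use \\\\FS01\\finance /delete"},
    {"time": "2019-06-01T11:00:00", "host": "WS02", "user": "CORP\\bob",
     "cmdline": "C:\\Windows\\System32\\net1.exe use Z: /d /y"},
    {"time": "2019-06-01T11:30:00", "host": "WS03", "user": "CORP\\carol",
     "cmdline": "net user carol"},
]

if __name__ == "__main__":
    for finding in find_share_removals(SAMPLE_EVENTS):
        print(finding)
```

A removal with no matching connect (the WS02 case) is worth a second look on its own: the share was established outside the collected window, by a different process lineage, or through an API path that never spawned net.exe. The lifetime figure is what lets the analyst bracket the file-transfer activity the text mentions, and the same host/account scope is the key to join against SMB session data or authentication events.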

References