Network Share Connection Removal
| Field | Value |
|---|---|
| Platform | Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10 |
| System Requirements | Established network share connection to a remote system. Level of access depends on permissions of the account used. |
| Permissions Required | User, Administrator |
| Data Sources | Process monitoring, Process command-line parameters, Packet capture, Authentication logs |
| Defense Bypassed | Host forensic analysis |
Windows shared drive and Windows Admin Shares connections can be removed when no longer needed. Net is an example utility that can be used to remove network share connections with the `net use \\system\share /delete` command.[1]
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
- Threat Group-3390 has detached network shares after exfiltrating files, likely to evade detection.[2]
The `net use \\system\share /delete` command can be used in Net to remove an established connection to a network share.[1]
Follow best practices for mitigation of activity related to establishing Windows Admin Shares.
Identify unnecessary system utilities or potentially malicious software that may be used to leverage network shares, and audit and/or block them by using whitelisting[3] tools, like AppLocker,[4][5] or Software Restriction Policies[6] where appropriate.[7]
Network share connections may be common depending on how a network environment is used. Monitor command-line invocation of `net use` commands associated with establishing and removing remote shares over SMB, including following best practices for detection of Windows Admin Shares. SMB traffic between systems may also be captured and decoded to look for related network share session and file transfer activity. Windows authentication logs are also useful in determining when authenticated network shares are established and by which account, and can be used to correlate network share activity to other events to investigate potentially malicious activity.
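The command-line monitoring described above, as an added example that is not part of the ATT&CK page: it classifies `net use` / `net1 use` invocations from process-creation events (constructed sample data, in the shape a 4688 or Sysmon feed would provide), flags admin-share targets, and pairs each removal with the establishment that preceded it so that short-lived connections stand out for review. Event fields, regexes and the 600-second window are assumptions chosen for the example.

```python
import re
from datetime import datetime

# Constructed process-creation events (not real telemetry), time-ordered: (timestamp, host, account, command line).
SAMPLE_EVENTS = [
    ("2017-06-27T10:00:01", "WKS01", r"CORP\alice", r"net use Z: \\fileserver\finance"),
    ("2017-06-27T10:02:15", "WKS01", r"CORP\alice", r"net use \\10.0.0.5\C$"),
    ("2017-06-27T10:02:40", "WKS01", r"CORP\alice", r"net use \\10.0.0.5\C$ /delete"),
    ("2017-06-27T10:05:00", "WKS01", r"CORP\alice", r"ping 10.0.0.5"),
    ("2017-06-27T11:30:00", "WKS02", r"CORP\bob", r"C:\Windows\System32\net1.exe use Z: /delete /y"),
]

# net.exe hands "use" to net1.exe, so match either name, with or without a path or .exe suffix.
NET_USE_RE = re.compile(r"^\s*(?:\S*\\)?net1?(?:\.exe)?\s+use\b(?P<args>.*)$", re.IGNORECASE)
UNC_RE = re.compile(r"\\\\[^\s\\]+\\[^\s\\]+")
DRIVE_RE = re.compile(r"\b([A-Z]):(?!\\)", re.IGNORECASE)
DELETE_RE = re.compile(r"/d(?:elete|elet|ele|el|e)?\b", re.IGNORECASE)  # net accepts prefixes of /delete
ADMIN_SHARE_RE = re.compile(r"\\\\[^\s\\]+\\(?:[A-Z]\$|ADMIN\$|IPC\$)$", re.IGNORECASE)

def classify(cmdline):
    """Return None unless cmdline is a 'net use' invocation; otherwise describe what it does."""
    m = NET_USE_RE.match(cmdline)
    if not m:
        return None
    args = m.group("args")
    unc, drive = UNC_RE.search(args), DRIVE_RE.search(args)
    return {
        "action": "delete" if DELETE_RE.search(args) else "establish",
        "unc": unc.group(0).upper() if unc else None,
        "drive": drive.group(1).upper() + ":" if drive else None,
        "admin_share": bool(unc and ADMIN_SHARE_RE.match(unc.group(0))),
    }

def short_lived_connections(events, window_seconds=600):
    """Pair each removal with the same host/account's establishment of that share; report the quick ones."""
    open_conns = {}  # (host, account, drive letter or UNC path) -> (established at, admin share?)
    findings = []
    for ts, host, account, cmdline in events:
        info = classify(cmdline)
        if info is None:
            continue
        key = info["drive"] or info["unc"]  # a drive-mapped share is removed by its letter
        when = datetime.fromisoformat(ts)
        if info["action"] == "establish":
            open_conns[(host, account, key)] = (when, info["admin_share"])
            continue
        opened = open_conns.pop((host, account, key), None)
        if opened and (when - opened[0]).total_seconds() <= window_seconds:
            findings.append({"host": host, "account": account, "target": key,
                             "seconds": (when - opened[0]).total_seconds(), "admin_share": opened[1]})
    return findings
```

On the sample data the only finding is the admin share `\\10.0.0.5\C$` on WKS01, connected and removed 25 seconds apart; the `Z:` removal on WKS02 has no matching establishment in the feed and is left for the authentication-log correlation the text describes.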
1. Microsoft. (n.d.). Net Use. Retrieved November 25, 2016.
2. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
3. Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda? Retrieved November 18, 2014.
4. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
5. NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
6. Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
7. Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.