T1070.005: Network Share Connection Removal
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and SMB/Windows Admin Shares connections can be removed when no longer needed. Net is an example utility that can be used to remove network share connections with the `net use \\system\share /delete` command.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
Monitoring of events related to execution of net.exe with a command line containing 'share' (or 'use ') together with '/delete' (for example, 'net share #{share_name} /delete'), or events related to execution of the PowerShell cmdlets Remove-SmbShare and Remove-FileShare.
Expert Required. The technique is detected only with the combination of «PT Product + Expert»
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0029 | Network Traffic: Network Traffic Content | SMB traffic between systems may also be captured and decoded to look for related network share session and file transfer activity. |
| DS0017 | Command: Command Execution | Monitor executed commands and arguments of net use commands associated with establishing and removing remote shares over SMB, including following best practices for detection of Windows Admin Shares. |
| DS0002 | User Account: User Account Authentication | Windows authentication logs are also useful in determining when authenticated network shares are established and by which account, and can be used to correlate network share activity with other events to investigate potentially malicious activity. |
| DS0009 | Process: Process Creation | Monitor for newly constructed processes and/or command line execution that can be used to remove network share connections via the net.exe process. Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The analytic is oriented around looking for various methods of removing network shares via the command line, which is otherwise a rare event. Analytic 1 - Network Share Connection Removal |
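The process-creation analytic above (Sysmon Event ID 1 / Security Event ID 4688, net.exe or net1.exe with 'use'/'share' and '/delete', or the Remove-SmbShare / Remove-FileShare cmdlets) expressed as runnable detection logic over constructed sample records. This is an added example, not code from MITRE ATT&CK or Positive Technologies; the event dictionaries, field names and rule names are assumptions made for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample events (not real logs), reduced to the fields the rule needs.
# "EventID" follows Sysmon (1) and the Windows Security Log (4688).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use \\FS01\backup /delete"},
    {"EventID": "4688", "Image": r"C:\Windows\System32\net1.exe",
     "CommandLine": r"net1 share data$ /delete /y"},
    {"EventID": "1", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Remove-SmbShare -Name staging -Force"},
    {"EventID": "1", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use \\FS01\backup /persistent:yes"},   # mapping, not removal
    {"EventID": "1", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user"},                                  # "user" is not "use"
    {"EventID": "7045", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use \\FS01\backup /delete"},           # wrong event type
]

PROCESS_CREATE_IDS = {"1", "4688"}
NET_BINARIES = {"net.exe", "net1.exe"}
POWERSHELL_BINARIES = {"powershell.exe", "pwsh.exe"}

# 'use' or 'share' as a whole word, followed somewhere later by '/delete'.
NET_DELETE = re.compile(r"\b(use|share)\b.*?/delete\b", re.IGNORECASE)
# PowerShell cmdlets named in the MaxPatrol SIEM description.
PS_REMOVE = re.compile(r"\b(Remove-SmbShare|Remove-FileShare)\b", re.IGNORECASE)


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return the matching rule name for one process-creation event, or None."""
    if event.get("EventID") not in PROCESS_CREATE_IDS:
        return None
    exe = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    cmd = event.get("CommandLine", "")
    if exe in NET_BINARIES and NET_DELETE.search(cmd):
        return "net_share_connection_removal"
    if exe in POWERSHELL_BINARIES and PS_REMOVE.search(cmd):
        return "powershell_share_removal"
    return None


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run classify() over a batch and return (command line, rule) hits."""
    hits = []
    for event in events:
        rule = classify(event)
        if rule:
            hits.append((event["CommandLine"], rule))
    return hits
```

The Image check keeps the rule from firing on unrelated binaries whose arguments happen to contain the words, and the word boundary on 'use' avoids matching 'net user'.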