Find sigma rule
Attack: Indicator Removal on Host: Network Share Connection Removal
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and SMB/Windows Admin Shares connections can be removed when no longer needed. Net is an example utility that can be used to remove network share connections with the net use \\system\share /delete
command. (Citation: Technet Net Use)
MITRE
Tactic
- defense-evasion
technique
- T1070.005
Test : Remove Network Share PowerShell
OS
- windows
Description:
Removes a Network Share utilizing PowerShell
Executor
powershell
Sigma Rule
-
posh_ps_susp_mounted_share_deletion.yml (id: 66a4d409-451b-4151-94f4-a55d559c49b0)
-
posh_ps_susp_smb_share_reco.yml (id: 95f0643a-ed40-467c-806b-aac9542ec5ab)
-
posh_pm_susp_smb_share_reco.yml (id: 6942bd25-5970-40ab-af49-944247103358)