Find sigma rule

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and SMB/Windows Admin Shares connections can be removed when no longer needed. Net is an example utility that can be used to remove network share connections with the net use \\system\share /delete command. (Citation: Technet Net Use)

MITRE

Tactic

defense-evasion

technique

T1070.005

OS

windows

Description:

Removes a Network Share utilizing the command_prompt

Executor

command_prompt

Sigma Rule

proc_creation_win_net_execution.yml (id: 183e7ea8-ac4b-4c23-9aec-b3dac4e401ac)
proc_creation_win_net_share_unmount.yml (id: cb7c4a03-2871-43c0-9bbb-18bbdb079896)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test

MITRE

Tactic

technique

OS

Description:

Executor

Sigma Rule

Attack: Indicator Removal on Host: Network Share Connection Removal

MITRE

Tactic

technique

Test : Remove Network Share

OS

Description:

Executor

Sigma Rule