Find sigma rule 
Attack: Indicator Removal on Host: Network Share Connection Removal
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and SMB/Windows Admin Shares connections can be removed when no longer needed. Net is an example utility that can be used to remove network share connections with the net use \\system\share /delete command. (Citation: Technet Net Use)
MITRE
Tactic
- defense-evasion
technique
- T1070.005
Test : Disable Administrative Share Creation at Startup
OS
- windows
Description:
Administrative shares are hidden network shares created by Microsoft’s Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system. These shares are automatically created at started unless they have been purposefully disabled as is done in this Atomic test. As Microsoft puts it, “Missing administrative shares typically indicate that the computer in question has been compromised by malicious software.” https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/
Executor
command_prompt
Sigma Rule
- registry_set_disable_administrative_share.yml (id: c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e)