Skip to content

Latest commit

 

History

History
83 lines (55 loc) · 2.99 KB

T1126.md

File metadata and controls

83 lines (55 loc) · 2.99 KB

T1126 - Network Share Connection Removal

Description from ATT&CK

Windows shared drive and Windows Admin Shares connections can be removed when no longer needed. Net is an example utility that can be used to remove network share connections with the net use \\system\share /delete command. (Citation: Technet Net Use)

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

Detection: Network share connections may be common depending on how an network environment is used. Monitor command-line invocation of net use commands associated with establishing and removing remote shares over SMB, including following best practices for detection of Windows Admin Shares. SMB traffic between systems may also be captured and decoded to look for related network share session and file transfer activity. Windows authentication logs are also useful in determining when authenticated network shares are established and by which account, and can be used to correlate network share activity to other events to investigate potentially malicious activity.

Platforms: Windows

Data Sources: Process monitoring, Process command-line parameters, Packet capture, Authentication logs

Defense Bypassed: Host forensic analysis

Permissions Required: User, Administrator

System Requirements: Established network share connection to a remote system. Level of access depends on permissions of the account used.

Atomic Tests


Atomic Test #1 - Add Network Share

Add a Network Share utilizing the command_prompt

Supported Platforms: Windows

Inputs

Name Description Type Default Value
share_name Share to add. string \test\share

Run it with command_prompt!

net use c: #{share_name}
net share test=#{share_name} /REMARK:"test share" /CACHE:No


Atomic Test #2 - Remove Network Share

Removes a Network Share utilizing the command_prompt

Supported Platforms: Windows

Inputs

Name Description Type Default Value
share_name Share to remove. string \test\share

Run it with command_prompt!

net share #{share_name} /delete


Atomic Test #3 - Remove Network Share PowerShell

Removes a Network Share utilizing PowerShell

Supported Platforms: Windows

Inputs

Name Description Type Default Value
share_name Share to remove. string \test\share

Run it with powershell!

Remove-SmbShare -Name #{share_name}
Remove-FileShare -Name #{share_name}