# T1070.005 - Network Share Connection Removal

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and SMB/Windows Admin Shares connections can be removed when no longer needed. Net is an example utility that can be used to remove network share connections with the `net use \\system\share /delete` command. (Citation: Technet Net Use)

## Atomic Tests

## Atomic Test #1 - Add Network Share

Add a Network Share utilizing the command_prompt

Supported Platforms: windows

#### Attack Commands: Run with command_prompt

```cmd
net use c: \\test\share
net share test=\\test\share /REMARK:"test share" /CACHE:No
```

```powershell
Invoke-AtomicTest T1070.005 -TestNumbers 1
```

## Atomic Test #2 - Remove Network Share

Removes a Network Share utilizing the command_prompt

Supported Platforms: windows

#### Attack Commands: Run with command_prompt

```cmd
net share \\test\share /delete
```

```powershell
Invoke-AtomicTest T1070.005 -TestNumbers 2
```

## Atomic Test #3 - Remove Network Share PowerShell

Removes a Network Share utilizing PowerShell

Supported Platforms: windows

#### Attack Commands: Run with powershell

```powershell
Remove-SmbShare -Name \\test\share
Remove-FileShare -Name \\test\share
```

```powershell
Invoke-AtomicTest T1070.005 -TestNumbers 3
```

## Atomic Test #4 - Disable Administrative Share Creation at Startup

Administrative shares are hidden network shares created by Microsoft’s Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system. These shares are automatically created at startup unless they have been purposefully disabled, as is done in this Atomic test. As Microsoft puts it, “Missing administrative shares typically indicate that the computer in question has been compromised by malicious software.” https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/

Supported Platforms: windows

Elevation Required (e.g. root or admin)

#### Attack Commands: Run with command_prompt

```cmd
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /t REG_DWORD /d 0 /f
```

```powershell
Invoke-AtomicTest T1070.005 -TestNumbers 4
```

#### Cleanup:

```cmd
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer /f
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /f
```

```powershell
Invoke-AtomicTest T1070.005 -TestNumbers 4 -Cleanup
```

## Atomic Test #5 - Remove Administrative Shares

Administrative shares are hidden network shares created by Microsoft’s Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system. As Microsoft puts it, “Missing administrative shares typically indicate that the computer in question has been compromised by malicious software.” https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/

Supported Platforms: windows

Elevation Required (e.g. root or admin)

#### Attack Commands: Run with command_prompt

```cmd
for %i in (C$ IPC$ ADMIN$) do net share %i /delete
```

```powershell
Invoke-AtomicTest T1070.005 -TestNumbers 5
```

#### Cleanup:

```cmd
net share ADMIN$ /UNLIMITED >nul 2>&1
net share C$=C:\ >nul 2>&1
net share IPC$ >nul 2>&1
```

```powershell
Invoke-AtomicTest T1070.005 -TestNumbers 5 -Cleanup
```

## Detection

Network share connections may be common depending on how a network environment is used. Monitor command-line invocation of net use commands associated with establishing and removing remote shares over SMB, including following best practices for detection of Windows Admin Shares. SMB traffic between systems may also be captured and decoded to look for related network share session and file transfer activity. Windows authentication logs are also useful in determining when authenticated network shares are established and by which account, and can be used to correlate network share activity to other events to investigate potentially malicious activity.
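As an added example (not part of the Atomic Red Team page or its tests), the command-line monitoring described above applied to constructed Windows Security 4688 process-creation records: it flags the `net share`/`net use ... /delete`, `Remove-SmbShare`/`Remove-FileShare` and `AutoShareServer`/`AutoShareWks` patterns that Tests #2 to #5 exercise, and raises severity when an administrative share is named. The record field names, rule names and sample command lines are assumptions.

```python
import re

# Each rule maps to one behaviour exercised by the Atomic tests above.
RULES = [
    ("share_removed_cmd",                       # Tests #2 and #5: net share|use <x> /delete
     re.compile(r"\bnet(?:1)?(?:\.exe)?\s+(?:share|use)\s+\S+\s+/del(?:ete)?\b", re.I)),
    ("share_removed_ps",                        # Test #3: PowerShell share removal cmdlets
     re.compile(r"\bRemove-(?:Smb|File)Share\b", re.I)),
    ("autoshare_disabled",                      # Test #4: AutoShare* set to 0 under LanmanServer
     re.compile(r"\breg(?:\.exe)?\s+add\b.*LanmanServer\\Parameters.*\s/v\s+"
                r"AutoShare(?:Server|Wks)\b.*\s/d\s+0+\b", re.I)),
]
# Default administrative shares (drive$, ADMIN$, IPC$) named on the command line.
ADMIN_SHARES = re.compile(r"\b(?:[A-Z]\$|ADMIN\$|IPC\$)", re.I)

# Constructed 4688-style records, not real telemetry. The CommandLine field is only
# populated when the "Include command line in process creation events" policy is on.
SAMPLE_EVENTS = [
    {"EventID": 4688, "SubjectUserName": "alice", "CommandLine": r"net share \\test\share /delete"},
    {"EventID": 4688, "SubjectUserName": "alice",
     "CommandLine": r'cmd.exe /c "for %i in (C$ IPC$ ADMIN$) do net share %i /delete"'},
    {"EventID": 4688, "SubjectUserName": "svc_backup",
     "CommandLine": r"powershell.exe Remove-SmbShare -Name Backups -Force"},
    {"EventID": 4688, "SubjectUserName": "alice",
     "CommandLine": r'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /t REG_DWORD /d 0 /f'},
    {"EventID": 4688, "SubjectUserName": "bob", "CommandLine": r"net use Z: \\fileserver\projects"},
    {"EventID": 4624, "SubjectUserName": "bob", "CommandLine": ""},  # logon event, ignored
]


def analyze(events):
    """Return one finding per matching process-creation record, in log order."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        cmd = ev.get("CommandLine", "")
        for rule, pattern in RULES:
            if pattern.search(cmd):
                # Touching the default admin shares, or turning their creation off,
                # is the stronger signal; removal of an ordinary share is medium.
                high = rule == "autoshare_disabled" or ADMIN_SHARES.search(cmd) is not None
                findings.append({"rule": rule, "severity": "high" if high else "medium",
                                 "user": ev.get("SubjectUserName"), "cmd": cmd})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['rule']:20} {f['user']}: {f['cmd']}")
```

Correlating each finding's user with the authentication events the paragraph mentions (who established the session, from where) turns a single command-line hit into an investigable timeline.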