PowerShell Deleted Mounted Share
Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
Sigma rule
title: PowerShell Deleted Mounted Share
id: 66a4d409-451b-4151-94f4-a55d559c49b0
status: test
description: Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
references:
  - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md
author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
date: 2020-10-08
modified: 2025-10-07
tags:
  - attack.defense-evasion
  - attack.t1070.005
logsource:
  product: windows
  category: ps_script
  definition: 'Requirements: Script Block Logging must be enabled'
detection:
  selection:
    ScriptBlockText|contains:
      - 'Remove-SmbShare'
      - 'Remove-FileShare'
  filter_main_module_load:
    ScriptBlockText|contains|all:
      - 'FileShare.cdxml'
      - 'Microsoft.PowerShell.Core\Export-ModuleMember'
      - 'ROOT/Microsoft/Windows/Storage/MSFT_FileShare'
      - 'ObjectModelWrapper'
      - 'Cmdletization.MethodParameter'
  condition: selection and not 1 of filter_main_*
falsepositives:
  - Administrators or power users may remove their shares via the command line
level: medium
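The rule's logic is a substring selection (either cmdlet name) minus a `contains|all` filter that drops the script block PowerShell emits when the Storage module's FileShare.cdxml wrapper is loaded, since that wrapper text itself contains the cmdlet names. The following Python is an added example, not part of the Sigma rule or the SigmaHQ project: it implements the same selection and filter semantics (case-insensitive `contains`, OR across the selection list, AND across the `|all` list) and evaluates them over constructed ScriptBlockText samples. The sample script blocks, including the abbreviated module-load text, are constructed for illustration, not captured telemetry.

```python
# Added example (not SigmaHQ's code): evaluates the rule's detection logic
# against constructed PowerShell Script Block Logging (Event ID 4104) text.

# Strings from the rule's `selection` block (ScriptBlockText|contains).
SELECTION = ("Remove-SmbShare", "Remove-FileShare")

# Strings from `filter_main_module_load` (ScriptBlockText|contains|all):
# every one must be present for the block to be treated as a module load.
FILTER_MODULE_LOAD = (
    "FileShare.cdxml",
    "Microsoft.PowerShell.Core\\Export-ModuleMember",
    "ROOT/Microsoft/Windows/Storage/MSFT_FileShare",
    "ObjectModelWrapper",
    "Cmdletization.MethodParameter",
)


def matches_selection(script_block: str) -> bool:
    """Sigma `contains` over a list is an OR; string matching is case-insensitive."""
    text = script_block.lower()
    return any(s.lower() in text for s in SELECTION)


def matches_module_load_filter(script_block: str) -> bool:
    """`contains|all` requires every listed substring to be present."""
    text = script_block.lower()
    return all(s.lower() in text for s in FILTER_MODULE_LOAD)


def rule_fires(script_block: str) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return matches_selection(script_block) and not matches_module_load_filter(script_block)


# Constructed sample script blocks (not real telemetry).
SAMPLE_EVENTS = {
    "interactive_remove_smbshare": "Remove-SmbShare -Name 'ProjectData' -Force",
    "interactive_remove_fileshare": "Remove-FileShare -Name 'Backup' -Confirm:$false",
    "lowercase_variant": "remove-smbshare -name 'Scratch'",
    # Abbreviated stand-in for the auto-generated FileShare.cdxml module text:
    # it mentions Remove-FileShare, so the selection alone would alert on it.
    "module_autoload": (
        "# FileShare.cdxml generated wrapper (constructed sample)\n"
        "# ROOT/Microsoft/Windows/Storage/MSFT_FileShare\n"
        "$script:ObjectModelWrapper = $null\n"
        "$p = [Microsoft.PowerShell.Cmdletization.MethodParameter]\n"
        "function Remove-FileShare { param($Name) }\n"
        "Microsoft.PowerShell.Core\\Export-ModuleMember -Function Remove-FileShare\n"
    ),
    "unrelated_share_query": "Get-SmbShare | Format-Table Name, Path",
}


def evaluate(events: dict) -> dict:
    """Return {label: fired} for every sample script block."""
    return {label: rule_fires(text) for label, text in events.items()}


if __name__ == "__main__":
    for label, fired in evaluate(SAMPLE_EVENTS).items():
        print(f"{'ALERT ' if fired else 'ignore'}  {label}")
```

Running it shows the two interactive removals and the lower-case variant alerting, while the module-load block is suppressed even though `matches_selection` is true for it, which is the false-positive case the `filter_main_module_load` block exists to handle. If a real module-load block lacked any one of the five filter strings, the `|all` semantics would let it alert, so filter strings should be checked against actual 4104 events from the environment before tuning.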
References
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md
Related rules
- MaxMpxCt Registry Value Changed
- Disable Administrative Share Creation at Startup
- Unmount Share Via Net.EXE
- Amsi.DLL Loaded Via LOLBIN Process
- Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE