PowerShell Deleted Mounted Share

Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

Sigma rule

title: PowerShell Deleted Mounted Share
id: 66a4d409-451b-4151-94f4-a55d559c49b0
status: test
description: Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md
author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
date: 2020/10/08
modified: 2022/12/25
tags:
    - attack.defense_evasion
    - attack.t1070.005
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'Remove-SmbShare'
            - 'Remove-FileShare'
    condition: selection
falsepositives:
    - Administrators or Power users may remove their shares via cmd line
level: medium
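The selection above is a single `ScriptBlockText|contains` list, so the rule fires whenever a logged script block contains either cmdlet name, matched case-insensitively (Sigma's default for string comparison) and OR-ed across the list. The following evaluator is an added example, not code from the Sigma project or the rule's authors: it encodes that selection as a Python dict and runs it over a handful of constructed Event ID 4104 records (not real telemetry) so the match semantics, including a benign `Get-SmbShare` that must not fire, can be checked offline.

```python
"""Evaluate the 'PowerShell Deleted Mounted Share' Sigma selection against
PowerShell Script Block Logging events (Event ID 4104).

Added example, not part of the Sigma project. The event records below are
constructed for illustration, and the evaluator implements only the
`contains` modifier (plus plain equality) that this rule needs."""

# Selection taken verbatim from the rule on this page.
RULE_SELECTION = {
    "ScriptBlockText|contains": ["Remove-SmbShare", "Remove-FileShare"],
}

# Constructed sample 4104 events (hypothetical hosts, not real data). Field
# names follow what Sigma's windows/ps_script log source exposes.
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "WS01",
     "ScriptBlockText": "Remove-SmbShare -Name 'Tools' -Force"},
    {"EventID": 4104, "Computer": "WS02",
     "ScriptBlockText": "remove-fileshare -Name Backup -Confirm:$false"},
    {"EventID": 4104, "Computer": "WS03",
     "ScriptBlockText": "Get-SmbShare | Where-Object Name -ne 'ADMIN$'"},
    {"EventID": 4104, "Computer": "WS04",
     "ScriptBlockText": "New-SmbShare -Name Share -Path C:\\Share"},
]


def field_matches(event, field_spec, patterns):
    """Apply one 'Field|modifier: [values]' entry to a single event."""
    field, _, modifier = field_spec.partition("|")
    value = event.get(field)
    if value is None:
        # A missing field never satisfies a selection entry.
        return False
    value_lc = str(value).lower()
    if modifier == "contains":
        # Sigma string matching is case-insensitive; list values are OR-ed.
        return any(str(p).lower() in value_lc for p in patterns)
    if modifier == "":
        return any(str(p).lower() == value_lc for p in patterns)
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event, selection):
    """All entries inside one selection map are AND-ed together."""
    return all(
        field_matches(event, spec, pats if isinstance(pats, list) else [pats])
        for spec, pats in selection.items()
    )


def evaluate(events, selection=RULE_SELECTION):
    """Return the ScriptBlockText of every event the rule would alert on.

    The rule's condition is just `selection`, so no further logic applies."""
    return [e["ScriptBlockText"] for e in events if selection_matches(e, selection)]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Running it alerts on the first two records and stays silent on the `Get-SmbShare` and `New-SmbShare` blocks. Because the match is a bare substring test, any script block that merely contains the cmdlet name (for example an administrator's cleanup script, as the rule's false-positive entry notes) will also fire, which is why the rule is rated medium rather than high.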
