Unmount Share Via Net.EXE

Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

Sigma rule

title: Unmount Share Via Net.EXE
id: cb7c4a03-2871-43c0-9bbb-18bbdb079896
status: test
description: Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md
author: oscd.community, @redcanary, Zach Stanford @svch0st
date: 2020/10/08
modified: 2023/02/21
tags:
    - attack.defense_evasion
    - attack.t1070.005
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'share'
            - '/delete'
    condition: all of selection*
falsepositives:
    - Administrators or Power users may remove their shares via cmd line
level: low
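The matching logic of the rule above, as an added Python example written for this page (not part of the Sigma project or this rule), applied to constructed process-creation events. It assumes Sigma's default case-insensitive string matching and that OriginalFileName is filled from the PE version resource, as Sysmon does.

```python
# Sigma's endswith/contains modifiers match case-insensitively by default,
# so every comparison below lowercases both sides.
IMAGE_SUFFIXES = ("\\net.exe", "\\net1.exe")
ORIGINAL_FILE_NAMES = ("net.exe", "net1.exe")
CLI_TOKENS = ("share", "/delete")


def selection_img(event: dict) -> bool:
    """selection_img is a list of two maps, so they are OR-ed: either the
    Image suffix or the OriginalFileName value is enough."""
    image = event.get("Image", "").lower()
    ofn = event.get("OriginalFileName", "").lower()
    return image.endswith(IMAGE_SUFFIXES) or ofn in ORIGINAL_FILE_NAMES


def selection_cli(event: dict) -> bool:
    """CommandLine|contains|all: every token must be present."""
    cmd = event.get("CommandLine", "").lower()
    return all(tok in cmd for tok in CLI_TOKENS)


def matches(event: dict) -> bool:
    """condition: all of selection* -> both selections must hold."""
    return selection_img(event) and selection_cli(event)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\net.exe",
     "OriginalFileName": "net.exe",
     "CommandLine": "net share Data /delete"},
    # Renamed binary: Image no longer matches, but OriginalFileName from
    # the PE version resource still does, which is why the rule checks both.
    {"Image": "C:\\Users\\Public\\n.exe",
     "OriginalFileName": "net1.exe",
     "CommandLine": "n.exe SHARE Data /DELETE"},
    # Benign: only lists shares, no /delete switch.
    {"Image": "C:\\Windows\\System32\\net.exe",
     "OriginalFileName": "net.exe",
     "CommandLine": "net share"},
    # Drops a mapped drive, not a share: no 'share' token, so out of scope.
    {"Image": "C:\\Windows\\System32\\net.exe",
     "OriginalFileName": "net.exe",
     "CommandLine": "net use Z: /delete"},
]


def run(events=SAMPLE_EVENTS) -> list:
    """Return the CommandLine of each event the rule would fire on."""
    return [e["CommandLine"] for e in events if matches(e)]
```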
