Unmount Share Via Net.EXE
Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
Sigma rule
```yaml
title: Unmount Share Via Net.EXE
id: cb7c4a03-2871-43c0-9bbb-18bbdb079896
status: test
description: Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md
author: oscd.community, @redcanary, Zach Stanford @svch0st
date: 2020/10/08
modified: 2023/02/21
tags:
    - attack.defense_evasion
    - attack.t1070.005
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'share'
            - '/delete'
    condition: all of selection*
falsepositives:
    - Administrators or Power users may remove their shares via cmd line
level: low
```
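To see how the two selections combine, here is an added example (not code from the Sigma project) that evaluates the rule's logic in plain Python over constructed process-creation events; it assumes events are dictionaries keyed by the Sigma field names and that string matching is case-insensitive, as Sigma's default modifiers are.

```python
from typing import Dict, List

# Field values from the rule's selections. Sigma string matching is
# case-insensitive by default, so everything is compared in lowercase.
IMAGE_SUFFIXES = ("\\net.exe", "\\net1.exe")
ORIGINAL_NAMES = ("net.exe", "net1.exe")
CLI_TOKENS = ("share", "/delete")


def matches_rule(event: Dict[str, str]) -> bool:
    """Evaluate 'condition: all of selection*' for one process_creation event.

    selection_img: Image ends with \\net.exe or \\net1.exe, OR
                   OriginalFileName is net.exe or net1.exe (the PE metadata
                   name, so a renamed copy still satisfies the selection).
    selection_cli: CommandLine contains both 'share' and '/delete'.
    """
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cli = event.get("CommandLine", "").lower()
    img_hit = image.endswith(IMAGE_SUFFIXES) or original in ORIGINAL_NAMES
    cli_hit = all(token in cli for token in CLI_TOKENS)
    return img_hit and cli_hit


def alerting_command_lines(events: List[Dict[str, str]]) -> List[str]:
    """Return the CommandLine of every event the rule would fire on."""
    return [e["CommandLine"] for e in events if matches_rule(e)]


# Constructed sample events (hypothetical paths), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\net.exe", "OriginalFileName": "net.exe",
     "CommandLine": r"net share tools /delete"},               # fires
    {"Image": r"C:\Windows\System32\net1.exe", "OriginalFileName": "net1.exe",
     "CommandLine": r"NET SHARE backup /DELETE /Y"},            # fires (case-insensitive)
    {"Image": r"C:\Users\Public\n.exe", "OriginalFileName": "net.exe",
     "CommandLine": r"n.exe share data /delete"},                # fires via OriginalFileName
    {"Image": r"C:\Windows\System32\net.exe", "OriginalFileName": "net.exe",
     "CommandLine": r"net share"},                               # listing only: no alert
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"powershell Remove-SmbShare -Name data"},   # outside this rule's scope
]

if __name__ == "__main__":
    for line in alerting_command_lines(SAMPLE_EVENTS):
        print("ALERT:", line)
```

The last sample shows the gap the rule's low level and narrow logsource imply: share removal through PowerShell cmdlets is not covered here and needs its own rule.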