
DET0103 Behavioral Detection of Network Share Connection Removal via CLI and SMB Disconnects

Item           Value
ID             DET0103
Version        1.0
Created        21 October 2025
Last Modified  21 October 2025

Technique Detected: T1070.005 (Network Share Connection Removal)

Analytics

Windows

AN0286

Detects network share disconnection attempts made with command-line tools such as net use /delete and PowerShell Remove-SmbMapping, and correlates them with process lineage and SMB session teardown activity.

Log Sources

Data Component                    Name                    Channel
Logon Session Creation (DC0067)   WinEventLog:Security    EventCode=4624, 4648
Process Creation (DC0032)         WinEventLog:Sysmon      EventCode=1
Command Execution (DC0064)        WinEventLog:PowerShell  EventCode=4103, 4104, 4105, 4106
Network Traffic Content (DC0085)  NSM:Flow                SMB2_LOGOFF/SMB_TREE_DISCONNECT

Mutable Elements

Field                    Description
TimeWindow               Adjustable window to correlate the CLI disconnection command with SMB session teardown (e.g., 5 mins)
UserContext              Used to filter on non-interactive users or highly privileged accounts
ProcessCommandLineRegex  Patterns to match net use \\host\share /delete, Remove-SmbMapping, or suspicious batched disconnections
NetworkShareNamePattern  Tunable list of shares likely to be targeted (e.g., ADMIN$, C$, IPC$)
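The following is an added example, not part of the ATT&CK detection strategy page: Python detection logic that applies the analytic's mutable elements (TimeWindow, ProcessCommandLineRegex, NetworkShareNamePattern) to constructed Sysmon EventCode=1 and NSM:Flow records. The flat dict schema (ts, host, src, cmd, ParentImage, CommandLine) and the sample hosts, users and timestamps are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Tunable elements mirroring the analytic's mutable fields; the values are assumptions.
TIME_WINDOW = timedelta(minutes=5)
CMDLINE_RE = re.compile(r"\bnet1?(?:\.exe)?\s+use\b.*?/del(?:ete)?\b|\bremove-smbmapping\b", re.I)
SHARE_RE = re.compile(r"\\\\[^\\\s]+\\([^\s]+)")          # captures the share name in \\host\share
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}                  # NetworkShareNamePattern
TEARDOWN = {"SMB_TREE_DISCONNECT", "SMB2_LOGOFF"}         # NSM:Flow teardown markers

def correlate_share_removals(process_events, flow_events, window=TIME_WINDOW):
    """Flag Sysmon EventCode=1 records whose command line removes a share mapping,
    and note whether an SMB teardown from the same host follows within the window."""
    alerts = []
    for ev in process_events:
        if ev["EventCode"] != 1 or not CMDLINE_RE.search(ev["CommandLine"]):
            continue
        t0 = datetime.fromisoformat(ev["ts"])
        m = SHARE_RE.search(ev["CommandLine"])
        share = m.group(1) if m else None          # None for "net use * /delete"
        teardown_seen = any(
            f["src"] == ev["host"] and f["cmd"] in TEARDOWN
            and t0 <= datetime.fromisoformat(f["ts"]) <= t0 + window
            for f in flow_events
        )
        alerts.append({
            "host": ev["host"], "user": ev["user"], "parent": ev["ParentImage"],
            "cmdline": ev["CommandLine"], "share": share,
            "admin_share": share is not None and share.upper() in ADMIN_SHARES,
            "smb_teardown_seen": teardown_seen,
        })
    return alerts
# Constructed sample telemetry (hypothetical hosts, users and times), normalised to dicts.
PROCESS_EVENTS = [
    {"ts": "2025-10-21T10:00:00", "host": "WS01", "user": r"CORP\svc_backup", "EventCode": 1,
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": r"net use \\FS01\C$ /delete"},
    {"ts": "2025-10-21T10:00:03", "host": "WS01", "user": r"CORP\svc_backup", "EventCode": 1,
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": r"net use \\FS01\data"},
    {"ts": "2025-10-21T11:30:00", "host": "WS02", "user": r"CORP\alice", "EventCode": 1,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -c Remove-SmbMapping -RemotePath \\FS01\data -Force"},
]
FLOW_EVENTS = [
    {"ts": "2025-10-21T10:00:12", "src": "WS01", "dst": "FS01", "cmd": "SMB_TREE_DISCONNECT"},
    {"ts": "2025-10-21T11:45:00", "src": "WS02", "dst": "FS01", "cmd": "SMB2_LOGOFF"},
]

if __name__ == "__main__":
    for a in correlate_share_removals(PROCESS_EVENTS, FLOW_EVENTS):
        print(a)
```

The benign mapping command (no /delete) produces no alert; the admin-share removal that is followed by a tree disconnect inside the window is the case worth escalating, while the Remove-SmbMapping alert carries the parent process so UserContext and lineage filtering can be applied downstream.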