T1070.005 Network Share Connection Removal
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and SMB/Windows Admin Shares connections can be removed when no longer needed. Net is an example utility that can be used to remove network share connections with the net use \\system\share /delete command.1
Item | Value |
---|---|
ID | T1070.005 |
Sub-techniques | T1070.001, T1070.002, T1070.003, T1070.004, T1070.005, T1070.006 |
Tactics | TA0005 |
Platforms | Windows |
Permissions required | Administrator, User |
Version | 1.0 |
Created | 31 January 2020 |
Last Modified | 09 February 2021 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0260 | InvisiMole | InvisiMole can disconnect previously connected remote drives.3 |
S0039 | Net | The net use \\system\share /delete command can be used in Net to remove an established connection to a network share.1 |
S0400 | RobbinHood | RobbinHood disconnects all network shares from the computer with the command net use * /DELETE /Y.2 |
G0027 | Threat Group-3390 | Threat Group-3390 has detached network shares after exfiltrating files, likely to evade detection.4 |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0029 | Network Traffic | Network Traffic Content |
DS0009 | Process | Process Creation |
DS0002 | User Account | User Account Authentication |
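
As an added example (not part of the ATT&CK entry), the following applies the Command Execution and Process Creation data components to constructed process-creation records and flags net use invocations that carry /delete. The sample events, the host name fileserver01 and the function name find_share_removals are assumptions, as is matching abbreviated forms of the switch such as /del.

```python
import re

# Matches "net use ... /delete" inside a command line, including when net/net1
# is given by full path or wrapped in another shell (e.g. cmd /c "...").
NET_USE_DELETE = re.compile(
    r"""
    (?:^|[\s"'&|(\\/])net1?(?:\.exe)?["']?        # net or net1, bare or as the tail of a path
    \s+use\b                                      # the 'use' subcommand only (not 'user', 'share')
    (?P<args>[^&|\r\n]*?)                         # target and other switches of the same command
    \s/d(?:e(?:l(?:e(?:te?)?)?)?)?(?=[\s"']|$)    # /delete, or an abbreviation (assumption)
    """,
    re.IGNORECASE | re.VERBOSE,
)

# Constructed (image, command line) records for illustration; not real telemetry.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\net.exe", r"net use \\fileserver01\share$ /delete"),
    (r"C:\Windows\System32\net.exe", "net  USE * /DELETE /Y"),
    (r"C:\Windows\System32\net1.exe", r"C:\Windows\system32\net1 use Z: /del"),
    (r"C:\Windows\System32\net.exe", r"net use Z: \\fileserver01\share$ /persistent:no"),
    (r"C:\Windows\System32\net.exe", "net share scratch /delete"),
    (r"C:\Windows\System32\cmd.exe", 'cmd /c "net use * /delete /y"'),
]


def find_share_removals(events):
    """Return one finding per command line that removes a share connection."""
    findings = []
    for image, cmdline in events:
        match = NET_USE_DELETE.search(cmdline)
        if not match:
            continue
        tokens = match.group("args").split()
        target = tokens[0] if tokens else "(unspecified)"
        findings.append({
            "image": image,
            "target": target,
            # "*" disconnects every share at once, as in the RobbinHood example.
            "all_shares": target == "*",
            "cmdline": cmdline,
        })
    return findings


if __name__ == "__main__":
    for finding in find_share_removals(SAMPLE_EVENTS):
        level = "HIGH" if finding["all_shares"] else "INFO"
        print(f"[{level}] {finding['image']}: {finding['cmdline']}")
```

Share disconnection is also routine administrative behaviour, so the findings are most useful when correlated with the preceding connection and the account that authenticated to the share.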
References
- Lee, S. (2019, May 17). CB TAU Threat Intelligence Notification: RobbinHood Ransomware Stops 181 Windows Services Before Encryption. Retrieved July 29, 2019.
- Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
- Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.