T1070.005 Network Share Connection Removal
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and SMB/Windows Admin Shares connections can be removed when no longer needed. Net is an example utility that can be used to remove network share connections with the net use \system\share /delete command. 1
| Item | Value |
|---|---|
| ID | T1070.005 |
| Sub-techniques | T1070.001, T1070.002, T1070.003, T1070.004, T1070.005, T1070.006 |
| Tactics | TA0005 |
| Platforms | Windows |
| Permissions required | Administrator, User |
| Version | 1.0 |
| Created | 31 January 2020 |
| Last Modified | 09 February 2021 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0260 | InvisiMole | |
| InvisiMole can disconnect previously connected remote drives.3 | ||
| S0039 | Net | The net use \system\share /delete command can be used in Net to remove an established connection to a network share.1 |
| S0400 | RobbinHood | RobbinHood disconnects all network shares from the computer with the command net use * /DELETE /Y.2 |
| G0027 | Threat Group-3390 | Threat Group-3390 has detached network shares after exfiltrating files, likely to evade detection.4 |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0029 | Network Traffic | Network Traffic Content |
| DS0009 | Process | Process Creation |
| DS0002 | User Account | User Account Authentication |
References
-
Lee, S. (2019, May 17). CB TAU Threat Intelligence Notification: RobbinHood Ransomware Stops 181 Windows Services Before Encryption. Retrieved July 29, 2019. ↩
-
Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018. ↩
-
Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017. ↩