Detect Network Share Connection Removal with this Free Splunk Rule
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and SMB/Windows Admin Shares connections can be removed when no longer needed. Net is an example utility that can be used to remove network share connections with the net use \\system\share /delete command.
Tactic: Defense Evasion
Data Sources: Command: Command Execution, Network Traffic: Network Traffic Content, Process: Process Creation, User Account: User Account Authentication
Defense Bypassed: Host forensic analysis
InvisiMole: InvisiMole can disconnect previously connected remote drives.
Net: the net use \\system\share /delete command can be used in Net to remove an established connection to a network share.
RobbinHood: RobbinHood disconnects all network shares from the computer with the command net use * /DELETE /Y.
Threat Group-3390: Threat Group-3390 has detached network shares after exfiltrating files, likely to evade detection.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
Network share connections may be common depending on how a network environment is used. Monitor command-line invocation of net use commands associated with establishing and removing remote shares over SMB, including following best practices for detection of Windows Admin Shares. SMB traffic between systems may also be captured and decoded to look for related network share sessions and file transfer activities. Windows authentication logs are also useful in determining when authenticated network shares are established and by which account, and can be used to correlate network share activity to other events to investigate the potentially malicious activity.
Free Splunk detection rule for network share connection removal:
(index=windows source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 Image="*\\net.exe" CommandLine IN ("*net use*", "*net share*") CommandLine="*/delete*")
OR
(index=windows SourceName="Microsoft-Windows-PowerShell" Message IN ("*Remove-SmbShare*", "*Remove-FileShare*"))
The first clause catches net.exe removing a share connection (including net use * /DELETE /Y); the second clause covers deleting a share with PowerShell (Remove-SmbShare or Remove-FileShare). Note that OR binds tighter than the implied AND in Splunk search, so the parentheses around each clause are required.
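As an added example (not part of the original post and not the Splunk rule itself), the same two-clause logic in Python, run over constructed Sysmon process-creation and PowerShell events so the matching can be checked offline and correlated back to the account that ran the command, as the detection guidance above recommends. The event field names, the account names and the sample command lines are assumptions, and net1.exe (which net.exe spawns for most subcommands) is included beyond what the rule above lists.

```python
import ntpath
import re

# Constructed sample events (not real telemetry), reduced to the fields the
# rule uses: Sysmon EventID 1 process creations and PowerShell messages.
SAMPLE_EVENTS = [
    {"source": "sysmon", "event_code": 1, "image": r"C:\Windows\System32\net.exe",
     "command_line": r"net use \\fileserver\share /delete", "user": r"CORP\alice"},
    {"source": "sysmon", "event_code": 1, "image": r"C:\Windows\System32\net1.exe",
     "command_line": "net use * /DELETE /Y", "user": r"CORP\svc-backup"},
    {"source": "sysmon", "event_code": 1, "image": r"C:\Windows\System32\net.exe",
     "command_line": r"net use Z: \\fileserver\share", "user": r"CORP\alice"},
    {"source": "powershell", "message": "Remove-SmbShare -Name Data -Force", "user": r"CORP\bob"},
    {"source": "powershell", "message": "Get-SmbShare", "user": r"CORP\bob"},
    {"source": "sysmon", "event_code": 1, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd /c echo /delete", "user": r"CORP\alice"},
]

# "net use ... /delete" or "net share ... /delete", case-insensitive like Splunk.
NET_DELETE = re.compile(r"\bnet1?(\.exe)?\s+(use|share)\b.*\s/delete\b", re.IGNORECASE)
# PowerShell cmdlets that remove a share.
PS_REMOVE = re.compile(r"\bRemove-(SmbShare|FileShare)\b", re.IGNORECASE)
NET_IMAGES = {"net.exe", "net1.exe"}


def matches(event) -> bool:
    """True if the event satisfies either clause of the detection rule."""
    if event["source"] == "sysmon":
        return (event["event_code"] == 1
                and ntpath.basename(event["image"]).lower() in NET_IMAGES
                and NET_DELETE.search(event["command_line"]) is not None)
    if event["source"] == "powershell":
        return PS_REMOVE.search(event["message"]) is not None
    return False


def detect(events):
    """Return (user, evidence) pairs so hits can be correlated to the account
    that established the share in the Windows authentication logs."""
    hits = []
    for e in events:
        if matches(e):
            hits.append((e["user"], e.get("command_line") or e.get("message")))
    return hits
```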