Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) connections can be removed when no longer needed. [Net](https://attack.mitre.org/software/S0039) is an example utility that can be used to remove network share connections with the net use \\system\share /delete
command. (Citation: Technet Net Use)
Add a Network Share utilizing the command_prompt
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
share_name | Share to add. | string | \\test\share |
net use c: #{share_name}
net share test=#{share_name} /REMARK:"test share" /CACHE:No
Removes a Network Share utilizing the command_prompt
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
share_name | Share to remove. | string | \\test\share |
net share #{share_name} /delete
Removes a Network Share utilizing PowerShell
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
share_name | Share to remove. | string | \\test\share |
Remove-SmbShare -Name #{share_name}
Remove-FileShare -Name #{share_name}