T1070.005 - Network Share Connection Removal

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) connections can be removed when no longer needed. [Net](https://attack.mitre.org/software/S0039) is an example utility that can be used to remove network share connections with the `net use \\system\share /delete` command. (Citation: Technet Net Use)

Atomic Tests


Atomic Test #1 - Add Network Share

Add a Network Share utilizing the command_prompt

Supported Platforms: Windows

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| share_name | Share to add. | string | `\\test\share` |

Attack Commands: Run with command_prompt!

```cmd
net use c: #{share_name}
net share test=#{share_name} /REMARK:"test share" /CACHE:No
```


Atomic Test #2 - Remove Network Share

Removes a Network Share utilizing the command_prompt

Supported Platforms: Windows

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| share_name | Share to remove. | string | `\\test\share` |

Attack Commands: Run with command_prompt!

```cmd
net share #{share_name} /delete
```


Atomic Test #3 - Remove Network Share PowerShell

Removes a Network Share utilizing PowerShell

Supported Platforms: Windows

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| share_name | Share to remove. | string | `\\test\share` |

Attack Commands: Run with powershell!

```powershell
Remove-SmbShare -Name #{share_name}
Remove-FileShare -Name #{share_name}
```
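
Detection sketch for the commands above, added here as an example and not part of the Atomic Red Team file: it scans process-creation command lines for `net use`/`net share` with a delete switch and for the two PowerShell cmdlets. The event records, their field names (`host`, `user`, `command_line`) and the function name `find_share_removals` are assumptions made for this example.

```python
import re

# Command-line patterns for the share-removal commands named on this page.
# The /d and /del spellings are included as shortened forms of /delete.
_NET = r'\bnet1?(?:\.exe)?"?\s+'
_DEL = r'\b.*\s/d(?:el(?:ete)?)?\b'
RULES = [
    ("net use /delete", re.compile(_NET + "use" + _DEL, re.I)),
    ("net share /delete", re.compile(_NET + "share" + _DEL, re.I)),
    ("Remove-SmbShare", re.compile(r"\bRemove-SmbShare\b", re.I)),
    ("Remove-FileShare", re.compile(r"\bRemove-FileShare\b", re.I)),
]

# Constructed process-creation records; hosts, users and shares are made up,
# and the field names are this example's own.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "alice", "command_line": r"net use Z: \\fileserver\data"},
    {"host": "WS01", "user": "alice", "command_line": r"net use \\system\share /delete"},
    {"host": "WS02", "user": "bob",
     "command_line": r'"C:\Windows\System32\net.exe" share test /delete'},
    {"host": "WS02", "user": "bob", "command_line": r"net user tempacct /delete"},
    {"host": "SRV01", "user": "svc",
     "command_line": 'powershell.exe -Command "Remove-SmbShare -Name test -Force"'},
    {"host": "SRV01", "user": "svc", "command_line": r"net1 use * /d /y"},
]


def find_share_removals(events):
    """Return (host, user, rule_name, command_line) for each matching event."""
    hits = []
    for ev in events:
        cmd = ev.get("command_line", "")
        for name, pattern in RULES:
            if pattern.search(cmd):
                hits.append((ev["host"], ev["user"], name, cmd))
                break  # one hit per event is enough for triage
    return hits


if __name__ == "__main__":
    for host, user, rule, cmd in find_share_removals(SAMPLE_EVENTS):
        print(f"{host}\t{user}\t{rule}\t{cmd}")
```

The `net user ... /delete` record is deliberately left unmatched, since account deletion is a different command that happens to share the `net` prefix and the switch.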