Skip to content

Latest commit

 

History

History
92 lines (49 loc) · 2.14 KB

T1126.md

File metadata and controls

92 lines (49 loc) · 2.14 KB

T1126 - Network Share Connection Removal

Windows shared drive and [Windows Admin Shares](https://attack.mitre.org/techniques/T1077) connections can be removed when no longer needed. [Net](https://attack.mitre.org/software/S0039) is an example utility that can be used to remove network share connections with the net use \\system\share /delete command. (Citation: Technet Net Use)

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

Atomic Tests


Atomic Test #1 - Add Network Share

Add a Network Share utilizing the command_prompt

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
share_name Share to add. string \test\share

Attack Commands: Run with command_prompt!

net use c: #{share_name}
net share test=#{share_name} /REMARK:"test share" /CACHE:No


Atomic Test #2 - Remove Network Share

Removes a Network Share utilizing the command_prompt

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
share_name Share to remove. string \test\share

Attack Commands: Run with command_prompt!

net share #{share_name} /delete


Atomic Test #3 - Remove Network Share PowerShell

Removes a Network Share utilizing PowerShell

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
share_name Share to remove. string \test\share

Attack Commands: Run with powershell!

Remove-SmbShare -Name #{share_name}
Remove-FileShare -Name #{share_name}