CAR-2020-11-007: Network Share Connection Removal
Adversaries may use network shares to exfliltrate date; they will then remove the shares to cover their tracks. This analytic looks for the removal of network shares via commandline, which is otherwise a rare event.
ATT&CK Detections
| Technique | Subtechnique(s) | Tactic(s) | Level of Coverage |
|---|---|---|---|
| Indicator Removal | Network Share Connection Removal | Defense Evasion | High |
D3FEND Techniques
| ID | Name |
|---|---|
| D3-PSA | Process Spawn Analysis |
Data Model References
| Object | Action | Field |
|---|---|---|
| process | create | exe |
| process | create | command_line |
Implementations
Pseudocode - network shares being removed via the command line (Pseudocode, CAR native)
This is a pseudocode representation of the below splunk search.
processes = search Process:Create
target_processes = filter processes where (
(exe="C:\\Windows\\System32\\net.exe" AND command_line="*delete*") OR
command_line="*Remove-SmbShare*" OR
comman_line="*Remove-FileShare*" )
output target_processes
Splunk Search - delete network shares (Splunk, Sysmon native)
looks network shares being deleted from the command line
(index=__your_sysmon_index__ EventCode=1) ((Image="C:\\Windows\\System32\\net.exe" AND CommandLine="*delete*") OR CommandLine="*Remove-SmbShare*" OR CommandLine="*Remove-FileShare*")
LogPoint Search - delete network shares (Logpoint, LogPoint native)
looks network shares being deleted from the command line
norm_id=WindowsSysmon event_id=1 ((image="C:\Windows\System32\net.exe" command="*delete*") OR command="*Remove-SmbShare*" OR command="*Remove-FileShare*")