Adversaries may use network shares to exfiltrate data and then remove the shares to cover their tracks. This analytic looks for network shares being removed from the command line, which is otherwise a rare event.
|Technique|Subtechnique(s)|Tactic(s)|Level of Coverage|
|---|---|---|---|
|Indicator Removal on Host|Network Share Connection Removal|Defense Evasion|High|
Data Model References

|Object|Action|Field|
|---|---|---|
|process|create|exe|
|process|create|command_line|
Pseudocode - network shares being removed via the command line (Pseudocode, CAR native)

This is a pseudocode representation of the Splunk search below.

processes = search Process:Create
target_processes = filter processes where (
    (exe="C:\\Windows\\System32\\net.exe" AND command_line="*delete*")
    OR command_line="*Remove-SmbShare*"
    OR command_line="*Remove-FileShare*"
)
output target_processes
Splunk Search - delete network shares (Splunk, Sysmon native)

Looks for network shares being deleted from the command line. Note that the `*delete*` wildcard on net.exe also matches `net use ... /delete` (a share connection removal, which this subtechnique covers) and unrelated commands such as `net user ... /delete`, so hits should be reviewed; and because net.exe commonly hands the work to net1.exe, a filter keyed only on the net.exe image will not see the net1.exe child process.
(index=__your_sysmon_index__ EventCode=1) ((Image="C:\\Windows\\System32\\net.exe" AND CommandLine="*delete*") OR CommandLine="*Remove-SmbShare*" OR CommandLine="*Remove-FileShare*")
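The following is an added example that runs the analytic's logic over a handful of constructed Sysmon Event ID 1 records; it is not CAR's or Splunk's code, and the key=value record format, file paths and sample command lines are all assumptions made for this example. The sample set deliberately includes a `net user ... /delete` event (matched by the `*delete*` wildcard even though no share is involved), a `net1.exe` event (missed because the image filter names net.exe only) and a non-process-create event, so the output shows exactly what the search does and does not catch.

```python
"""Added example: the CAR analytic above applied to constructed Sysmon
process-create records. Not code from CAR or Splunk; record format and
sample events are constructed for this example."""
import re
from typing import Dict, List

# Constructed, Splunk-style key=value rendering of Sysmon Event ID 1.
# Real events carry many more fields; only the ones the analytic reads are kept.
SAMPLE_EVENTS: List[str] = [
    # true positive: share removed with net.exe
    'EventCode=1 Image="C:\\Windows\\System32\\net.exe" CommandLine="net share exfil /delete"',
    # share connection removal (mapped drive dropped), also matched
    'EventCode=1 Image="C:\\Windows\\System32\\net.exe" CommandLine="net use Z: /delete /y"',
    # true positive: PowerShell SMB cmdlet
    'EventCode=1 Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="powershell -c Remove-SmbShare -Name exfil -Force"',
    # benign: mapping a share, no "delete" token
    'EventCode=1 Image="C:\\Windows\\System32\\net.exe" CommandLine="net use Z: \\\\fs01\\finance"',
    # false positive: the *delete* wildcard matches account deletion too
    'EventCode=1 Image="C:\\Windows\\System32\\net.exe" CommandLine="net user tmpadmin /delete"',
    # gap: net.exe hands off to net1.exe, which the Image filter does not name
    'EventCode=1 Image="C:\\Windows\\System32\\net1.exe" CommandLine="net1 share exfil /delete"',
    # wrong event type: not a process create, so out of scope
    'EventCode=3 Image="C:\\Windows\\System32\\net.exe" CommandLine="net share exfil /delete"',
]

# key=value pairs, values either double-quoted or a single bare token
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# image path compared case-insensitively (assumption: Windows paths are case-insensitive)
NET_EXE = r"c:\windows\system32\net.exe"


def parse_event(line: str) -> Dict[str, str]:
    """Turn one constructed key=value record into a dict of field -> value."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def matches_analytic(event: Dict[str, str]) -> bool:
    """Mirror of the CAR pseudocode: net.exe with 'delete' anywhere in the
    command line, or any process whose command line names the SMB cmdlets."""
    if event.get("EventCode") != "1":          # Process:Create only
        return False
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if image == NET_EXE and "delete" in cmdline:
        return True
    return "remove-smbshare" in cmdline or "remove-fileshare" in cmdline


def run_analytic(lines: List[str]) -> List[str]:
    """Return the command lines of every record the analytic would flag."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if matches_analytic(event):
            hits.append(event["CommandLine"])
    return hits


if __name__ == "__main__":
    for hit in run_analytic(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Running it flags the two genuine share removals and the `net use /delete` connection removal, but also the `net user /delete` event, while the `net1.exe` share removal goes unreported; tuning for an environment means deciding whether to narrow the wildcard to `*share*delete*` and whether to add net1.exe to the image list.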