Network Share Connection Removal

https://attack.mitre.org/techniques/T1070/005/

ATT&CK ID: T1070.005

Permissions Required: Administrator | User

Description

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and SMB/Windows Admin Shares connections can be removed when no longer needed. Net is an example utility that can be used to remove network share connections with the net use \system\share /delete command.

[Source]

Techniques

Net (Native)

net use i: /delete
net use l: /delete

Registry

# Query for mapped drives
reg query HKEY_CURRENT_USER\Network

reg delete HKEY_CURRENT_USER\Network\i /f

# Query secondary mapped drive keys
reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

# Delete secondary mapped drive keys
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##DC01#IT /f

Mitigation

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

hashtagTechniques

hashtagNet (Native)

hashtagRegistry

hashtagMitigation

hashtagFurther Reading

Techniques

Net (Native)

Registry

Mitigation

Further Reading