T1070.005 Network Share Connection Removal Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "net.exe" or FileName =~ "net1.exe"
| where ProcessCommandLine has "use" and ProcessCommandLine has_any ("/delete", "/DELETE", "/d")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
| union (
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName =~ "net.exe" or FileName =~ "net1.exe"
    | where ProcessCommandLine has "use" and ProcessCommandLine has "*"
    | project Timestamp, DeviceName, AccountName, ProcessCommandLine,
             InitiatingProcessFileName, InitiatingProcessCommandLine
)
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Network Share: Network Share Access Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

IT administrators running scripts that map and then unmap network shares as part of batch file operations
Logoff scripts configured in Group Policy that disconnect mapped drives when users log off
VPN clients that disconnect network shares when the VPN session ends and reconnect when it re-establishes
Backup agents that map network backup destinations, perform backup, then disconnect

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| where (Image like "%\\net.exe" OR Image like "%\\net1.exe")
  AND CommandLine like "%use%"
  AND (CommandLine like "%/delete%" OR CommandLine like "%/DELETE%" OR CommandLine like "% /d %")
| eval BulkDelete=if(CommandLine like "% * %", "YES - All Shares", "NO - Targeted")
| eval Severity=if(BulkDelete="YES - All Shares", "HIGH", "MEDIUM")
| table _time, host, User, CommandLine, ParentImage, BulkDelete, Severity
| sort - _time
| append [
    search index=wineventlog sourcetype="WinEventLog:Security" (EventCode=5140 OR EventCode=5142)
    | eval EventType=case(EventCode=5140, "Share Access", EventCode=5142, "Share Added", true(), "Other")
    | table _time, host, SubjectUserName, ShareName, IpAddress, EventCode, EventType
    | sort - _time
]

high severity medium confidence

Data Sources

Process: Process Creation Windows Security Event Log: Share Auditing Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Logoff/logon scripts that disconnect mapped drives during session teardown
IT scripts that map shares for specific tasks and then clean up afterwards
RDS/Citrix session teardown processes disconnecting shares when sessions end
Automated drive mapping tools that cycle connections periodically

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [process where event.type == "start"
    and process.name in ("net.exe", "net1.exe")
    and process.args : "use"
    and process.args : ("/delete", "/DELETE", "/d", "*")
  ] by process.pid
| [any where true] by process.parent.pid

// Alternative flat query for broader coverage:
process where event.type == "start"
  and process.name in ("net.exe", "net1.exe")
  and process.command_line : "*use*"
  and (
    process.command_line : "*/delete*"
    or process.command_line : "*/DELETE*"
    or process.command_line : "* /d *"
    or (process.command_line : "* * *" and process.command_line : "*use*")
  )

high severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Auditbeat

Required Tables

logs-endpoint.events.process-* winlogbeat-* .ds-logs-endpoint*

False Positives

IT administrators running scheduled scripts to clean up stale drive mappings at logoff via Group Policy logoff scripts
End users manually disconnecting network shares through Windows Explorer or command line after completing legitimate file transfers
Automated provisioning or imaging tools that map and unmap shares during software deployment or OS refresh workflows

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS Username,
  QIDNAME(qid) AS EventName,
  "CommandLine" AS CommandLine,
  "ParentProcessPath" AS ParentProcess,
  hostname AS Hostname,
  CATEGORYNAME(category) AS Category,
  CASE
    WHEN "CommandLine" ILIKE '%* /delete%' OR "CommandLine" ILIKE '%* /DELETE%'
      THEN 'HIGH - Bulk Share Removal'
    ELSE 'MEDIUM - Targeted Share Removal'
  END AS Severity
FROM events
WHERE
  LOGSOURCETYPEID = 12 -- Microsoft Windows Security Event Log
  AND starttime > NOW() - 86400000
  AND (
    ("ProcessPath" ILIKE '%\\net.exe' OR "ProcessPath" ILIKE '%\\net1.exe')
    AND "CommandLine" ILIKE '%use%'
    AND (
      "CommandLine" ILIKE '%/delete%'
      OR "CommandLine" ILIKE '%/DELETE%'
      OR "CommandLine" ILIKE '% /d %'
    )
  )
ORDER BY starttime DESC
UNION
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS Username,
  QIDNAME(qid) AS EventName,
  "ShareName" AS CommandLine,
  "IpAddress" AS ParentProcess,
  hostname AS Hostname,
  CATEGORYNAME(category) AS Category,
  'INFO - Share Object Event' AS Severity
FROM events
WHERE
  LOGSOURCETYPEID = 12
  AND starttime > NOW() - 86400000
  AND qid IN (
    SELECT qid FROM qidmap WHERE eventid IN (5140, 5142)
  )
ORDER BY starttime DESC

high severity medium confidence

Data Sources

Microsoft Windows Security Event Log Sysmon via Windows Event Log

Required Tables

events

False Positives

Helpdesk tooling that disconnects users' mapped drives when resetting profiles or troubleshooting connectivity issues
Login/logoff scripts deployed via Active Directory Group Policy that clean up drive mappings to prevent share enumeration by other users
Backup or DFS sync agents that mount and dismount shares programmatically during scheduled data replication tasks

Sumo Logic CSE

sql

_sourceCategory=WinEventLog/Sysmon OR _sourceCategory=WinEventLog/Security
| where EventID = "1" OR EventID = "5140" OR EventID = "5142"
| if (EventID = "1",
    (Image matches "*\\net.exe" OR Image matches "*\\net1.exe")
    AND CommandLine matches "*use*"
    AND (CommandLine matches "*/delete*" OR CommandLine matches "*/DELETE*" OR CommandLine matches "* /d *"),
    true
  )
| where EventID in ("5140", "5142") OR
  (
    EventID = "1"
    AND (
      CommandLine matches "*/delete*"
      OR CommandLine matches "*/DELETE*"
      OR CommandLine matches "* /d *"
    )
    AND CommandLine matches "*use*"
  )
| eval BulkDelete = if(
    CommandLine matches "* \\* *" AND CommandLine matches "*use*",
    "YES - All Shares Removed",
    "NO - Targeted Removal"
  )
| eval Severity = if(BulkDelete = "YES - All Shares Removed", "HIGH", "MEDIUM")
| eval EventType = if(EventID = "5140", "Share Access",
    if(EventID = "5142", "Share Created",
      if(EventID = "1", "Process Execution", "Unknown")))
| fields _messageTime, Computer, User, CommandLine, Image, ParentImage, ShareName, IpAddress, BulkDelete, Severity, EventType
| sort by _messageTime desc

high severity high confidence

Data Sources

Sysmon Operational Log Windows Security Event Log

Required Tables

WinEventLog/Sysmon WinEventLog/Security

False Positives

Enterprise endpoint management platforms (e.g., SCCM, Intune) running cleanup scripts during device provisioning or software deployment
Users in development or QA environments frequently mounting and unmounting file shares as part of build or test pipelines
VPN or network access control solutions that programmatically disconnect mapped drives before forcing a re-authentication flow

Google Chronicle / SecOps

yaral

rule t1070_005_network_share_connection_removal {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects adversarial network share connection removal via net.exe or net1.exe. Used by RobbinHood, Threat Group-3390, InvisiMole, DUSTTRAP (APT41) for post-exploitation cleanup."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1070.005"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.principal.process.file.full_path, `(?i).*\\net\.exe$`)
      or re.regex($e.principal.process.file.full_path, `(?i).*\\net1\.exe$`)
    )
    re.regex($e.target.process.command_line, `(?i).*use.*`)
    (
      re.regex($e.target.process.command_line, `(?i).*/delete.*`)
      or re.regex($e.target.process.command_line, `(?i).* /d .*`)
      or re.regex($e.target.process.command_line, `(?i).*use \\\\\\* .*`)
    )

  condition:
    $e
}

rule t1070_005_bulk_share_removal {
  meta:
    author = "Argus Detection Engineering"
    description = "High-confidence detection for bulk network share removal (net use * /DELETE /Y) — pattern consistent with pre-encryption ransomware behavior."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1070.005"
    severity = "CRITICAL"
    priority = "CRITICAL"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.principal.process.file.full_path, `(?i).*\\net\.exe$`)
      or re.regex($e.principal.process.file.full_path, `(?i).*\\net1\.exe$`)
    )
    re.regex($e.target.process.command_line, `(?i).*use\s+\*\s+.*(/delete|/DELETE).*`)

  condition:
    $e
}

critical severity high confidence

Data Sources

Google Chronicle UDM Windows Event Logs via Chronicle forwarder Sysmon via Chronicle

Required Tables

UDM Events - PROCESS_LAUNCH

False Positives

Administrative batch scripts executed during shift change or end-of-business that clean up all mapped network drives for security hygiene
Virtual desktop infrastructure (VDI) session teardown processes that automatically disconnect all mapped resources on logoff
Endpoint detection and response (EDR) or DLP agents that disconnect network shares when a data loss policy violation is detected

CrowdStrike LogScale (CQL)

cql

// Primary detection: net.exe / net1.exe share deletion
#event_simpleName=ProcessRollup2
| FileName in ("net.exe", "net1.exe", ignoreCase=true)
| CommandLine = /use/i
| CommandLine = /(\/delete|\/DELETE|\ \/d\ )/
| eval BulkDelete = if(CommandLine = /use\s+\\\\\*/, "YES", "NO")
| eval Severity = if(BulkDelete = "YES", "CRITICAL", "HIGH")
| eval TechniqueID = "T1070.005"
| eval TechniqueName = "Network Share Connection Removal"
| table([@timestamp, ComputerName, UserName, CommandLine, ParentProcessId, FileName, BulkDelete, Severity, TechniqueID, TechniqueName])
| sort(field=@timestamp, order=desc)

// Supplementary: detect net use wildcard bulk removal (pre-ransomware indicator)
#event_simpleName=ProcessRollup2
| FileName in ("net.exe", "net1.exe", ignoreCase=true)
| CommandLine = /use\s+\\\\\*\s+\/DELETE/i
| groupBy([ComputerName, UserName], function=[
    count(as=ExecutionCount),
    collect([CommandLine]),
    min(@timestamp, as=FirstSeen),
    max(@timestamp, as=LastSeen)
  ])
| where ExecutionCount >= 1
| eval RansomwareIndicator = "HIGH - Bulk Share Removal"
| sort(field=LastSeen, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Telemetry Falcon ProcessRollup2 events

Required Tables

ProcessRollup2

False Positives

System administrators using net use * /DELETE as part of documented drive mapping refresh procedures during patch windows or infrastructure maintenance
Logon/logoff scripts managed through Group Policy that remove mapped drives on session end to prevent accumulation of stale connections
Automated IT service management workflows (e.g., ServiceNow runbooks) that reset user environments by clearing drive mappings before re-provisioning

Network Share Connection Removal

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections