T1070.005 Google Chronicle · YARA-L

Detect Network Share Connection Removal in Google Chronicle

Adversaries remove Windows network share connections after use to clean up traces of lateral movement and data access. Network shares mapped via net use or UNC paths leave artifacts in the Windows registry (HKCU\Network), Windows event logs (Event ID 5140 — network share object accessed, Event ID 5142 — network share created), and in the MRU list. The primary utility for removal is net use \\target\share /delete or net use * /DELETE /Y to remove all mapped drives simultaneously. RobbinHood ransomware used net use * /DELETE /Y to disconnect all network shares before encryption, likely to ensure local encryption of any mapped network paths. Threat Group-3390 detached network shares after exfiltrating files. InvisiMole, DUSTTRAP (APT41), and various ransomware families routinely perform share cleanup as a post-exploitation step.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1070 Indicator Removal
Sub-technique
T1070.005 Network Share Connection Removal
Canonical reference
https://attack.mitre.org/techniques/T1070/005/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule t1070_005_network_share_connection_removal {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects adversarial network share connection removal via net.exe or net1.exe. Used by RobbinHood, Threat Group-3390, InvisiMole, DUSTTRAP (APT41) for post-exploitation cleanup."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1070.005"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    // On a PROCESS_LAUNCH event target.process is the process being launched and
    // principal.process is its parent, so the net.exe match belongs on target.
    (
      re.regex($e.target.process.file.full_path, `(?i).*\\net\.exe$`)
      or re.regex($e.target.process.file.full_path, `(?i).*\\net1\.exe$`)
    )
    // "use" as a whole verb, so "net user <name> /delete" (account removal) does not match
    re.regex($e.target.process.command_line, `(?i).*\buse\s.*`)
    // net.exe accepts any unique prefix of /delete (/d, /del, ...); no other
    // "net use" switch begins with /d. Covers "net use X: /d" at end of line
    // and the wildcard form "net use * /DELETE /Y".
    re.regex($e.target.process.command_line, `(?i).*\s/d[a-z]*(\s.*)?$`)

  condition:
    $e
}

rule t1070_005_bulk_share_removal {
  meta:
    author = "Argus Detection Engineering"
    description = "High-confidence detection for bulk network share removal (net use * /DELETE /Y) — pattern consistent with pre-encryption ransomware behavior."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1070.005"
    severity = "CRITICAL"
    priority = "CRITICAL"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path, `(?i).*\\net\.exe$`)
      or re.regex($e.target.process.file.full_path, `(?i).*\\net1\.exe$`)
    )
    // Wildcard device name followed by /delete (or a prefix of it); "net use * \\server\share"
    // maps a drive and does not match because no /d switch is present.
    re.regex($e.target.process.command_line, `(?i).*\buse\s+\*\s+.*/d[a-z]*(\s.*)?$`)

  condition:
    $e
}

Two-rule Chronicle YARA-L detection: one broad rule for any net use /delete activity, and a high-confidence critical rule for bulk share removal (net use * /DELETE) consistent with pre-encryption ransomware staging. Uses UDM process launch events with regex matching on command-line arguments.

Data Sources

  • Google Chronicle UDM
  • Windows Event Logs via Chronicle forwarder
  • Sysmon via Chronicle

Required Tables

UDM Events - PROCESS_LAUNCH

False Positives & Tuning

  • Administrative batch scripts executed during shift change or end-of-business that clean up all mapped network drives for security hygiene
  • Virtual desktop infrastructure (VDI) session teardown processes that automatically disconnect all mapped resources on logoff
  • Endpoint detection and response (EDR) or DLP agents that disconnect network shares when a data loss policy violation is detected
Testing Methodology

Validate this detection against the three Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Remove Specific Network Share Connection with net use /delete

    Expected signal: Sysmon EventCode 1: net.exe process creation with 'use \\127.0.0.1\IPC$ /delete' command line. Windows Security Event ID 5140 (share accessed) and then no corresponding 5142 (share removed) since the share never fully established due to authentication. MDE DeviceProcessEvents captures both the mapping and deletion commands.

  2. Test 2: Bulk Network Share Removal with net use * /DELETE

    Expected signal: Sysmon EventCode 1: net.exe with '* /DELETE /Y' in command line. Windows Security Event ID 5140 may fire for each share that was disconnected. The wildcard (*) in the command line is a high-fidelity indicator of bulk share removal. MDE DeviceProcessEvents captures the full command including the * wildcard.

  3. Test 3: Delete Network Share Registry History (MountPoints2 Cleanup)

    Expected signal: reg.exe process creation with 'delete' and 'MountPoints2' in command line. Sysmon EventCode 12 (RegistryKeyDeleted) for HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2. Security Event ID 4657 if registry auditing is enabled for HKCU keys.
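The following Python script is an added example, not part of the Argus detection package or the Chronicle product. It re-implements the matching logic of the two YARA-L rules above over constructed UDM-style PROCESS_LAUNCH events so that both the "False Positives & Tuning" list and the three Atomic tests above can be checked offline before the rules are deployed: it replays the test command lines, adds the false-positive cases a tuner cares about (an account deletion via `net user`, a drive mapping with the `*` wildcard, and a net.exe-to-net1.exe child launch) and applies a parent-process allowlist of the kind the VDI-teardown tuning note calls for. Python's `re` and RE2 (which YARA-L uses) agree on every construct used here; the `ProcessLaunch` class, the `ALLOWED_PARENTS` path and all event data are constructed for the example and do not come from real telemetry.

```python
import re
from dataclasses import dataclass


# Constructed UDM-style PROCESS_LAUNCH event (not real telemetry). In Chronicle UDM,
# principal.process is the parent that launched the process and target.process is the
# process that was launched; both rules key on the launched binary and its command line.
@dataclass
class ProcessLaunch:
    parent_path: str      # principal.process.file.full_path
    target_path: str      # target.process.file.full_path
    command_line: str     # target.process.command_line


# Patterns equivalent to the YARA-L rules above.
NET_EXE = re.compile(r"(?i)\\net1?\.exe$")
USE_VERB = re.compile(r"(?i)\buse\s")                      # "use" as a verb, not "user"
# net.exe accepts any unique prefix of /delete (/d, /del, ...); no other "net use"
# switch begins with /d, so /d followed by letters is unambiguous.
DELETE_FLAG = re.compile(r"(?i)\s/d[a-z]*(\s|$)")
BULK_DELETE = re.compile(r"(?i)\buse\s+\*\s+.*/d[a-z]*(\s|$)")


def rule_share_removal(ev: ProcessLaunch) -> bool:
    """Broad rule: net.exe/net1.exe launched with 'use ... /delete' (HIGH)."""
    return bool(NET_EXE.search(ev.target_path)
                and USE_VERB.search(ev.command_line)
                and DELETE_FLAG.search(ev.command_line))


def rule_bulk_removal(ev: ProcessLaunch) -> bool:
    """High-confidence rule: wildcard form 'net use * /DELETE' (CRITICAL)."""
    return bool(NET_EXE.search(ev.target_path) and BULK_DELETE.search(ev.command_line))


# Tuning: parent processes that legitimately tear down every mapped drive at logoff.
# Hypothetical placeholder path; populate from your own VDI / logoff tooling.
ALLOWED_PARENTS = {r"c:\program files\example-vdi\sessionteardown.exe"}


def classify(ev: ProcessLaunch):
    """Return 'suppressed', 'CRITICAL', 'HIGH' or None for a single event."""
    if ev.parent_path.lower() in ALLOWED_PARENTS:
        return "suppressed"
    if rule_bulk_removal(ev):
        return "CRITICAL"
    if rule_share_removal(ev):
        return "HIGH"
    return None


CMD = r"C:\Windows\System32\cmd.exe"
NET = r"C:\Windows\System32\net.exe"
NET1 = r"C:\Windows\System32\net1.exe"
REG = r"C:\Windows\System32\reg.exe"
VDI = r"C:\Program Files\Example-VDI\SessionTeardown.exe"   # hypothetical parent

# Constructed events: the three Atomic tests, then tuning and false-positive cases.
SAMPLE_EVENTS = [
    ProcessLaunch(CMD, NET, r"net use \\127.0.0.1\IPC$ /delete"),        # Test 1
    ProcessLaunch(CMD, NET, r"net use * /DELETE /Y"),                     # Test 2
    ProcessLaunch(CMD, REG, r"reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f"),  # Test 3
    ProcessLaunch(NET, NET1, r"C:\Windows\system32\net1 use Z: /d"),      # net.exe -> net1.exe child
    ProcessLaunch(CMD, NET, r"net user svc_backup /delete"),              # account deletion, not a share
    ProcessLaunch(CMD, NET, r"net use * \\fs01\data"),                    # mapping a drive, not removing
    ProcessLaunch(VDI, NET, r"net use * /DELETE /Y"),                     # allowlisted logoff parent
]


def evaluate_all(events=SAMPLE_EVENTS):
    """Classify every event; list order matches SAMPLE_EVENTS."""
    return [classify(ev) for ev in events]


if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, evaluate_all()):
        print(f"{str(verdict):10} {ev.command_line}")
```

Running it shows Test 1 classified HIGH, Test 2 CRITICAL, the net1.exe child HIGH, and the `net user` and drive-mapping lines ignored. Test 3 produces no verdict from either rule, which is the expected result: reg.exe cleanup of MountPoints2 is process-launch telemetry for reg.exe, not net.exe, so covering that test needs a separate rule over the registry-deletion event the test's expected-signal note describes rather than a looser version of these two.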
