Detect Network Share Connection Removal in IBM QRadar
Adversaries remove Windows network share connections after use to clean up traces of lateral movement and data access. Shares mapped with net use or by UNC path leave artifacts in the registry (persistent mappings under HKCU\Network, connection history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 and the Map Network Drive MRU key), in the Windows Security event log of the file server (Event ID 5140, network share object accessed; Event ID 5142, network share object added), and in process-creation telemetry on the client (Security Event ID 4688 with command-line auditing, or Sysmon Event ID 1). The usual removal command is net use \\target\share /delete for a single connection, or net use * /DELETE /Y to drop every mapped drive at once without prompting. RobbinHood ransomware ran net use * /DELETE /Y to disconnect all network shares before encryption, likely to ensure local encryption of any mapped network paths. Threat Group-3390 detached network shares after exfiltrating files. InvisiMole, DUSTTRAP (APT41), and various ransomware families routinely perform share cleanup as a post-exploitation step.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1070 Indicator Removal
- Sub-technique: T1070.005 Network Share Connection Removal
- Canonical reference: https://attack.mitre.org/techniques/T1070/005/
QRadar Detection Query
The detection is two independent AQL statements rather than a single UNION (the original ORDER BY ... UNION ... construction is not valid). "CommandLine", "ProcessPath" and "ParentProcessPath" are custom event properties parsed from Security Event ID 4688, which only carries a command line when Audit Process Creation with command-line logging is enabled; "EventID", "ShareName" and "IpAddress" are the Windows event ID, share name and client address properties of the 5140/5142 events. Confirm the property names and types in your deployment before saving either statement as a search or rule (if EventID is stored as a numeric property, drop the quotes around the values). ILIKE is case-insensitive, so one pattern per flag is enough.

Query 1: share-disconnect command lines

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS Username,
  QIDNAME(qid) AS EventName,
  "CommandLine" AS CommandLine,
  "ProcessPath" AS ProcessPath,
  "ParentProcessPath" AS ParentProcess,
  hostname AS Hostname,
  CATEGORYNAME(category) AS Category,
  CASE
    WHEN "CommandLine" ILIKE '%use * /d%'
      THEN 'HIGH - Bulk Share Removal'
    ELSE 'MEDIUM - Targeted Share Removal'
  END AS Severity
FROM events
WHERE
  LOGSOURCETYPEID = 12 -- Microsoft Windows Security Event Log
  AND starttime > NOW() - 86400000
  AND ("ProcessPath" ILIKE '%\\net.exe' OR "ProcessPath" ILIKE '%\\net1.exe')
  AND "CommandLine" ILIKE '% use %'
  AND (
    "CommandLine" ILIKE '%/del%'
    OR "CommandLine" ILIKE '% /d %'
    OR "CommandLine" ILIKE '% /d'
  )
ORDER BY starttime DESC

Query 2: share object events for context

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS Username,
  QIDNAME(qid) AS EventName,
  "EventID" AS EventID,
  "ShareName" AS ShareName,
  "IpAddress" AS ClientIP,
  hostname AS Hostname,
  CATEGORYNAME(category) AS Category,
  'INFO - Share Object Event' AS Severity
FROM events
WHERE
  LOGSOURCETYPEID = 12
  AND starttime > NOW() - 86400000
  AND "EventID" IN ('5140', '5142')
ORDER BY starttime DESC

The first query finds net.exe and net1.exe invocations carrying a share-deletion flag (/delete, /del or /d) in the last 24 hours of Windows Security events, escalating to HIGH when the target is the * wildcard; the "% use %" pattern is deliberate, since a bare "use" also matches net user ... /delete. The second query pulls the server-side share object events so that a disconnect seen on a client can be tied back to the share name and client address it referred to, which is the lateral-movement or data-staging context the cleanup is meant to erase. Neither 5140 nor 5142 records a client disconnecting a mapped drive; the disconnect itself is visible only in the process command line (4688 or Sysmon Event ID 1), so Query 1 is the detection and Query 2 is the enrichment.
Data Sources
- Process creation with command line: Windows Security Event ID 4688 (Audit Process Creation with command-line logging enabled) or Sysmon Event ID 1, for the net.exe / net1.exe invocations
- Windows Security Event IDs 5140 and 5142 from file servers (Audit File Share object access), for the share-object context
Required Tables
- events (AQL), log source type 12: Microsoft Windows Security Event Log
False Positives & Tuning
- Helpdesk tooling that disconnects users' mapped drives when resetting profiles or troubleshooting connectivity issues
- Login/logoff scripts deployed via Active Directory Group Policy that clean up drive mappings to prevent share enumeration by other users
- Backup or DFS sync agents that mount and dismount shares programmatically during scheduled data replication tasks
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Remove Specific Network Share Connection with net use /delete
Expected signal: Sysmon EventCode 1: net.exe process creation with 'use \\127.0.0.1\IPC$ /delete' in the command line. Windows Security Event ID 5140 (share accessed) appears only if the IPC$ connection to 127.0.0.1 was actually established and File Share auditing is enabled on the host; no 5142 fires, because that event records a share being added, and the test removes a client connection rather than creating or deleting a share object. MDE DeviceProcessEvents captures both the mapping and deletion commands.
- Test 2: Bulk Network Share Removal with net use * /DELETE
Expected signal: Sysmon EventCode 1: net.exe with '* /DELETE /Y' in the command line. The disconnect itself generates no share-object event; the 5140 events recorded on the file servers when the shares were first accessed tell you which shares were mapped and therefore dropped. The wildcard (*) in the command line is a high-fidelity indicator of bulk share removal. MDE DeviceProcessEvents captures the full command including the * wildcard.
- Test 3: Delete Network Share Registry History (MountPoints2 Cleanup)
Expected signal: reg.exe process creation with 'delete' and 'MountPoints2' in the command line. Sysmon EventCode 12 (RegistryEvent: key created or deleted) for HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2. With a SACL for registry object access on the key, Security Event IDs 4663 (DELETE access requested) and 4660 (object deleted) fire; 4657 covers value modifications only and does not record the key deletion.
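To exercise the rule's logic against the three test command lines without a QRadar instance, here is an added Python example (not part of the original page, of Atomic Red Team, or of any vendor tooling) that applies the same checks as Query 1 to constructed process-creation records: net.exe / net1.exe image, a whole-word "use" followed by /delete, /del or /d, the wildcard target escalated to HIGH, plus the reg.exe MountPoints2 variant from Test 3 and a parent-process allowlist illustrating the logon-script false positive from the tuning list. The records, the severity labels and the gpscript.exe allowlist entry are assumptions for illustration.

```python
import re

# Constructed process-creation records in the shape of Security 4688 / Sysmon 1
# telemetry (hosts, users, paths and command lines are invented for this example).
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\net.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"net use \\127.0.0.1\IPC$ /delete"},                      # Test 1
    {"host": "WS01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\net1.exe", "parent": r"C:\Windows\System32\net.exe",
     "cmdline": r"C:\Windows\System32\net1.exe use * /DELETE /Y"},         # Test 2 (net.exe hands off to net1.exe)
    {"host": "WS01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\reg.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f"},  # Test 3
    {"host": "WS02", "user": "CORP\\bob",
     "image": r"C:\Windows\System32\net.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"net user bob /delete"},                                  # account deletion, not a share
    {"host": "WS03", "user": "CORP\\carol",
     "image": r"C:\Windows\System32\net.exe", "parent": r"C:\Windows\System32\gpscript.exe",
     "cmdline": r"net use H: /d"},                                         # logoff-script cleanup (false positive)
]

NET_IMAGE = re.compile(r"\\net1?\.exe$", re.IGNORECASE)
REG_IMAGE = re.compile(r"\\reg\.exe$", re.IGNORECASE)
# "use <target> /delete|/del|/d": the lazy target group captures what is being
# disconnected. Matching "use" as a whole word keeps "net user ... /delete" out.
NET_USE_DELETE = re.compile(r"\buse\b(?P<target>.*?)\s/(?:delete|del|d)\b", re.IGNORECASE)
REG_MOUNTPOINTS = re.compile(r"\bdelete\b.*MountPoints2", re.IGNORECASE)

# Hypothetical tuning allowlist: parent images of known drive-cleanup tooling
# (here the Group Policy script host) whose net use /delete calls are expected.
DEFAULT_PARENT_ALLOWLIST = (r"\gpscript.exe",)


def classify(event, parent_allowlist=DEFAULT_PARENT_ALLOWLIST):
    """Return a severity label for a share-cleanup event, or None if it does not match."""
    parent = event.get("parent", "").lower()
    if any(parent.endswith(p.lower()) for p in parent_allowlist):
        return None
    image, cmdline = event["image"], event["cmdline"]
    if NET_IMAGE.search(image):
        m = NET_USE_DELETE.search(cmdline)
        if m is None:
            return None
        # A wildcard target removes every mapped drive at once (the RobbinHood pattern).
        if m.group("target").strip() == "*":
            return "HIGH - Bulk Share Removal"
        return "MEDIUM - Targeted Share Removal"
    if REG_IMAGE.search(image) and REG_MOUNTPOINTS.search(cmdline):
        return "MEDIUM - Share History Cleanup"
    return None


def run(events, parent_allowlist=DEFAULT_PARENT_ALLOWLIST):
    """Apply classify() to every record; return (host, user, severity, cmdline) alerts."""
    alerts = []
    for ev in events:
        severity = classify(ev, parent_allowlist)
        if severity is not None:
            alerts.append((ev["host"], ev["user"], severity, ev["cmdline"]))
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(" | ".join(alert))
```

Running the block prints three alerts (Tests 1 to 3) and stays silent on the net user deletion and on the Group Policy logoff-script cleanup. Passing an empty allowlist to run() or classify() shows the logoff-script record surfacing as a MEDIUM hit, which is the trade-off the tuning list describes: suppress by parent process or service account rather than by loosening the command-line match.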