title: Network Share Connection Removal (T1070.005)
id: df00tech-t1070-005
status: experimental
description: "Adversaries remove Windows network share connections after use to clean up traces of lateral movement and data access. Network shares mapped via net use or UNC paths leave artifacts in the Windows registry (HKCU\\Network), Windows event logs (Event ID 5140 — network share object accessed, Event ID 5142 — network share created), and in the MRU list. The primary utility for removal is net use \\\\target\\share /delete or net use * /DELETE /Y to remove all mapped drives simultaneously. RobbinHood ransomware used net use * /DELETE /Y to disconnect all network shares before encryption, likely to ensure local encryption of any mapped network paths. Threat Group-3390 detached network shares after exfiltrating files. InvisiMole, DUSTTRAP (APT41), and various ransomware families routinely perform share cleanup as a post-exploitation step."
references:
  - https://attack.mitre.org/techniques/T1070/005/
  - https://df00tech.com/detections/T1070.005
author: df00tech
date: 2026/04/13
tags:
  - attack.t1070.005
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - IT administrators running scripts that map and then unmap network shares as part of batch file operations
  - Logoff scripts configured in Group Policy that disconnect mapped drives when users log off
  - VPN clients that disconnect network shares when the VPN session ends and reconnect when it re-establishes
  - "Backup agents that map network backup destinations, perform backup, then disconnect"
level: high