
T1070.005 - Indicator Removal on Host: Network Share Connection Removal

Description from ATT&CK

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and SMB/Windows Admin Shares connections can be removed when no longer needed. Net is an example utility that can be used to remove network share connections with the net use \\system\share /delete command. (Citation: Technet Net Use)

Atomic Tests


Atomic Test #1 - Add Network Share

Add a Network Share utilizing the command_prompt

Supported Platforms: Windows

auto_generated_guid: 14c38f32-6509-46d8-ab43-d53e32d2b131

Inputs:

Name       | Description   | Type   | Default Value
share_name | Share to add. | string | \\test\share

Attack Commands: Run with command_prompt!

net use c: #{share_name}
net share test=#{share_name} /REMARK:"test share" /CACHE:No


Atomic Test #2 - Remove Network Share

Removes a Network Share utilizing the command_prompt

Supported Platforms: Windows

auto_generated_guid: 09210ad5-1ef2-4077-9ad3-7351e13e9222

Inputs:

Name       | Description      | Type   | Default Value
share_name | Share to remove. | string | \\test\share

Attack Commands: Run with command_prompt!

net share #{share_name} /delete


Atomic Test #3 - Remove Network Share PowerShell

Removes a Network Share utilizing PowerShell

Supported Platforms: Windows

auto_generated_guid: 0512d214-9512-4d22-bde7-f37e058259b3

Inputs:

Name       | Description      | Type   | Default Value
share_name | Share to remove. | string | \\test\share

Attack Commands: Run with powershell!

Remove-SmbShare -Name #{share_name}
Remove-FileShare -Name #{share_name}


Atomic Test #4 - Disable Administrative Share Creation at Startup

Administrative shares are hidden network shares created by Microsoft's Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system. These shares are automatically created at startup unless they have been purposefully disabled, as is done in this Atomic test. As Microsoft puts it, "Missing administrative shares typically indicate that the computer in question has been compromised by malicious software." https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/

Supported Platforms: Windows

auto_generated_guid: 99c657aa-ebeb-4179-a665-69288fdd12b8

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /t REG_DWORD /d 0 /f

Cleanup Commands:

reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer /f
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /f


Atomic Test #5 - Remove Administrative Shares

Administrative shares are hidden network shares created by Microsoft's Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system. As Microsoft puts it, "Missing administrative shares typically indicate that the computer in question has been compromised by malicious software." https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/

Supported Platforms: Windows

auto_generated_guid: 4299eff5-90f1-4446-b2f3-7f4f5cfd5d62

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

for %i in (C$ IPC$ ADMIN$) do net share %i /delete

Cleanup Commands:

net share ADMIN$ /UNLIMITED >nul 2>&1
net share C$=C:\ >nul 2>&1
net share IPC$ >nul 2>&1
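The five tests above leave distinct telemetry: a `net share ... /delete` or `Remove-SmbShare`/`Remove-FileShare` command line (Security 4688 with command-line auditing enabled), a `reg add` writing `AutoShareServer`/`AutoShareWks` to 0 under the LanmanServer Parameters key, and Security event 5144 ("A network share object was deleted", requires the Audit File Share subcategory). The following detection sketch is an added example, not part of Atomic Red Team; the event records and their field names (`id`, `cmd`, `share`) are a constructed, normalised view of those log sources, not a real SIEM schema.

```python
import re

# Constructed sample events (not real telemetry), normalised as a SIEM might
# present them: id 4688 carries the process command line, id 5144 the share name.
SAMPLE_EVENTS = [
    {"id": 4688, "cmd": r"net  share C$ /delete"},
    {"id": 4688, "cmd": r'powershell.exe -c "Remove-SmbShare -Name \\test\share"'},
    {"id": 4688, "cmd": r'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /t REG_DWORD /d 0 /f'},
    {"id": 4688, "cmd": r'net share test=\\test\share /REMARK:"test share" /CACHE:No'},
    {"id": 5144, "share": r"\\*\ADMIN$"},
    {"id": 5144, "share": r"\\*\Finance"},
    {"id": 4688, "cmd": "notepad.exe"},
]

# Default administrative shares that Test #5 deletes; losing these is the
# strongest signal, so they get their own label for higher severity.
ADMIN_SHARES = {"C$", "IPC$", "ADMIN$"}
LANMAN_KEY = r"services\lanmanserver\parameters"


def classify(ev):
    """Return a finding label for one event, or None when it does not match T1070.005."""
    if ev["id"] == 5144:
        # 5144 reports the share as \\*\NAME; compare only the trailing name.
        name = ev["share"].rsplit("\\", 1)[-1].upper()
        return "admin_share_deleted" if name in ADMIN_SHARES else "share_deleted"
    cmd = ev.get("cmd", "")
    # Test #2 / #5: net or net1 share <name> /delete (short form /del also accepted).
    if re.search(r"\bnet1?\s+share\b.*\s/del(ete)?\b", cmd, re.I):
        return "net_share_delete"
    # Test #3: PowerShell cmdlets used by the atomic.
    if re.search(r"\bRemove-(Smb|File)Share\b", cmd, re.I):
        return "powershell_share_removal"
    # Test #4: AutoShareServer / AutoShareWks set to 0 under LanmanServer\Parameters.
    if (LANMAN_KEY in cmd.lower()
            and re.search(r"\bAutoShare(Server|Wks)\b", cmd, re.I)
            and re.search(r"/d\s+0\b", cmd)):
        return "autoshare_disabled"
    return None


def findings(events):
    """Index/label pairs for every event that matched; share creation (Test #1) is not flagged."""
    return [(i, label) for i, ev in enumerate(events) if (label := classify(ev))]


if __name__ == "__main__":
    for idx, label in findings(SAMPLE_EVENTS):
        print(idx, label, SAMPLE_EVENTS[idx])
```

Event 3 (the share creation from Test #1) and event 6 are deliberately left unflagged so the sample shows both matches and non-matches.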