atomic-red-team/atomics/T1070.005/T1070.005.yaml

attack_technique: T1070.005
display_name: 'Indicator Removal on Host: Network Share Connection Removal'
atomic_tests:
- name: Add Network Share
  auto_generated_guid: 14c38f32-6509-46d8-ab43-d53e32d2b131
  description: |
    Add a Network Share utilizing the command_prompt
  supported_platforms:
  - windows
  input_arguments:
    share_name:
      description: Share to add.
      type: string
      default: '\\test\share'
  executor:
    command: |
      net use c: #{share_name}
      net share test=#{share_name} /REMARK:"test share" /CACHE:No
    name: command_prompt
- name: Remove Network Share
  auto_generated_guid: 09210ad5-1ef2-4077-9ad3-7351e13e9222
  description: |
    Removes a Network Share utilizing the command_prompt
  supported_platforms:
  - windows
  input_arguments:
    share_name:
      description: Share to remove.
      type: string
      default: '\\test\share'
  executor:
    command: |
      net share #{share_name} /delete
    name: command_prompt
- name: Remove Network Share PowerShell
  auto_generated_guid: 0512d214-9512-4d22-bde7-f37e058259b3
  description: |
    Removes a Network Share utilizing PowerShell
  supported_platforms:
  - windows
  input_arguments:
    share_name:
      description: Share to remove.
      type: string
      default: '\\test\share'
  executor:
    command: |
      Remove-SmbShare -Name #{share_name}
      Remove-FileShare -Name #{share_name}
    name: powershell
- name: Disable Administrative Share Creation at Startup
  auto_generated_guid: 99c657aa-ebeb-4179-a665-69288fdd12b8
  description: |
    Administrative shares are hidden network shares created by Microsoft’s Windows NT operating systems that grant system administrators 
    remote access to every disk volume on a network-connected system. These shares are automatically created at started unless they have been
    purposefully disabled as is done in this Atomic test. As Microsoft puts it, "Missing administrative shares typically 
    indicate that the computer in question has been compromised by malicious software."
    https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/
  supported_platforms:
  - windows
  executor:
    command: |
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer /t REG_DWORD /d 0 /f
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /t REG_DWORD /d 0 /f
    cleanup_command: |
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer /f
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /f
    name: command_prompt
    elevation_required: true
- name: Remove Administrative Shares
  auto_generated_guid: 4299eff5-90f1-4446-b2f3-7f4f5cfd5d62
  description: |
    Administrative shares are hidden network shares created by Microsoft’s Windows NT operating systems that grant system administrators 
    remote access to every disk volume on a network-connected system. As Microsoft puts it, “Missing administrative shares typically 
    indicate that the computer in question has been compromised by malicious software.
    https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/
  supported_platforms:
  - windows
  executor:
    command: for %i in (C$ IPC$ ADMIN$) do net share %i /delete
    cleanup_command: |
      net share ADMIN$ /UNLIMITED >nul 2>&1
      net share C$=C:\ >nul 2>&1
      net share IPC$ >nul 2>&1
    name: command_prompt
    elevation_required: true