security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1070.005/T1070.005.md
T
Atomic Red Team doc generator 5ede8f21e4 Generated docs from job=generate-docs branch=master [ci skip]
2025-02-13 22:03:40 +00:00

198 lines
4.9 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# T1070.005 - Indicator Removal on Host: Network Share Connection Removal
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1070/005)
<blockquote>
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) connections can be removed when no longer needed. [Net](https://attack.mitre.org/software/S0039) is an example utility that can be used to remove network share connections with the <code>net use \\system\share /delete</code> command. (Citation: Technet Net Use)
</blockquote>
## Atomic Tests
- [Atomic Test #1 - Add Network Share](#atomic-test-1---add-network-share)
- [Atomic Test #2 - Remove Network Share](#atomic-test-2---remove-network-share)
- [Atomic Test #3 - Remove Network Share PowerShell](#atomic-test-3---remove-network-share-powershell)
- [Atomic Test #4 - Disable Administrative Share Creation at Startup](#atomic-test-4---disable-administrative-share-creation-at-startup)
- [Atomic Test #5 - Remove Administrative Shares](#atomic-test-5---remove-administrative-shares)
<br/>
## Atomic Test #1 - Add Network Share
Add a Network Share utilizing the command_prompt
**Supported Platforms:** Windows
**auto_generated_guid:** 14c38f32-6509-46d8-ab43-d53e32d2b131
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| share_name | Share to add. | string | &#92;&#92;test&#92;share|
#### Attack Commands: Run with `command_prompt`!
```cmd
net use c: #{share_name}
net share test=#{share_name} /REMARK:"test share" /CACHE:No
```
<br/>
<br/>
## Atomic Test #2 - Remove Network Share
Removes a Network Share utilizing the command_prompt
**Supported Platforms:** Windows
**auto_generated_guid:** 09210ad5-1ef2-4077-9ad3-7351e13e9222
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| share_name | Share to remove. | string | &#92;&#92;test&#92;share|
#### Attack Commands: Run with `command_prompt`!
```cmd
net share #{share_name} /delete
```
<br/>
<br/>
## Atomic Test #3 - Remove Network Share PowerShell
Removes a Network Share utilizing PowerShell
**Supported Platforms:** Windows
**auto_generated_guid:** 0512d214-9512-4d22-bde7-f37e058259b3
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| share_name | Share to remove. | string | &#92;&#92;test&#92;share|
#### Attack Commands: Run with `powershell`!
```powershell
Remove-SmbShare -Name #{share_name}
Remove-FileShare -Name #{share_name}
```
<br/>
<br/>
## Atomic Test #4 - Disable Administrative Share Creation at Startup
Administrative shares are hidden network shares created by Microsofts Windows NT operating systems that grant system administrators
remote access to every disk volume on a network-connected system. These shares are automatically created at started unless they have been
purposefully disabled as is done in this Atomic test. As Microsoft puts it, "Missing administrative shares typically
indicate that the computer in question has been compromised by malicious software."
https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/
**Supported Platforms:** Windows
**auto_generated_guid:** 99c657aa-ebeb-4179-a665-69288fdd12b8
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /t REG_DWORD /d 0 /f
```
#### Cleanup Commands:
```cmd
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer /f
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /f
```
<br/>
<br/>
## Atomic Test #5 - Remove Administrative Shares
Administrative shares are hidden network shares created by Microsofts Windows NT operating systems that grant system administrators
remote access to every disk volume on a network-connected system. As Microsoft puts it, “Missing administrative shares typically
indicate that the computer in question has been compromised by malicious software.
https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/
**Supported Platforms:** Windows
**auto_generated_guid:** 4299eff5-90f1-4446-b2f3-7f4f5cfd5d62
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
for %i in (C$ IPC$ ADMIN$) do net share %i /delete
```
#### Cleanup Commands:
```cmd
net share ADMIN$ /UNLIMITED >nul 2>&1
net share C$=C:\ >nul 2>&1
net share IPC$ >nul 2>&1
```
<br/>
Reference in New Issue View Git Blame Copy Permalink