security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1663bf7d524b6fc8a9a39104feb2949b36368dfc
atomic-red-team/atomics/T1126/T1126.md
T
CircleCI Atomic Red Team doc generator 499c751bcc Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-03 13:36:10 +00:00

81 lines
2.1 KiB
Markdown
Raw Blame History

# T1126 - Network Share Connection Removal
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1126)
<blockquote>Windows shared drive and [Windows Admin Shares](https://attack.mitre.org/techniques/T1077) connections can be removed when no longer needed. [Net](https://attack.mitre.org/software/S0039) is an example utility that can be used to remove network share connections with the <code>net use \\system\share /delete</code> command. (Citation: Technet Net Use)
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.</blockquote>
## Atomic Tests
- [Atomic Test #1 - Add Network Share](#atomic-test-1---add-network-share)
- [Atomic Test #2 - Remove Network Share](#atomic-test-2---remove-network-share)
- [Atomic Test #3 - Remove Network Share PowerShell](#atomic-test-3---remove-network-share-powershell)
<br/>
## Atomic Test #1 - Add Network Share
Add a Network Share utilizing the command_prompt
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| share_name | Share to add. | string | \\test\share|
#### Run it with `command_prompt`!
```
net use c: #{share_name}
net share test=#{share_name} /REMARK:"test share" /CACHE:No
```
<br/>
<br/>
## Atomic Test #2 - Remove Network Share
Removes a Network Share utilizing the command_prompt
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| share_name | Share to remove. | string | \\test\share|
#### Run it with `command_prompt`!
```
net share #{share_name} /delete
```
<br/>
<br/>
## Atomic Test #3 - Remove Network Share PowerShell
Removes a Network Share utilizing PowerShell
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| share_name | Share to remove. | string | \\test\share|
#### Run it with `powershell`!
```
Remove-SmbShare -Name #{share_name}
Remove-FileShare -Name #{share_name}
```
<br/>
Reference in New Issue View Git Blame Copy Permalink