From 3516819bf819cd01f010ccaa47592f9115e71925 Mon Sep 17 00:00:00 2001
From: svch0stz <8684257+svch0stz@users.noreply.github.com>
Date: Mon, 5 Oct 2020 14:00:36 +1100
Subject: [PATCH] Delete win_net_use_admin_share.yml
---
.../win_net_use_admin_share.yml | 26 -------------------
1 file changed, 26 deletions(-)
delete mode 100644 rules/windows/process_creation/win_net_use_admin_share.yml
diff --git a/rules/windows/process_creation/win_net_use_admin_share.yml b/rules/windows/process_creation/win_net_use_admin_share.yml
deleted file mode 100644
index 2493c2fad..000000000
--- a/rules/windows/process_creation/win_net_use_admin_share.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-title: Mounted Windows Admin Shares with net.exe
-id: 3abd6094-7027-475f-9630-8ab9be7b9725
-status: experimental
-description: Detects when an admin share is mounted using net.exe
-references:
- - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
-author: Teymur Kheirkhabarov '@HeirhabarovT', Zach Stanford '@svch0st'
-date: 2020/10/05
-tags:
- - attack.lateral_movement
- - attack.T1021.002
-logsource:
- category: process_creation
- product: windows
-detection:
- selection:
- Image|endswith:
- - '\net.exe'
- - '\net1.exe'
- CommandLine|contains|all:
- - ' use '
- - '\\\\*\*$*'
- condition: selection
-falsepositives:
- - Administrators
-level: medium