Techniques
Sample rules
PowerShell Deleted Mounted Share
- source: sigma
- techniques:
    - t1070
    - t1070.005
Description
Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_module_load:
    ScriptBlockText|contains|all:
        - FileShare.cdxml
        - Microsoft.PowerShell.Core\Export-ModuleMember
        - ROOT/Microsoft/Windows/Storage/MSFT_FileShare
        - ObjectModelWrapper
        - Cmdletization.MethodParameter
selection:
    ScriptBlockText|contains:
        - Remove-SmbShare
        - Remove-FileShare
Unmount Share Via Net.EXE
- source: sigma
- techniques:
    - t1070
    - t1070.005
Description
Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
Detection logic
condition: all of selection*
selection_cli:
    CommandLine|contains|all:
        - share
        - /delete
selection_img:
    - Image|endswith:
        - \net.exe
        - \net1.exe
    - OriginalFileName:
        - net.exe
        - net1.exe
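To see how the two rules above behave on concrete telemetry, the following is an added example, not part of this page or of the Sigma project: a small Python evaluator that re-implements the `contains`, `contains|all` and `endswith` modifiers the rules use (case-insensitive, as Sigma string matching is by default) and runs both rules over constructed sample events. The event dictionaries, their field values and the `run_rules` helper are assumptions made for the example; the match strings are taken from the rules as written. Event 2 shows the `filter_main_module_load` exclusion suppressing a hit when the share cmdlet appears inside the module's own definition text, and event 5 shows why `selection_img` ORs `Image` with `OriginalFileName`: a copy of net.exe under another file name still carries its original name in the PE version resource.

```python
"""Added example: evaluate the two Sigma rules for T1070.005 over constructed events.
Not the page's or the Sigma project's own code; the events and helper names are assumptions."""

# Constructed sample events (not real telemetry). Event 1 and 2 are PowerShell script
# block logs (ScriptBlockText); events 3 to 5 are process creation events.
EVENTS = [
    {"id": 1, "ScriptBlockText": "Remove-SmbShare -Name Backup -Force"},
    {"id": 2, "ScriptBlockText": (
        "FileShare.cdxml Microsoft.PowerShell.Core\\Export-ModuleMember "
        "ROOT/Microsoft/Windows/Storage/MSFT_FileShare ObjectModelWrapper "
        "Cmdletization.MethodParameter Remove-FileShare")},
    {"id": 3, "Image": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "net share Backup /delete"},
    {"id": 4, "Image": "C:\\Windows\\System32\\net1.exe",
     "CommandLine": "net1 share Backup"},
    {"id": 5, "Image": "C:\\Users\\Public\\svc.exe", "OriginalFileName": "net.exe",
     "CommandLine": "svc share Backup /delete"},
]


# Sigma string modifiers, case-insensitive like Sigma's default matching.
def contains(value, needle):
    return needle.lower() in (value or "").lower()


def contains_all(value, needles):
    return all(contains(value, n) for n in needles)


def contains_any(value, needles):
    return any(contains(value, n) for n in needles)


def endswith_any(value, suffixes):
    v = (value or "").lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def powershell_deleted_mounted_share(event):
    """condition: selection and not 1 of filter_main_*"""
    text = event.get("ScriptBlockText", "")
    selection = contains_any(text, ["Remove-SmbShare", "Remove-FileShare"])
    filter_main_module_load = contains_all(text, [
        "FileShare.cdxml",
        "Microsoft.PowerShell.Core\\Export-ModuleMember",
        "ROOT/Microsoft/Windows/Storage/MSFT_FileShare",
        "ObjectModelWrapper",
        "Cmdletization.MethodParameter",
    ])
    return selection and not filter_main_module_load


def unmount_share_via_net(event):
    """condition: all of selection* (selection_img is a list, so its entries are ORed)"""
    selection_cli = contains_all(event.get("CommandLine", ""), ["share", "/delete"])
    selection_img = (
        endswith_any(event.get("Image", ""), ["\\net.exe", "\\net1.exe"])
        or event.get("OriginalFileName", "").lower() in ("net.exe", "net1.exe")
    )
    return selection_cli and selection_img


RULES = {
    "PowerShell Deleted Mounted Share": powershell_deleted_mounted_share,
    "Unmount Share Via Net.EXE": unmount_share_via_net,
}


def run_rules(events):
    """Return {event id: [titles of rules that fired]} for events with at least one hit."""
    hits = {}
    for ev in events:
        matched = [title for title, rule in RULES.items() if rule(ev)]
        if matched:
            hits[ev["id"]] = matched
    return hits


if __name__ == "__main__":
    for eid, titles in run_rules(EVENTS).items():
        print(f"event {eid}: {', '.join(titles)}")
```

Run as a script it reports hits for events 1, 3 and 5 only: event 2 is suppressed by the module-load filter, and event 4 lacks `/delete`, so listing shares does not fire the rule.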