Techniques
Sample rules
Unmount Share Via Net.EXE
- source: sigma
- techniques:
  - t1070
  - t1070.005
Description
Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
Detection logic
condition: all of selection*
selection_cli:
  CommandLine|contains|all:
    - share
    - /delete
selection_img:
  - Image|endswith:
      - \net.exe
      - \net1.exe
  - OriginalFileName:
      - net.exe
      - net1.exe
PowerShell Deleted Mounted Share
- source: sigma
- techniques:
  - t1070
  - t1070.005
Description
Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
Detection logic
condition: selection
selection:
  ScriptBlockText|contains:
    - Remove-SmbShare
    - Remove-FileShare