Stealth

T1070.005: Network Share Connection Removal

T1070.005 · Sub-technique · 1 platform · 1 group

Description

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and SMB/Windows Admin Shares connections can be removed when no longer needed. Net is an example utility that can be used to remove network share connections with the <code>net use \\system\share /delete</code> command. (Citation: Technet Net Use)

Platforms

Windows

Threat Groups (1)

| ID | Group | Context |
| --- | --- | --- |
| G0027 | Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) has detached network shares after exfiltrating files, likely to evade detection.(Citation: ... |

Associated Software (4)

| ID | Name | Type | Context |
| --- | --- | --- | --- |
| S0039 | Net | Tool | The <code>net use \\system\share /delete</code> command can be used in [Net](https://attack.mitre.org/software/S0039) to remove an established connect... |
| S0400 | RobbinHood | Malware | [RobbinHood](https://attack.mitre.org/software/S0400) disconnects all network shares from the computer with the command <code>net use * /DELETE /Y</co... |
| S1159 | DUSTTRAP | Malware | [DUSTTRAP](https://attack.mitre.org/software/S1159) can remove network shares from infected systems.(Citation: Google Cloud APT41 2024) |
| S0260 | InvisiMole | Malware | [InvisiMole](https://attack.mitre.org/software/S0260) can disconnect previously connected remote drives.(Citation: ESET InvisiMole June 2018) |

Frequently Asked Questions

What is T1070.005 (Network Share Connection Removal)?

T1070.005 is a MITRE ATT&CK technique named 'Network Share Connection Removal'. It belongs to the Stealth tactic(s). Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and [SMB/Windows Admin Shares](https://attack.mitre.org/techniqu...

How can T1070.005 be detected?

Detection of T1070.005 (Network Share Connection Removal) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
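One way to turn this into a concrete check is to parse process-creation command lines for the `net use ... /delete` forms quoted on this page. The following is an added example, not code from MITRE or any vendor; the event field names (`host`, `command_line`), the sample events and the scope labels are assumptions made for illustration.

```python
import re
import shlex
from ntpath import basename
NET_BINARIES = {"net", "net.exe", "net1", "net1.exe"}
ADMIN_SHARE = re.compile(r"^\\\\[^\\]+\\(?:[a-z]\$|admin\$|ipc\$)$", re.I)

def _tokens(command_line):
    try:
        parts = shlex.split(command_line, posix=False)  # keeps backslashes intact
    except ValueError:  # unbalanced quote: fall back to whitespace split
        parts = command_line.split()
    return [p.strip('"') for p in parts]

def _is_delete_switch(tok):
    # Matches /delete in any case; shorter prefixes (/d, /del) are also
    # treated as matches, an assumption about how the switch may be typed.
    return len(tok) > 1 and tok[0] == "/" and "delete".startswith(tok[1:].lower())

def classify_removal(command_line):
    """Return None, or a dict describing a 'net use ... /delete' invocation."""
    toks = _tokens(command_line)
    if len(toks) < 3 or basename(toks[0]).lower() not in NET_BINARIES:
        return None
    args = toks[2:]
    if toks[1].lower() != "use" or not any(_is_delete_switch(t) for t in args):
        return None
    target = next((t for t in args if not t.startswith("/")), None)
    if target == "*":
        scope = "all-connections"
    elif target and ADMIN_SHARE.match(target):
        scope = "admin-share"
    elif target and target.startswith("\\\\"):
        scope = "unc-share"
    else:
        scope = "drive-letter" if target else "unspecified"
    return {"target": target, "scope": scope, "no_prompt": any(t.lower() == "/y" for t in args)}

# Constructed sample events (hosts and shares are made up for illustration).
SAMPLE_EVENTS = [
    {"host": "WS-01", "command_line": r"net use \\fileserver\finance /delete"},
    {"host": "WS-02", "command_line": r'"C:\Windows\System32\net.exe" use * /DELETE /Y'},
    {"host": "WS-03", "command_line": r"net1 use \\dc01\C$ /d"},
    {"host": "WS-04", "command_line": r"net use Z: \\fileserver\public /persistent:no"},
    {"host": "WS-05", "command_line": r"net user alice /delete"},
]

def find_share_removals(events):
    return [(e["host"], h) for e in events if (h := classify_removal(e["command_line"]))]
```

Share disconnects are also routine administrative activity, so hits are best triaged by scope (wildcard with `/Y`, or an admin share) and by what the same host did shortly beforehand.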

What mitigations exist for T1070.005?

Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.

Which threat groups use T1070.005?

Known threat groups using T1070.005 include: Threat Group-3390.