Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) connections can be removed when no longer needed. [Net](https://attack.mitre.org/software/S0039) is an example utility that can be used to remove network share connections with the net use \\system\share /delete command. (Citation: Technet Net Use)
Add a Network Share utilizing the command_prompt
Supported Platforms: Windows
auto_generated_guid: 14c38f32-6509-46d8-ab43-d53e32d2b131
| Name | Description | Type | Default Value | |——|————-|——|—————| | share_name | Share to add. | string | \\test\share|
1
command_prompt
net use c: #{share_name}
net share test=#{share_name} /REMARK:"test share" /CACHE:No
Removes a Network Share utilizing the command_prompt
Supported Platforms: Windows
auto_generated_guid: 09210ad5-1ef2-4077-9ad3-7351e13e9222
| Name | Description | Type | Default Value | |——|————-|——|—————| | share_name | Share to remove. | string | \\test\share|
1
command_prompt
net share #{share_name} /delete
Removes a Network Share utilizing PowerShell
Supported Platforms: Windows
auto_generated_guid: 0512d214-9512-4d22-bde7-f37e058259b3
| Name | Description | Type | Default Value | |——|————-|——|—————| | share_name | Share to remove. | string | \\test\share|
1
powershell
1
2
Remove-SmbShare -Name #{share_name}
Remove-FileShare -Name #{share_name}
Administrative shares are hidden network shares created by Microsoft’s Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system. These shares are automatically created at started unless they have been purposefully disabled as is done in this Atomic test. As Microsoft puts it, “Missing administrative shares typically indicate that the computer in question has been compromised by malicious software.” https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/
Supported Platforms: Windows
auto_generated_guid: 99c657aa-ebeb-4179-a665-69288fdd12b8
1
command_prompt
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /t REG_DWORD /d 0 /f
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer /f
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /f
Administrative shares are hidden network shares created by Microsoft’s Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system. As Microsoft puts it, “Missing administrative shares typically indicate that the computer in question has been compromised by malicious software. https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/
Supported Platforms: Windows
auto_generated_guid: 4299eff5-90f1-4446-b2f3-7f4f5cfd5d62
1
command_prompt
for %i in (C$ IPC$ ADMIN$) do net share %i /delete
net share ADMIN$ /UNLIMITED >nul 2>&1
net share C$=C:\ >nul 2>&1
net share IPC$ >nul 2>&1