Type: Detection | Level: medium | Status: test

PowerShell Deleted Mounted Share

Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

Author: oscd.community, Zach Stanford
Created: Thu Oct 08
Updated: Tue Oct 07
Rule ID: 66a4d409-451b-4151-94f4-a55d559c49b0
Product: windows
Log Source
Product: Windows (raw: windows)
Category: PowerShell Script (raw: ps_script)

Definition

Requirements: Script Block Logging must be enabled

Detection Logic (2 selectors)
detection:
    selection:
        ScriptBlockText|contains:
            - 'Remove-SmbShare'
            - 'Remove-FileShare'
    filter_main_module_load:
        ScriptBlockText|contains|all:
            - 'FileShare.cdxml'
            - 'Microsoft.PowerShell.Core\Export-ModuleMember'
            - 'ROOT/Microsoft/Windows/Storage/MSFT_FileShare'
            - 'ObjectModelWrapper'
            - 'Cmdletization.MethodParameter'
    condition: selection and not 1 of filter_main_*
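As an added illustration (not SigmaHQ code and not part of the rule), the following Python evaluates the selection and filter logic above against constructed Script Block Logging (Event ID 4104) texts. It shows why the filter exists: importing the FileShare.cdxml module emits a script block that mentions Remove-FileShare, and the filter suppresses that, while a direct Remove-SmbShare call still alerts.

```python
# Added example: minimal evaluator for the Sigma rule above, run over
# constructed ScriptBlockText values. Sigma string modifiers are
# case-insensitive, so all comparisons are lowercased. Not SigmaHQ code.

# selection: ScriptBlockText|contains (any one is enough)
SELECTION_ANY = ["Remove-SmbShare", "Remove-FileShare"]

# filter_main_module_load: ScriptBlockText|contains|all (every one must appear)
FILTER_MODULE_LOAD_ALL = [
    "FileShare.cdxml",
    "Microsoft.PowerShell.Core\\Export-ModuleMember",
    "ROOT/Microsoft/Windows/Storage/MSFT_FileShare",
    "ObjectModelWrapper",
    "Cmdletization.MethodParameter",
]


def contains_any(text: str, needles) -> bool:
    t = text.lower()
    return any(n.lower() in t for n in needles)


def contains_all(text: str, needles) -> bool:
    t = text.lower()
    return all(n.lower() in t for n in needles)


def rule_matches(script_block_text: str) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    selection = contains_any(script_block_text, SELECTION_ANY)
    filtered = contains_all(script_block_text, FILTER_MODULE_LOAD_ALL)
    return selection and not filtered


# Constructed sample ScriptBlockText values (not real captured logs)
SAMPLES = {
    "cleanup": "Remove-SmbShare -Name 'staging' -Force",
    "module_load": (
        "# FileShare.cdxml generated cmdlet wrapper\n"
        "Microsoft.PowerShell.Core\\Export-ModuleMember -Function Remove-FileShare\n"
        "ROOT/Microsoft/Windows/Storage/MSFT_FileShare ObjectModelWrapper "
        "Cmdletization.MethodParameter"
    ),
    "benign": "Get-SmbShare | Format-Table Name, Path",
}


def evaluate(samples=SAMPLES) -> dict:
    """Return {sample name: True if the rule would alert}."""
    return {name: rule_matches(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name}: {'ALERT' if hit else 'no match'}")
```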
False Positives

Administrators or power users may remove their shares via the command line.

Rule Metadata
Rule ID
66a4d409-451b-4151-94f4-a55d559c49b0
Status
test
Level
medium
Type
Detection
Created
Thu Oct 08
Modified
Tue Oct 07
Path
rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml
Raw Tags
attack.defense-evasion, attack.t1070.005