Unmount Share Via Net.EXE
Type: Detection | Level: low | Status: test
Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
Author: oscd.community, Zach Stanford. Created Thu Oct 08, updated Tue Feb 21. Rule ID: cb7c4a03-2871-43c0-9bbb-18bbdb079896. Log source: windows.
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic (2 selectors)
detection:
    selection_img:
        - Image|endswith:
            - '\net.exe'
            - '\net1.exe'
        - OriginalFileName:
            - 'net.exe'
            - 'net1.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'share'
            - '/delete'
    condition: all of selection*
False Positives
Administrators or Power users may remove their shares via cmd line
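The rule's matching semantics, as an added example that is not part of the rule or this page: a small Python evaluator that applies the `endswith` and `contains|all` modifiers and the `all of selection*` condition to constructed process-creation events (it also accepts `1 of selection*`, which this rule does not use). The RULE dict is a transcription of the detection block above; the events are made up.

```python
import fnmatch
import re

# The detection block of the rule above, transcribed into a dict (assumed faithful copy).
RULE = {
    "selection_img": [
        {"Image|endswith": ["\\net.exe", "\\net1.exe"]},
        {"OriginalFileName": ["net.exe", "net1.exe"]},
    ],
    "selection_cli": {"CommandLine|contains|all": ["share", "/delete"]},
    "condition": "all of selection*",
}

def _match_field(event, key, values):
    """One field with Sigma modifiers (case-insensitive); a value list is OR unless 'all'."""
    field, *mods = key.split("|")
    actual = str(event.get(field, "")).lower()
    vals = [str(v).lower() for v in (values if isinstance(values, list) else [values])]
    if "endswith" in mods:
        hits = [actual.endswith(v) for v in vals]
    elif "contains" in mods:
        hits = [v in actual for v in vals]
    else:
        hits = [actual == v for v in vals]
    return all(hits) if "all" in mods else any(hits)

def _match_selection(event, selection):
    """A mapping ANDs its keys; a list of mappings ORs its items (as in selection_img)."""
    if isinstance(selection, list):
        return any(_match_selection(event, item) for item in selection)
    return all(_match_field(event, k, v) for k, v in selection.items())

def matches(event, rule=RULE):
    """Evaluate the 'all of selection*' / '1 of selection*' condition forms."""
    quant, pattern = re.fullmatch(r"(all|1) of (\S+)", rule["condition"]).groups()
    names = [n for n in rule if n != "condition" and fnmatch.fnmatch(n, pattern)]
    results = [_match_selection(event, rule[n]) for n in names]
    return all(results) if quant == "all" else any(results)

# Constructed sample events (not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\net.exe", "CommandLine": "net share data /delete"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "net1.exe",
     "CommandLine": "net1 SHARE backup /DELETE"},
    {"Image": r"C:\Windows\System32\net.exe", "CommandLine": "net share"},
    {"Image": r"C:\Windows\System32\net.exe", "CommandLine": "net use Z: /delete"},
]

def alerts(events=EVENTS):
    return [e["CommandLine"] for e in events if matches(e)]
```

The second event shows why the rule ORs Image against OriginalFileName: a renamed binary still hits on OriginalFileName, and the fourth shows that `net use ... /delete` is out of scope because both `share` and `/delete` are required.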
MITRE ATT&CK
Tactics: Defense Evasion (attack.defense-evasion)
Sub-techniques: T1070.005 (attack.t1070.005)
Rule Metadata
Rule ID: cb7c4a03-2871-43c0-9bbb-18bbdb079896
Status: test
Level: low
Type: Detection
Created: Thu Oct 08
Modified: Tue Feb 21
Author: oscd.community, Zach Stanford
Path: rules/windows/process_creation/proc_creation_win_net_share_unmount.yml
Raw Tags: attack.defense-evasion, attack.t1070.005