Network Share Connection Removal

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and Windows Admin Shares connections can be removed when no longer needed. Net is an example utility that can be used to remove network share connections with the net use \\system\share /delete command.

Example:

Adversaries can use shares to move files and malware or to move laterally; they can also force authentication to capture hashes.

In this example, let us see how an adversary removes a share that contains malware and their stolen data.

In this scenario the adversary has gained access to Desktop-Alpha and has a share connected with Desktop-Bravo. Since this workstation contains all the goods, it is time to disconnect and remove the share so that no traces lead back to our malware and sources.

We use net to list the shares available on the compromised workstation.

We can see this in the GUI as well.

Let's see what our share contains.

File Content

OK, we have passwords. Let us remove the share so nobody else has access to it.

We have a Z: drive connected, and our goal was to remove it. Once the removal succeeds, we no longer see the share connected.
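
A defender-side check for the behaviour shown above, as an added example that is not part of the original page: it scans process-creation command lines (for example from Security event 4688 or Sysmon event 1) for net use ... /delete and reports which connection was removed. The event field names, the share name and the sample events are constructed, and treating /del and /d as short forms of /delete is an assumption.

```python
import re

# net.exe or net1.exe, optionally quoted and with a path, followed by "use".
NET_USE = re.compile(r'(?i)^\s*"?(?:[^"\s]*[\\/])?net1?(?:\.exe)?"?\s+use\b(.*)$')
# /delete plus the short forms /del and /d (assumed to be accepted by net).
DELETE_SWITCH = re.compile(r'(?i)(?:^|\s)/d(?:el(?:ete)?)?(?=\s|$)')
# What is being disconnected: all connections (*), a drive letter, or a UNC path.
TARGET = re.compile(r'(?i)(?:^|\s)(\*|[a-z]:|\\\\[^\s\\]+\\\S+)(?=\s|$)')

def share_removal_target(command_line):
    """Return the removed connection (drive, UNC path or *), else None."""
    match = NET_USE.match(command_line)
    if not match:
        return None  # not "net use" (e.g. "net user", "net share")
    args = match.group(1)
    if not DELETE_SWITCH.search(args):
        return None  # listing or mapping a share, not removing one
    target = TARGET.search(args)
    return target.group(1) if target else "<unknown>"

def find_share_removals(events):
    """Return (host, target) for every event that removes a share connection."""
    findings = []
    for event in events:
        target = share_removal_target(event["command_line"])
        if target is not None:
            findings.append((event["host"], target))
    return findings

# Constructed sample events; "host" and "command_line" are hypothetical field names.
SAMPLE_EVENTS = [
    {"host": "Desktop-Alpha", "command_line": r"net use"},
    {"host": "Desktop-Alpha", "command_line": r"net use Z: \\Desktop-Bravo\share"},
    {"host": "Desktop-Alpha", "command_line": r"net use Z: /delete"},
    {"host": "Desktop-Alpha",
     "command_line": r'"C:\Windows\System32\net1.exe" use \\Desktop-Bravo\share /del'},
    {"host": "Desktop-Alpha", "command_line": r"NET.EXE USE * /DELETE"},
    {"host": "Desktop-Alpha", "command_line": r"net user bob /delete"},
    {"host": "Desktop-Alpha", "command_line": r"net share data /delete"},
]

if __name__ == "__main__":
    for host, target in find_share_removals(SAMPLE_EVENTS):
        print(f"{host}: share connection removed: {target}")
```

A removal on its own is routine administrative activity; it carries more weight when the same host mapped the share and accessed its files shortly beforehand.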
