Indicator Removal: Network Share Connection Removal

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and SMB/Windows Admin Shares connections can be removed when no longer needed. Net is an example utility that can be used to remove network share connections with the net use \\system\share /delete command. [1]

ID: T1070.005
Sub-technique of: T1070
Tactic: Defense Evasion
Platforms: Windows
Version: 1.2
Created: 31 January 2020
Last Modified: 24 October 2025

Procedure Examples

| ID | Name | Description |
|---|---|---|
| S1159 | DUSTTRAP | DUSTTRAP can remove network shares from infected systems.[2] |
| S0260 | InvisiMole | InvisiMole can disconnect previously connected remote drives.[3] |
| S0039 | Net | The net use \\system\share /delete command can be used in Net to remove an established connection to a network share.[1] |
| S0400 | RobbinHood | RobbinHood disconnects all network shares from the computer with the command net use * /DELETE /Y.[4] |
| G0027 | Threat Group-3390 | Threat Group-3390 has detached network shares after exfiltrating files, likely to evade detection.[5] |

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection Strategy

| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0103 | Behavioral Detection of Network Share Connection Removal via CLI and SMB Disconnects | AN0286 | Detects network share disconnection attempts using command-line tools like net use /delete, PowerShell Remove-SmbMapping, and correlation with process lineage and SMB session teardown activity. |
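
The command-line half of the analytic described above, as an added example that is not ATT&CK's own analytic: it matches net use delete switches and Remove-SmbMapping in process-creation events and reports the parent process for lineage review. The field names CommandLine and ParentImage follow Sysmon Event ID 1; the sample events and the EXPECTED_PARENTS list are constructed assumptions, and SMB session teardown correlation is not covered.

```python
import re

# net.exe / net1.exe "use <target>" followed by a delete switch
# (/delete, /del or /d, any case). Plain mappings such as /user:... do not match.
NET_USE_DELETE = re.compile(
    r'(?i)\bnet1?(?:\.exe)?"?\s+use\s+(?P<target>\S+).*?\s/d(?:el(?:ete)?)?(?=\s|$)'
)
# PowerShell cmdlet named in the analytic description.
REMOVE_SMBMAPPING = re.compile(r"(?i)\bRemove-SmbMapping\b")

# Assumption: parents treated as routine for interactive share cleanup.
# Tune this per environment; it is not part of the ATT&CK analytic.
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}


def detect_share_removal(event):
    """Return a finding dict for one process-creation event, or None."""
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    match = NET_USE_DELETE.search(cmd)
    if match:
        method, target = "net use /delete", match.group("target")
    elif REMOVE_SMBMAPPING.search(cmd):
        method, target = "Remove-SmbMapping", None
    else:
        return None
    return {
        "technique": "T1070.005",
        "method": method,
        "all_shares": target == "*",  # e.g. net use * /DELETE /Y
        "parent": parent,
        "unusual_parent": parent not in EXPECTED_PARENTS,
    }


# Constructed sample events (not taken from any real host).
SAMPLE_EVENTS = [
    {"CommandLine": r"net use \\system\share /delete",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"CommandLine": r'"C:\Windows\system32\net.exe" use * /DELETE /Y',
     "ParentImage": r"C:\Users\Public\svc.exe"},
    {"CommandLine": r"powershell.exe -c Remove-SmbMapping -RemotePath \\system\share -Force",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"CommandLine": r"net use Z: \\system\share /user:corp\alice",  # mapping, not removal
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(detect_share_removal(ev))
```
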

References