
Summary
The detection rule "PowerShell Deleted Mounted Share" identifies the removal of mounted SMB share connections through PowerShell. Removing such shares can indicate malicious activity, as adversaries often disconnect from shared resources to eliminate traces of their operations. The rule monitors script block logging events in which the PowerShell cmdlets 'Remove-SmbShare' or 'Remove-FileShare' are invoked; script block logging must be enabled on the Windows hosts so that the required events are captured. The rule is classified under the defense-evasion tactic of the MITRE ATT&CK framework, specifically technique T1070.005, which covers the clearing of logs and traces to hinder detection.
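The following is an added example, not part of the rule page or the rule's own source, showing the detection logic described above run over a handful of constructed script block logging events. It assumes the events carry the Windows PowerShell event ID 4104 (the script block logging event) and a ScriptBlockText field, and that the cmdlet names are matched case-insensitively; the event records and record IDs are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List

# Cmdlets named in the rule description.
WATCHED_CMDLETS = ("Remove-SmbShare", "Remove-FileShare")

# Case-insensitive match, since PowerShell cmdlet names are case-insensitive
# (assumption about the rule's matching semantics; not stated on the page).
_PATTERN = re.compile("|".join(re.escape(c) for c in WATCHED_CMDLETS), re.IGNORECASE)

# Windows event ID for PowerShell script block logging
# (Microsoft-Windows-PowerShell/Operational, event 4104).
SCRIPT_BLOCK_EVENT_ID = 4104


@dataclass
class PowerShellEvent:
    """Minimal view of a PowerShell operational log record (constructed shape)."""
    record_id: int
    event_id: int
    script_block_text: str


def matches_rule(event: PowerShellEvent) -> bool:
    """Return True when the event is a script block log entry that invokes a watched cmdlet."""
    if event.event_id != SCRIPT_BLOCK_EVENT_ID:
        # The rule relies on script block logging; other PowerShell events are out of scope.
        return False
    return _PATTERN.search(event.script_block_text) is not None


def find_matches(events: List[PowerShellEvent]) -> List[int]:
    """Return the record IDs of all events that trigger the rule."""
    return [e.record_id for e in events if matches_rule(e)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    PowerShellEvent(1, 4104, "Get-SmbShare | Where-Object Path -like 'C:\\Data*'"),
    PowerShellEvent(2, 4104, "Remove-SmbShare -Name 'Staging' -Force"),
    PowerShellEvent(3, 4104, "remove-fileshare -Name 'Logs' -Confirm:$false"),
    # Same cmdlet, but event 4103 (module logging) is not a script block event.
    PowerShellEvent(4, 4103, "Remove-SmbShare -Name 'Staging'"),
    PowerShellEvent(5, 4104, "New-SmbShare -Name 'Public' -Path 'C:\\Public'"),
]

if __name__ == "__main__":
    for record_id in find_matches(SAMPLE_EVENTS):
        print(f"record {record_id}: matched PowerShell Deleted Mounted Share")
```

Records 2 and 3 match; record 1 and 5 only list or create shares, and record 4 is a module logging event rather than a script block event, so the rule as described would not see it unless script block logging is enabled.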
Categories
- Windows
- Endpoint
Data Sources
- Script
- Process
ATT&CK Techniques
- T1070.005
Created: 2020-10-08