
Summary
This detection rule identifies events related to the removal of network share connections on Windows systems, activity that may indicate an adversary attempting to erase traces of their presence after a compromise. The logic is implemented as a Snowflake query over the `crowdstrikefdr_process` table, which holds process execution events. It looks for executions of the `net` command (with or without the `.exe` extension) used to manage share connections, focusing on `net share` invocations, and it triggers on any such event that occurred within the past two hours. Regex patterns applied to the command details are used to match the invocation, so the rule is aimed at evasive behaviour around network share management. The referenced technique ID, T1070.005, places this activity in the wider context of the indicator removal tactics used by adversaries.
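The matching logic described above, re-implemented here in Python as an added example so it can be run over sample events; this is not the rule's own Snowflake query, the event field names (`timestamp`, `host`, `command_line`) are assumptions rather than the FDR schema, and the events are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# The command-line shape the rule describes: a `net` or `net.exe` image invoking
# the `share` sub-command. The image may carry a path prefix, and the invocation
# may sit inside a longer line (e.g. wrapped in cmd.exe /c "..."). The leading
# character class keeps `netsh` and words ending in "net" from matching.
NET_SHARE_RE = re.compile(r"(?:^|[\\/\s\"'])net(?:\.exe)?\s+share\b", re.IGNORECASE)

LOOKBACK = timedelta(hours=2)  # the rule's two-hour window


def is_net_share_event(event: dict, now: datetime) -> bool:
    """True when the event is a `net share` invocation inside the lookback window."""
    ts = datetime.fromisoformat(event["timestamp"])
    if ts < now - LOOKBACK or ts > now:
        return False
    return NET_SHARE_RE.search(event["command_line"]) is not None


def find_net_share_events(events, now: datetime) -> list:
    """Return the subset of events the rule would alert on."""
    return [e for e in events if is_net_share_event(e, now)]


# Constructed sample events (field names are assumptions, values are made up).
NOW = datetime(2024, 2, 9, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"timestamp": "2024-02-09T11:30:00+00:00", "host": "ws01", "command_line": r"net share secret$ /delete"},
    {"timestamp": "2024-02-09T11:45:00+00:00", "host": "ws02", "command_line": r"C:\Windows\System32\net.exe share"},
    {"timestamp": "2024-02-09T08:00:00+00:00", "host": "ws03", "command_line": r"net share admin$ /delete"},  # outside the 2h window
    {"timestamp": "2024-02-09T11:50:00+00:00", "host": "ws04", "command_line": r"net use * /delete"},  # different sub-command
    {"timestamp": "2024-02-09T11:55:00+00:00", "host": "ws05", "command_line": r"netsh advfirewall show allprofiles"},  # netsh, not net
    {"timestamp": "2024-02-09T11:58:00+00:00", "host": "ws06", "command_line": r'cmd.exe /c "NET.EXE SHARE backup /delete"'},
]

if __name__ == "__main__":
    for hit in find_net_share_events(SAMPLE_EVENTS, NOW):
        print(hit["host"], "->", hit["command_line"])
```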
Categories
- Endpoint
- Windows
- Network
Data Sources
- Process
ATT&CK Techniques
- T1070.005
Created: 2024-02-09