Windows network share deletion via net.exe
| Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
|---|---|---|---|---|
| Windows network share deletion via net.exe | Standard | Sysmon, Windows | Defense Evasion: Indicator Removal - Network Share Connection Removal (T1070.005); Impact: Account Access Removal (T1531) | Trouble |
About the rule
Rule Type
Standard
Rule Description
Detects the removal of Windows network shares using the built-in net.exe utility, a technique often used by attackers to disrupt access, hide activity, or impair recovery during lateral movement or ransomware operations.
Why this rule?
Network share deletion via net.exe is a hallmark technique of ransomware operators, destructive malware, and attackers attempting to impair recovery capabilities before executing final attack stages. By removing network shares, attackers prevent users and administrators from accessing backup locations, shared documents, central file repositories, and recovery resources, maximizing operational disruption and forcing victims to pay ransoms or accept data loss. This technique is commonly observed immediately before ransomware encryption begins, during data destruction attacks (wipers), and as part of anti-forensic activities where attackers eliminate evidence or access paths. Legitimate share removal by IT administrators follows documented change management processes, making unexpected deletions high-confidence indicators of malicious intent or insider threats.
Severity
Trouble
Rule journey
Attack chain scenario
Impact → Network Share Deletion → Access Disruption → Recovery Impairment.
Impact
Disrupted network access, hidden attacker activity, impaired recovery capabilities during ransomware attacks.
Rule Requirement
Prerequisites
Enable Process Creation auditing (Event ID 4688) or Sysmon Event ID 1.
Criteria
Action1: actionname = "Process started"
  AND ( PROCESSNAME endswith "net.exe" OR ORIGINALFILENAME = "net.exe"
        OR PROCESSNAME endswith "net1.exe" OR ORIGINALFILENAME = "net1.exe" )
  AND ( COMMANDLINE contains "share" AND COMMANDLINE contains "/delete" )
select Action1.HOSTNAME, Action1.MESSAGE, Action1.COMMANDLINE, Action1.FILE_NAME, Action1.PROCESSNAME, Action1.USERNAME, Action1.PARENTPROCESSNAME, Action1.PARENTPROCESSCOMMANDLINE, Action1.ORIGINALFILENAME, Action1.PARENTPROCESSID, Action1.PROCESSID, Action1.PRODUCT_NAME, Action1.SECURITYID, Action1.DOMAIN
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
Defense Evasion: Indicator Removal - Network Share Connection Removal (T1070.005); Impact: Account Access Removal (T1531)
Future actions
Known False Positives
IT administrators might perform this action legitimately; add filters as required for your environment (for example, accounts or hosts covered by change management).
Next Steps
- Identification: Identify which network shares were deleted and by whom.
- Analysis: Determine if the deletion was authorized and part of legitimate maintenance.
- Response: Restore shares if unauthorized and investigate the deletion source.
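The matching logic in the Criteria section above, together with the Identification step in Next Steps, as an added Python example; this is not part of this rule page or the product's own code. It re-implements the rule's PROCESSNAME/ORIGINALFILENAME and COMMANDLINE tests over constructed process-creation records in the shape a SIEM would normalise Sysmon Event ID 1 or Security Event ID 4688 into, extracts the deleted share name from the command line for triage, and applies a hypothetical allow-list of change-managed admin accounts as the kind of false-positive filter the Known False Positives section recommends. Field names follow the rule's select list; case-insensitive matching, the `SAMPLE_EVENTS` records and the `ALLOWED_ADMIN_ACCOUNTS` set are assumptions made for the example.

```python
import re

# Constructed sample events (not real telemetry): one dict per process-creation
# record, using the field names from the rule's select list.
SAMPLE_EVENTS = [
    {"HOSTNAME": "FS01", "PROCESSNAME": r"C:\Windows\System32\net.exe",
     "ORIGINALFILENAME": "net.exe", "USERNAME": r"CORP\svc-backup",
     "COMMANDLINE": "net share Backups /delete",
     "PARENTPROCESSNAME": r"C:\Windows\System32\cmd.exe"},
    # net.exe hands the real work to net1.exe, so the rule also covers net1.exe.
    {"HOSTNAME": "FS01", "PROCESSNAME": r"C:\Windows\System32\net1.exe",
     "ORIGINALFILENAME": "net1.exe", "USERNAME": r"CORP\jdoe",
     "COMMANDLINE": r'C:\Windows\system32\net1 share "Finance Docs" /delete',
     "PARENTPROCESSNAME": r"C:\Windows\System32\net.exe"},
    # Mapped-drive removal: "net use ... /delete" has no "share" substring.
    {"HOSTNAME": "WS22", "PROCESSNAME": r"C:\Windows\System32\net.exe",
     "ORIGINALFILENAME": "net.exe", "USERNAME": r"CORP\jdoe",
     "COMMANDLINE": r"net use Z: \\fs01\public /delete",
     "PARENTPROCESSNAME": r"C:\Windows\System32\cmd.exe"},
    # Change-managed admin account (hypothetical allow-list entry below).
    {"HOSTNAME": "FS01", "PROCESSNAME": r"C:\Windows\System32\net.exe",
     "ORIGINALFILENAME": "net.exe", "USERNAME": r"CORP\itadmin",
     "COMMANDLINE": "net share Temp$ /delete",
     "PARENTPROCESSNAME": r"C:\Windows\System32\cmd.exe"},
    # Same words, wrong binary: the process test must fail.
    {"HOSTNAME": "WS22", "PROCESSNAME": r"C:\Windows\System32\notepad.exe",
     "ORIGINALFILENAME": "notepad.exe", "USERNAME": r"CORP\jdoe",
     "COMMANDLINE": "notepad.exe share /delete notes.txt",
     "PARENTPROCESSNAME": r"C:\Windows\explorer.exe"},
    # Substring edge case: "shared" contains "share", so the rule fires even
    # though this removes a mapped connection rather than a share.
    {"HOSTNAME": "WS22", "PROCESSNAME": r"C:\Windows\System32\net.exe",
     "ORIGINALFILENAME": "net.exe", "USERNAME": r"CORP\jdoe",
     "COMMANDLINE": r"net use \\fs01\shared /delete",
     "PARENTPROCESSNAME": r"C:\Windows\System32\cmd.exe"},
]

# Hypothetical allow-list of accounts whose share changes go through change
# management; an assumption for the example, not a recommendation of values.
ALLOWED_ADMIN_ACCOUNTS = {r"corp\itadmin"}

# "net share <name> /delete": the name is either a quoted string or one token.
SHARE_RE = re.compile(r'\bshare\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def matches_rule(ev):
    """Mirror the rule's Criteria. Matching is case-insensitive here (assumption)."""
    proc = ev.get("PROCESSNAME", "").lower()
    orig = ev.get("ORIGINALFILENAME", "").lower()
    cmd = ev.get("COMMANDLINE", "").lower()
    is_net = (proc.endswith("net.exe") or orig == "net.exe"
              or proc.endswith("net1.exe") or orig == "net1.exe")
    return is_net and "share" in cmd and "/delete" in cmd


def deleted_share(cmdline):
    """Identification step: pull the share name out of a 'net share X /delete'.
    Returns None when no share name can be parsed (e.g. a 'net use' line)."""
    m = SHARE_RE.search(cmdline)
    if not m:
        return None
    name = m.group(1) or m.group(2)
    return None if name.startswith("/") else name


def triage(events, allow_list=ALLOWED_ADMIN_ACCOUNTS):
    """Run the rule over normalised events and annotate each hit for the analyst."""
    findings = []
    for ev in events:
        if not matches_rule(ev):
            continue
        allowed = ev["USERNAME"].lower() in allow_list
        findings.append({
            "host": ev["HOSTNAME"],
            "user": ev["USERNAME"],
            "share": deleted_share(ev["COMMANDLINE"]),
            "parent": ev["PARENTPROCESSNAME"],
            "disposition": "suppressed-allowlisted" if allowed else "alert",
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['disposition']:22} host={f['host']} user={f['user']} "
              f"share={f['share']!r} parent={f['parent']}")
```

Two points the sample run makes visible: the rule's `contains "share"` test also fires on `net use \\host\shared /delete`, a mapped-connection removal where no share name parses, so the example keeps such hits as alerts with `share` set to `None` for the analyst to check the verb rather than dropping them silently; and the allow-list is applied after matching, so suppressed events are still returned with a disposition and can be logged for audit.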