DET0103: Behavioral Detection of Network Share Connection Removal via CLI and SMB Disconnects
Analyst context for executives and security teams
This detection strategy matters because removal of network share connections can be a cleanup behavior after an intruder has used Windows file shares or administrative shares. For leaders, the value is not just spotting a command; it is confirming whether the SOC can see when access paths used during an intrusion are being disconnected to reduce evidence or visibility.
Executive priority
Prioritize this as a validation point for Windows intrusion readiness and post-activity cleanup detection. It supports incident decision-making by helping teams identify when an actor may be ending or concealing network share activity. Executives should ask whether endpoint, command-line, and SMB/session telemetry is retained long enough to reconstruct share connection use and removal during investigations.
Technical view
The supplied ATT&CK relationship says DET0103 detects T1070.005, Network Share Connection Removal, a Windows stealth technique. SOC and detection engineering teams should validate correlation between command-line driven share removal behavior and SMB or Windows share disconnect events. Because the detection strategy object itself has no official description, detection text, tactics, or platforms, implementation should be anchored to the related technique context and local Windows telemetry availability.
Likely telemetry
- Windows process creation and command-line telemetry for share management utilities
- Endpoint logs showing user, host, parent process, and execution context
- SMB session, share connection, or disconnect telemetry where available
- Windows security or file sharing audit events relevant to network share access and teardown
- EDR or SIEM correlation data linking prior share access to later connection removal
Detection direction
- Validate visibility into command-line share removal activity and distinguish administrative maintenance from unusual cleanup behavior.
- Correlate share removal with preceding access to Windows shared drives or administrative shares, especially from unusual users, hosts, or sessions.
- Tune for context: legitimate IT scripts and helpdesk activity may remove mapped shares and can create false positives.
- Look for blind spots where command-line logging is disabled, SMB/session telemetry is not collected, or logs are not retained through the investigation window.
- Use the relationship to T1070.005 as the analytic anchor; the detection strategy object does not provide official detection logic.
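Added example, not code from the ATT&CK object or from Glexia's page: a small Python correlator that applies the direction above to constructed sample telemetry. It assumes share removal is issued through net.exe/net1.exe as `net use <target> /delete`, and that the SIEM exposes process-creation rows (user, host, parent process, command line) and share-access rows (user, host, share); the event shapes, users, hosts, shares and the approved-pattern list are all made up.

```python
"""Correlate share-connection removal with preceding share access (added example)."""
import re
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry: "process" rows stand in for process-creation
# records with command line, "share_access" rows for SMB share-access audit records.
EVENTS = [
    {"ts": "2026-01-10T09:00:05", "kind": "share_access", "user": "CORP\\svc_backup",
     "host": "WS01", "share": "\\\\FS01\\Backups"},
    {"ts": "2026-01-10T09:01:00", "kind": "process", "user": "CORP\\svc_backup",
     "host": "WS01", "parent": "backup.exe", "cmdline": "net use \\\\FS01\\Backups /delete"},
    {"ts": "2026-01-10T13:22:10", "kind": "share_access", "user": "CORP\\jdoe",
     "host": "WS07", "share": "\\\\DC01\\ADMIN$"},
    {"ts": "2026-01-10T13:25:40", "kind": "process", "user": "CORP\\jdoe",
     "host": "WS07", "parent": "cmd.exe", "cmdline": "net use \\\\DC01\\ADMIN$ /delete /y"},
    {"ts": "2026-01-10T15:00:00", "kind": "process", "user": "CORP\\jdoe",
     "host": "WS07", "parent": "explorer.exe", "cmdline": "net use Z: /delete"},
]

# Share removal via net.exe / net1.exe; "/d" is an accepted abbreviation of "/delete".
REMOVAL_RE = re.compile(r"^net1?(?:\.exe)?\s+use\s+(\S+)\s+/d(?:elete)?\b", re.IGNORECASE)
# Administrative shares (C$, ADMIN$, IPC$) raise the severity of a correlated removal.
ADMIN_SHARE_RE = re.compile(r"\\(?:[a-z]|admin|ipc)\$$", re.IGNORECASE)
# Documented known-good (user, parent process) pairs; hypothetical values.
APPROVED = {("CORP\\svc_backup", "backup.exe")}

def correlate(events, window_hours=1, approved=APPROVED):
    """Return alerts for share removals outside the approved patterns, graded by whether
    the same user and host accessed a share (and which kind) within the window before."""
    window = timedelta(hours=window_hours)
    ordered = sorted(events, key=lambda e: e["ts"])  # ISO 8601 strings sort chronologically
    alerts = []
    for ev in ordered:
        if ev["kind"] != "process":
            continue
        match = REMOVAL_RE.match(ev["cmdline"])
        if not match:
            continue
        if (ev["user"], ev["parent"]) in approved:
            continue  # tuned-out maintenance: still retained upstream, just not alerted
        t_removal = datetime.fromisoformat(ev["ts"])
        prior = [p for p in ordered if p["kind"] == "share_access"
                 and p["user"] == ev["user"] and p["host"] == ev["host"]
                 and timedelta(0) <= t_removal - datetime.fromisoformat(p["ts"]) <= window]
        admin = any(ADMIN_SHARE_RE.search(p["share"]) for p in prior)
        # "low" means no prior access was seen: a cue to check collection gaps, not to ignore it
        severity = "high" if admin else "medium" if prior else "low"
        alerts.append({"ts": ev["ts"], "user": ev["user"], "host": ev["host"], "target": match.group(1),
                       "prior_shares": [p["share"] for p in prior], "severity": severity})
    return alerts
```

Mapped drive letters (`Z:`) do not name the share in the removal command, so the correlation keys on user and host within the window rather than on the target string alone.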
Mitigation priorities
- Ensure Windows endpoint logging captures process creation, command-line arguments, user context, and parent-child process relationships where policy permits.
- Enable and retain relevant file sharing, SMB/session, and security audit telemetry needed for incident reconstruction.
- Document approved administrative share management patterns so SOC teams can suppress known-good activity without hiding suspicious cleanup.
- Review access controls and administrative share usage to reduce unnecessary exposure and improve investigation clarity.
- Test incident response playbooks against scenarios where share connections are created and later removed.
Analyst notes and limits
DET0103 is a detection strategy for behavior associated with Network Share Connection Removal. The strongest practical use is as a coverage assessment: can the organization see both the endpoint command activity and the network/share disconnect evidence needed to explain what happened before cleanup?
The supplied detection strategy has no official description, no official detection guidance, no tactics, and no platforms specified. Platform and behavior context comes only from the relationship to T1070.005, which identifies Windows network share connection removal as a stealth technique. Local logging configuration is required to determine actual coverage.
Behavioral Detection of Network Share Connection Removal via CLI and SMB Disconnects
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1070.005 | Network Share Connection Removal Sub-technique | This object detects Network Share Connection Removal. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | fa08bc606c41… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.