MITRE ATT&CK® Technique

T1070.005: Network Share Connection Removal

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and SMB/Windows Admin Shares connections can be removed when no longer needed. Net is an example utility that can be used to remove network share connections with the net use \\system\share /delete command. [1]

Enterprise | T1070.005 | Sub-technique | Object v2.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Network Share Connection Removal is a Windows stealth behavior where an adversary removes SMB or shared-drive connections after they are no longer useful. For leaders, the risk is not the disconnect itself; it is that evidence of lateral access to file shares or admin shares may become harder to reconstruct during an incident.

Executive priority

Treat this as an evidence-preservation and incident-scoping concern. If the organization relies on Windows shares, SMB access, or admin shares for operations, security leaders should confirm that SOC and IR teams can still reconstruct who connected to what, when, and from where after share connections are removed. This supports breach scoping, audit evidence, ransomware readiness, and decisions about containment across Windows environments.

Technical view

This is a Windows sub-technique of Indicator Removal under the stealth tactic. MITRE notes that utilities such as Net can remove network share connections, and relationship context links DET0103 to behavioral detection via command-line activity and SMB disconnects. SOC teams should validate visibility into process creation and command-line arguments for share connection removal, plus SMB/session telemetry that shows connection creation and disconnection. Detection should be correlated with prior share mapping, access to Windows Admin Shares, lateral movement context, and subsequent cleanup behavior.

Likely telemetry

  • Windows process creation events including command-line arguments for built-in utilities such as Net
  • SMB client/server connection, session, and disconnect logs where available
  • Authentication and logon events associated with remote share access
  • File share access records for mapped drives, administrative shares, or sensitive shares
  • Endpoint telemetry showing parent process, user context, host, and timing around share connection removal

Detection direction

  • Validate behavioral detections for share connection removal through CLI activity and SMB disconnect/session-close patterns, as indicated by DET0103.
  • Correlate removal events with earlier network share connections rather than alerting only on the disconnect event in isolation.
  • Tune for legitimate administrative scripts, logoff cleanup, mapped-drive maintenance, and helpdesk activity to reduce false positives.
  • Prioritize higher-risk context: unusual users, unusual hosts, administrative shares, sensitive file servers, or removal shortly after remote access activity.
  • Check blind spots where command-line logging, endpoint telemetry, SMB server logging, or log retention is incomplete.
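
The correlation described in the detection direction above, as an added example (not part of the MITRE or Glexia content): it parses net use command lines from process-creation records and ties each removal back to the earlier mapping on the same host and user, returning one (time, host, user, target, verdict) tuple per removal. The event records, their field layout, the verdict names and the 15-minute window are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation records (time, host, user, command line).
EVENTS = [
    ("2024-05-01T09:00:00", "WS01", "alice", r"net use Z: \\files01\projects"),
    ("2024-05-01T17:30:00", "WS01", "alice", r"net use Z: /delete"),
    ("2024-05-01T22:10:05", "WS07", "svc_backup", r"net.exe use \\SRV02\ADMIN$ /user:CORP\adm1"),
    ("2024-05-01T22:14:40", "WS07", "svc_backup", r"net1 use \\srv02\admin$ /del /y"),
    ("2024-05-01T23:00:00", "WS09", "bob", r"net use * /delete /y"),
]

NET_USE = re.compile(r'(?:^|[\\"])net1?(?:\.exe)?"?\s+use\s+(.*)$', re.I)
ADMIN_SHARE = re.compile(r"^\\\\[^\\]+\\(?:admin\$|ipc\$|[a-z]\$)$", re.I)
WINDOW = timedelta(minutes=15)  # assumed tuning value, not from the page

def parse_net_use(cmdline):
    """Return {'delete', 'target', 'unc'} for a net/net1 'use' command, else None."""
    m = NET_USE.search(cmdline.strip())
    args = m.group(1).split() if m else []
    plain = [a.lower() for a in args if not a.startswith("/")]
    if not plain:
        return None
    # /delete may be abbreviated (/del, /d); other switches such as /user: are ignored.
    delete = any(re.fullmatch(r"/d(el(ete)?)?", a, re.I) for a in args)
    unc = next((a for a in plain if a.startswith("\\\\")), None)
    return {"delete": delete, "target": plain[0], "unc": unc}

def correlate(events):
    mapped, findings = {}, []  # mapped[(host, user)][device or UNC] = (UNC, time mapped)
    for ts, host, user, cmd in sorted(events):
        p = parse_net_use(cmd)
        if p is None:
            continue
        when, session = datetime.fromisoformat(ts), mapped.setdefault((host, user), {})
        if not p["delete"]:
            if p["unc"]:
                session[p["target"]] = (p["unc"], when)
            continue
        keys = [k for k, (u, _) in session.items() if p["target"] in ("*", k, u)]
        prior = [session.pop(k) for k in keys]
        if not prior:
            verdict = "no-prior-mapping"     # mapping was never seen: visibility gap
        elif any(ADMIN_SHARE.match(u) and when - t <= WINDOW for u, t in prior):
            verdict = "admin-share-cleanup"  # admin share removed soon after mapping
        else:
            verdict = "routine"
        findings.append((ts, host, user, p["target"], verdict))
    return findings
```

A "no-prior-mapping" verdict is a scoping prompt rather than an alert: the share was connected somewhere the process telemetry did not cover, so SMB session and logon records are the next place to look.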

Mitigation priorities

  • No official mitigation text was supplied for this object, so prioritize defensive readiness rather than assuming a single preventive control.
  • Ensure Windows endpoint and file-share telemetry is centrally collected and retained for IR scoping.
  • Limit unnecessary access to administrative shares and sensitive network shares using least privilege.
  • Review administrative scripts and normal share-disconnect behavior so detections can distinguish routine operations from suspicious cleanup.
  • Include share connection creation and removal evidence in incident response playbooks for Windows lateral movement investigations.
Analyst notes and limits

The ATT&CK object has no official detection text, but relationship context includes DET0103 for behavioral detection of network share connection removal via CLI and SMB disconnects. Related objects include the Windows Net utility and several group/software relationships, which support defensive prioritization but should not be interpreted as current activity or customer exposure.

This take is based only on the supplied ATT&CK fields and relationships. Local validation is required to determine whether relevant Windows process, SMB, authentication, and file-share telemetry exists and is retained. The supplied data does not provide environment-specific prevalence, active exploitation status, or guaranteed detection logic.

Official MITRE ATT&CK definition

Network Share Connection Removal

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and SMB/Windows Admin Shares connections can be removed when no longer needed. Net is an example utility that can be used to remove network share connections with the net use \\system\share /delete command. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

| Domain | ID | Name | Relationship / procedure |
| Enterprise | T1126 | Network Share Connection Removal | Network Share Connection Removal is revoked by this object. |
| Enterprise | T1070 | Indicator Removal | This object is a sub-technique of Indicator Removal. |

Associated objects

Groups, software, and campaigns

Group Enterprise

G0027: Threat Group-3390

Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.[1] The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.[2][3][4]

Tool Enterprise

S0039: Net

The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. [1]

Net has a great deal of functionality, [2] much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through SMB/Windows Admin Shares using net use commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.

Windows
Malware Enterprise

S0260: InvisiMole

InvisiMole is a modular spyware program that has been used by the InvisiMole Group since at least 2013. InvisiMole has two backdoor modules called RC2FM and RC2CL that are used to perform post-exploitation activities. It has been discovered on compromised victims in Ukraine and Russia. Gamaredon Group infrastructure has been used to download and execute InvisiMole against a small number of victims.[1][2]

Windows
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 2.0
Created:
Modified:
Raw hash: d6e62762fddabf64...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 2.0 Current bundle d6e62762fdda…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Technet Net Use: Microsoft. (n.d.). Net Use. Retrieved November 25, 2016.
  2. [2] mitre-attack T1070.005

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.