Network Share Connection Removal - veramine/Detections GitHub Wiki

Windows shared drive and Windows Admin Shares connections can be removed when no longer needed. Net is an example utility that can be used to remove network share connections with the `net use \\system\share /delete` command. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. You can read more about this attacker technique at https://attack.mitre.org/wiki/Technique/T1126.

The Veramine product detects this type of behavior by flagging executed commands that are often used by attackers and rarely run by normal users. This type of detection mechanism sweeps up a wide variety of both authorized and unauthorized behavior. The algorithm is not specifically focused on detecting the removal of network shares; instead it captures many different legitimate commands that may be attractive to attackers. Therefore, this "bucket" of detection results is best used to gain additional insight into behavior flagged separately by other detection methods. Here's an example of the types of commands that are flagged by this algorithm:

![Example of commands flagged by this algorithm](images/r2.png)
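The following is an added illustration of the "rarely run by normal users" approach described above, not Veramine's own detection code: it runs a small, assumed set of `net use ... /delete` and `net share ... /delete` patterns over constructed process-creation events and reports, for each hit, on how many distinct hosts that command class was seen, so an analyst can judge rarity alongside other detections.

```python
import re
from collections import defaultdict

# Constructed process-creation events (sample data, not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS01", "user": r"CORP\alice", "cmd": r"ipconfig /all"},
    {"host": "WS01", "user": r"CORP\alice", "cmd": r"net.exe use \\fileserver\share /delete"},
    {"host": "WS07", "user": r"CORP\bob",   "cmd": r"C:\Windows\System32\net1.exe use * /delete /y"},
    {"host": "WS07", "user": r"CORP\bob",   "cmd": r"net share tmp$ /delete"},
    {"host": "WS09", "user": r"CORP\carol", "cmd": r"notepad.exe C:\notes.txt"},
]

# Assumed command-line patterns: commands attackers favour and ordinary users rarely run.
# These are illustrative for this example, not Veramine's actual rule set.
SUSPECT_PATTERNS = {
    "net_use_delete":   re.compile(r"\bnet1?(?:\.exe)?\s+use\s+\S+\s+/del(?:ete)?\b", re.I),
    "net_share_delete": re.compile(r"\bnet1?(?:\.exe)?\s+share\s+\S+\s+/del(?:ete)?\b", re.I),
}

def classify(cmd, patterns=SUSPECT_PATTERNS):
    """Return the label of the first pattern matching the command line, or None."""
    for label, rx in patterns.items():
        if rx.search(cmd):
            return label
    return None

def flag_events(events, patterns=SUSPECT_PATTERNS):
    """Flag matching events and attach how many distinct hosts ran that command class.
    A low hosts_seen count means the behaviour is rare in this data set, which is
    the signal this 'bucket' of detections is meant to surface."""
    hits = [dict(e, label=classify(e["cmd"], patterns)) for e in events]
    hits = [h for h in hits if h["label"]]
    hosts_per_label = defaultdict(set)
    for h in hits:
        hosts_per_label[h["label"]].add(h["host"])
    for h in hits:
        h["hosts_seen"] = len(hosts_per_label[h["label"]])
    return hits

if __name__ == "__main__":
    for h in flag_events(SAMPLE_EVENTS):
        print(f"{h['host']:5} {h['user']:11} {h['label']:17} hosts_seen={h['hosts_seen']}  {h['cmd']}")
```

Note that alice's single share removal is flagged just like bob's, which is the point made above: this bucket catches legitimate administration too and is most useful as context for alerts raised by other methods.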