
Network Share

Registry:

Hard Evidence of Network Share Presence:

Mapped network drive Most-Recently Used (MRU) items

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU

  • HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU

Mapped network drives (Network Drive Wizard)

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

  • HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Currently mapped shares (one subkey per drive letter)

  • HKCU\Network\<Drive Letter>

  • HKEY_USERS\<SID>\Network\<Drive Letter>

All shares hosted by the system

  • HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares

Machines on the LAN the user has connected to

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions

  • HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions

These entries constitute hard evidence that a network share was mapped on this computer.

Soft Evidence of Network Share (share reference):

Items typed into the Windows Run dialog by the user

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

  • HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Paths typed into the Windows Explorer address bar

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths

  • HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths

Shellbags:

NTUSER.DAT

  • NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU

  • NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags

USRCLASS.DAT

  • USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU

  • USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags

These artifacts can be used to show that a network share existed or was referenced on the host, i.e. that the TA attempted to navigate to it. The evidence consists of share paths the TA typed and directories the TA browsed to.
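As an added example (not code from the original page), a PowerShell triage script that walks the hard- and soft-evidence registry locations above for every user hive loaded under HKEY_USERS, plus the machine-wide LanmanServer\Shares key; shellbags are left out because they need a dedicated parser. It assumes an elevated session on the live host, and that any offline NTUSER.DAT of interest has been loaded with reg.exe first.

```powershell
# Added example, not from the original page: dump the network-share registry
# artifacts listed above for every user hive loaded under HKEY_USERS, plus the
# machine-wide share list. Run elevated on the live host; to include an offline
# hive, load it first, e.g.  reg.exe load HKU\Suspect C:\evidence\NTUSER.DAT
$userKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU',
    'Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2',
    'Network',   # one subkey per currently mapped drive letter (RemotePath = UNC)
    'Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions',
    'Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU',
    'Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths'
)

$rows = foreach ($hive in Get-ChildItem Registry::HKEY_USERS) {
    $sid = $hive.PSChildName
    if ($sid -like '*_Classes' -or $sid -eq '.DEFAULT') { continue }
    foreach ($rel in $userKeys) {
        $path = "Registry::HKEY_USERS\$sid\$rel"
        if (-not (Test-Path $path)) { continue }
        # Look at the key itself and one level of subkeys: MountPoints2 and
        # Network keep one subkey per target (##server#share, or a drive letter).
        $keys = @(Get-Item $path) + @(Get-ChildItem $path -ErrorAction SilentlyContinue)
        foreach ($k in $keys) {
            foreach ($name in $k.GetValueNames()) {
                $data = ($k.GetValue($name) -join ' ')
                [pscustomobject]@{
                    SID   = $sid
                    Key   = $k.Name.Replace("HKEY_USERS\$sid\", '')
                    Value = $name
                    Data  = $data
                    # UNC paths and MountPoints2's ##server#share subkeys are the share references
                    Share = ($data -match '^\\\\|^##' -or $k.PSChildName -match '^##')
                }
            }
        }
    }
}

# Shares this host offers: one REG_MULTI_SZ value per share under LanmanServer\Shares
$sharesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares'
$hosted = if (Test-Path $sharesKey) {
    $k = Get-Item $sharesKey
    foreach ($name in $k.GetValueNames()) {
        [pscustomobject]@{ ShareName = $name; Definition = ($k.GetValue($name) -join '; ') }
    }
}

$rows | Where-Object Share | Sort-Object SID, Key | Format-Table SID, Key, Value, Data -AutoSize
$rows | Export-Csv -NoTypeInformation -Path "$env:COMPUTERNAME-share-registry.csv"
$hosted | Format-Table -AutoSize
```

The full CSV keeps every value (including RunMRU and TypedPaths entries that are not UNC paths) so nothing is lost; the console view shows only the rows that reference a share.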

UAL:

Leverage UALs located on DCs to map SMB traffic from a specific user to machines on the domain.

| RoleGuid | TotalAccesses | InsertDate | LastAccess | AuthenticatedUserName |
| --- | --- | --- | --- | --- |
| 10a9226f-50ee-49d8-a393-9a501d47ce04 | 1 | 2019-03-12T18:06:56Z | 2019-03-12T18:06:56Z | DOMAIN\User1 |

Event Logs

Default Logging - Source Host

  • 4648: A logon was attempted using explicit credentials.

Default Logging - Destination Host

The three event IDs below should all occur at about the same time.

  • 4776 — The computer attempted to validate the credentials for an account

  • 4672 — Special privileges assigned to new logon

  • 4624 (Type 3) — An account was successfully logged on

Advanced Logging

While Event IDs 5140 and 5145 are useful, they are merely part of the “Object Access” audit category in Active Directory. You can use auditpol.exe to enable success auditing for the whole Object Access category:

auditpol /set /category:"Object Access" /success:enable

This enables success auditing only; add /failure:enable as well if you also want the failure (F) variants listed below, such as 5140(F) and 5168(F).

  • 5140(S, F): A network share object was accessed.

  • 5142(S): A network share object was added.

  • 5143(S): A network share object was modified.

  • 5144(S): A network share object was deleted.

  • 5145(S): A network share object was checked to see whether client can be granted desired access (Synchronize, ReadData, ListDirectory, ReadAttribute).

  • 5168(F): SPN check for SMB/SMB2 failed
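As an added example (not code from the original page), a PowerShell script that pulls the 5140/5145 events from the Security log of a destination host, extracts the share, source IP and account from each event's XML, and lists admin-share access from remote hosts before a per-user/IP/share summary. It assumes the Object Access auditing above is enabled and an elevated session; the parameter names and the CSV path are my own.

```powershell
# Added example, not from the original page: summarise 5140/5145 network-share
# access on this (destination) host. Assumes "Object Access" auditing is on.
param(
    [datetime]$Since = (Get-Date).AddDays(-7),
    [string]$ComputerName = $env:COMPUTERNAME
)

$filter = @{ LogName = 'Security'; Id = 5140, 5145; StartTime = $Since }
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # EventData is a list of <Data Name="...">; turn it into a hashtable.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Id       = $e.Id
        User     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        SourceIP = $d.IpAddress
        Share    = $d.ShareName            # e.g. \\*\ADMIN$ or \\*\C$
        Target   = $d.RelativeTargetName   # 5145 only: object path inside the share
        Access   = $d.AccessMask
        Outcome  = if ($e.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
    }
}

# Admin shares (C$, ADMIN$, IPC$) reached from another host are the classic
# lateral-movement signal, so list those first.
$rows | Where-Object { $_.Share -match '^\\\\\*\\(ADMIN|IPC|[A-Z])\$' -and $_.SourceIP -notin '127.0.0.1', '::1', '-' } |
    Sort-Object Time | Format-Table Time, Id, User, SourceIP, Share, Target, Outcome -AutoSize

# Then who touched which share from where, with first/last seen and event count.
$rows | Group-Object User, SourceIP, Share |
    Select-Object Count, Name,
        @{ n = 'First'; e = { ($_.Group | Measure-Object Time -Minimum).Minimum } },
        @{ n = 'Last';  e = { ($_.Group | Measure-Object Time -Maximum).Maximum } } |
    Sort-Object Count -Descending | Format-Table -AutoSize

$rows | Export-Csv -NoTypeInformation -Path "$ComputerName-share-access.csv"
```

To tie a share access back to the logon that produced it, match the 5140/5145 source IP and account against the 4624 (Type 3) events from the default logging section at the same timestamp.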

Live Triage:

Net Share:

  • Can be used to show shares being hosted by the host.

C:\Users\user>net share

Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
E$           E:\                             Default share
F$           F:\                             Default share
H$           H:\                             Default share
I$           I:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\WINDOWS                      Remote Admin

Net Use:

  • Display shares that the host has connected/mapped to.

Last updated 1 year ago

How to Leverage User Access Logging for Forensic Investigationscrowdstrike.com
Logo
Detecting Lateral Movement 101: Tracking movement SMB/Windows Admin Shares through Windows Log…Medium
Logo