Network Share

Registry:

Hard Evidence of Network Share Presence:

Mapped network drive Most-Recently Used (MRU) items

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU

  • HKEY_USERS\<SID>\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU

Mapped network drives (Network Drive Wizard)

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

  • HKEY_USERS\<SID>\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Currently Mapped Shares

  • HKCU\<SID>\Network\<Drive Letter>

  • HKEY_USERS\<SID>\Network\<Drive Letter>

All open shares on a system

  • HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares

User connected to specific machines on LAN

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions

  • HKEY_USERS\<SID>\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions

These entries constitute hard evidence that the network share was mapped on this computer.

Soft Evidence of Network Share (share reference):

Items typed into the Windows Run dialog by the user

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

  • HKEY_USERS\<SID>\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Paths typed into Windows Explorer

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths

  • HKEY_USERS\<SID>\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths

Shellbags:

NTUSER.DAT

  • NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU

  • NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags

USRCLASS.DAT

  • USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU

  • USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags

UAL:

Leverage the User Access Logging (UAL) databases located on domain controllers (DCs) to map SMB traffic from a specific user to machines on the domain. A UAL record looks like this:

RoleGuid                              TotalAccesses  InsertDate            LastAccess            AuthenticatedUserName
------------------------------------  -------------  --------------------  --------------------  ---------------------
10a9226f-50ee-49d8-a393-9a501d47ce04  1              2019-03-12T18:06:56Z  2019-03-12T18:06:56Z  DOMAIN\User1

Event Logs

Default Logging - Source Host

  • 4648: A logon was attempted using explicit credentials.

Default Logging - Destination Host

The three event IDs below should all appear together, at the same time:

  • 4776: The computer attempted to validate the credentials for an account.

  • 4672: Special privileges assigned to new logon.

  • 4624 (Type 3): An account was successfully logged on.

Advanced Logging

While Event IDs 5140 and 5145 are useful, they are only part of the “Object Access” audit category in Active Directory. You can use auditpol.exe to enable success auditing for every subcategory within Object Access, as follows:

auditpol /set /category:"Object Access" /success:enable

Note that this enables success auditing only; to capture the failure variants (5140(F), 5168(F)), also run the same command with /failure:enable.

  • 5140(S, F): A network share object was accessed.

  • 5142(S): A network share object was added.

  • 5143(S): A network share object was modified.

  • 5144(S): A network share object was deleted.

  • 5145(S): A network share object was checked to see whether client can be granted desired access (Synchronize, ReadData, ListDirectory, ReadAttribute).

  • 5168(F): SPN check for SMB/SMB2 failed.

Live Triage:

Net Share:

  • Lists the shares hosted by the local machine.

C:\Users\user>net share

Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
E$           E:\                             Default share
F$           F:\                             Default share
H$           H:\                             Default share
I$           I:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\WINDOWS                      Remote Admin

Net Use:

  • Display shares that the host has connected/mapped to.
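The following PowerShell script is an added example (not from the original page) that collects the hard and soft registry artifacts listed above from a live host and pairs them with the same share information net share and net use return. The $Artifacts table and the Get-ShareTriage function are hypothetical names chosen for this example; run it in the context of the user being examined, and elevated if you need HKLM and the full share list.

```powershell
# Added example: live triage of the network-share artifacts listed on this page.
# Registry paths are the HKCU/HKLM keys from the page; HKEY_USERS\<SID> variants
# are the same keys seen from an offline or loaded hive.
$Artifacts = [ordered]@{
    'MapNetworkDriveMRU'   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU'
    'MountPoints2'         = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    'CurrentlyMapped'      = 'HKCU:\Network'
    'LanmanShares'         = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares'
    'ComputerDescriptions' = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions'
    'RunMRU'               = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    'TypedPaths'           = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths'
}

function Get-ShareTriage {
    foreach ($entry in $Artifacts.GetEnumerator()) {
        $name = $entry.Key; $path = $entry.Value
        # A missing key simply means no artifact of that type exists on this host.
        if (-not (Test-Path $path)) { continue }

        # Values stored directly under the key (MRU lists, RunMRU, TypedPaths, Shares).
        $key = Get-Item $path
        foreach ($v in $key.GetValueNames()) {
            [pscustomobject]@{ Artifact = $name; Key = $path; Name = $v
                               Data = ($key.GetValue($v) -join ' ') }
        }

        # Subkeys: MountPoints2 uses one subkey per ##server#share, HKCU\Network one
        # per drive letter (with a RemotePath value naming the UNC target).
        foreach ($sub in Get-ChildItem $path -ErrorAction SilentlyContinue) {
            [pscustomobject]@{ Artifact = $name; Key = ($sub.PSPath -replace '^.*::', '')
                               Name = $sub.PSChildName; Data = $sub.GetValue('RemotePath') }
        }
    }
}

# Live view: shares this host offers (net share) and shares it has mapped (net use).
$hosted = Get-SmbShare   | Select-Object Name, Path, Description
$mapped = Get-SmbMapping | Select-Object LocalPath, RemotePath, Status

Get-ShareTriage | Format-Table -AutoSize
$hosted | Format-Table -AutoSize
$mapped | Format-Table -AutoSize
```

Compare the registry rows against the live $hosted and $mapped output: a share that appears only in the registry (e.g. in MountPoints2 or TypedPaths) was used in the past but is no longer connected, which is exactly the distinction between hard and soft evidence drawn above.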
