Network Share

Registry:

Hard Evidence of Network Share Presence:

Mapped network drive Most-Recently Used (MRU) items

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU

  • HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU

Mapped network drives (Network Drive Wizard)

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

  • HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Currently Mapped Shares

  • HKCU\Network\<Drive Letter>

  • HKEY_USERS\<SID>\Network\<Drive Letter>

All open shares on a system

  • HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares

User connected to specific machines on LAN

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions

  • HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions

These entries constitute hard evidence that a network share was mapped on this computer.

Soft Evidence of Network Share (share reference):

Items typed into the Windows Run dialog by the user

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

  • HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Words typed into the Windows Explorer

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths

  • HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
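An added live-triage script (not part of the original page) that walks the hard- and soft-evidence registry keys listed above on the current host and flags any entry that references a UNC path. It assumes it runs in the interactive user's context (so HKCU is the user of interest) with rights to read HKLM; for another user, load their NTUSER.DAT or substitute HKU:\<SID>\Software\... for the HKCU paths.

```powershell
# Added example: collect the network-share registry artifacts listed above.
# Key paths mirror the page; labels are our own.
$hardEvidence = @{
    'Map Network Drive MRU' = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU'
    'MountPoints2'          = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    'Currently mapped'      = 'HKCU:\Network'
    'Hosted shares'         = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares'
    'ComputerDescriptions'  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions'
}
$softEvidence = @{
    'RunMRU'     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    'TypedPaths' = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths'
}

function Get-ShareArtifact {
    param([string]$Label, [string]$KeyPath)
    # A missing key is itself a finding (no MRU, no mapped drives); just return nothing.
    if (-not (Test-Path -LiteralPath $KeyPath)) { return }
    $key = Get-Item -LiteralPath $KeyPath
    # Values directly under the key: MRU slots (a, b, ...), TypedPaths url1..n,
    # LanmanServer\Shares REG_MULTI_SZ per share, ComputerDescriptions per host.
    foreach ($name in $key.GetValueNames()) {
        $data = $key.GetValue($name)
        if ($data -is [string[]]) { $data = $data -join ' ' }
        if ($data -is [byte[]])   { $data = ($data | ForEach-Object { $_.ToString('x2') }) -join '' }
        [pscustomobject]@{ Artifact = $Label; Key = $KeyPath; Name = $name; Data = "$data" }
    }
    # Subkeys: MountPoints2 names UNC targets as ##server#share; HKCU\Network\<letter>
    # stores the target in its RemotePath value.
    foreach ($sub in $key.GetSubKeyNames()) {
        $props  = Get-ItemProperty -LiteralPath (Join-Path $KeyPath $sub) -ErrorAction SilentlyContinue
        $remote = if ($props) { $props.RemotePath } else { $null }
        [pscustomobject]@{ Artifact = $Label; Key = $KeyPath; Name = $sub; Data = "$remote" }
    }
}

$results = @()
foreach ($h in $hardEvidence.GetEnumerator()) { $results += Get-ShareArtifact -Label "HARD: $($h.Key)" -KeyPath $h.Value }
foreach ($s in $softEvidence.GetEnumerator()) { $results += Get-ShareArtifact -Label "SOFT: $($s.Key)" -KeyPath $s.Value }

# Everything first, then only the entries that point at a share (\\server\share or ##server#share).
$results | Format-Table -AutoSize
'--- Entries referencing a UNC path ---'
$results | Where-Object { $_.Data -match '\\\\' -or $_.Name -match '^##' } | Format-Table -AutoSize
```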

Shellbags:

NTUSER.DAT

  • NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU

  • NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags

USRCLASS.DAT

  • USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU

  • USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags

These can be leveraged to show the existence of, or references to, network shares that the TA attempted to navigate to on the host. They consist of references to the shares, either through keywords typed by the TA or through directories that were navigated to.

UAL:

Leverage the User Access Logging (UAL) databases located on DCs to map SMB traffic from a specific user to machines on the domain. A UAL record looks like this:

RoleGuid                              TotalAccesses  InsertDate            LastAccess            AuthenticatedUserName
10a9226f-50ee-49d8-a393-9a501d47ce04  1              2019-03-12T18:06:56Z  2019-03-12T18:06:56Z  DOMAIN\User1

Event Logs

Default Logging - Source Host

  • 4648: A logon was attempted using explicit credentials.

Default Logging - Destination Host

The three event IDs below should all occur at the same time.

  • 4776 — The computer attempted to validate the credentials for an account

  • 4672 — Special privileges assigned to new logon

  • 4624 (Type 3) — An account was successfully logged on

Advanced Logging

While Event IDs 5140 and 5145 are useful, they are only part of the “Object Access” audit category in Active Directory. You can use auditpol.exe to enable all events within the Object Access category, as such:

auditpol /set /category:"Object Access" /success:enable

Note that this command enables success auditing only; to capture the failure variants listed below (5140(F), 5168(F)) add /failure:enable. Enabling the whole category is verbose, so when only share events are wanted the "File Share" and "Detailed File Share" subcategories (auditpol /set /subcategory:"File Share" /success:enable /failure:enable) are the usual targets.

  • 5140(S, F): A network share object was accessed.

  • 5142(S): A network share object was added.

  • 5143(S): A network share object was modified.

  • 5144(S): A network share object was deleted.

  • 5145(S): A network share object was checked to see whether client can be granted desired access (Synchronize, ReadData, ListDirectory, ReadAttribute).

  • 5168(F): SPN check for SMB/SMB2 failed

Live Triage:

Net Share:

  • Can be used to show shares being hosted by the host.

C:\Users\user>net share

Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
E$           E:\                             Default share
F$           F:\                             Default share
H$           H:\                             Default share
I$           I:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\WINDOWS                      Remote Admin

Net Use:

  • Display shares that the host has connected/mapped to.
