# Map Network Drive MRU

## Overview

**Evidence:** Map Network Drive MRU\
**Description:** Enumerate Map Network Drive MRU\
**Category:** System\
**Platform:** windows\
**Short Name:** mapnetmru\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** No

## Background

Windows maintains a history of network shares that users have mapped using the "Map Network Drive" feature in Windows Explorer. This MRU list records UNC paths to network shares, providing evidence of network resource access and lateral movement.

Network share mappings can reveal access to file servers, administrative shares, and other network resources that may be relevant to data exfiltration or lateral movement investigations.

## Data Collected

This collector gathers structured data about map network drive mru.

### Map Network Drive MRU Data

| Field           | Description                  | Example                                                                  |
| --------------- | ---------------------------- | ------------------------------------------------------------------------ |
| `KeyPath`       | Registry key path            | Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU |
| `LastWriteTime` | Registry key last write time | 2023-10-15T14:30:00                                                      |
| `Value`         | MRU value name               | a                                                                        |
| `Username`      | User account name            | user                                                                     |
| `FileName`      | UNC path to network share    | \fileserver\share\folder                                                 |
| `MRUPosition`   | Position in MRU list         | 0                                                                        |
| `RegPath`       | Path to registry hive        | Registry/ntuser.dat                                                      |

## Collection Method

This collector:

* Collects user registry hives (ntuser.dat)
* Searches for: `Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU`
* Parses MRUList string to determine access order
* Extracts UNC paths from registry values
* Orders by MRU position (most recent first)

## Forensic Value

Mapped network drive history reveals network resource access and can indicate lateral movement. Investigators use this data to identify accessed network shares, detect lateral movement paths, track file server access, identify administrative share usage, correlate with SMB network connections, and detect data exfiltration paths.