Map Network Drive MRU

Overview

  • Evidence: Map Network Drive MRU

  • Description: Enumerate Map Network Drive MRU

  • Category: Registry

  • Platform: Windows

  • Short Name: mapnetmru

  • Is Parsed: Yes - MRU data parsed into structured format

  • Sent to Investigation Hub: Yes

  • Collect File(s): No

Background

Windows maintains a history of network shares that users have mapped using the "Map Network Drive" feature in Windows Explorer. This MRU list records UNC paths to network shares, providing evidence of network resource access and lateral movement.

Network share mappings can reveal access to file servers, administrative shares, and other network resources that may be relevant to data exfiltration or lateral movement investigations.

Data Collected

| Field | Description | Example |
|---|---|---|
| KeyPath | Registry key path | Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU |
| LastWriteTime | Registry key last write time | 2023-10-15T14:30:00 |
| Value | MRU value name | a |
| Username | User account name | user |
| FileName | UNC path to network share | \\fileserver\share\folder |
| MRUPosition | Position in MRU list (0 = most recent) | 0 |
| RegPath | Path to registry hive | Registry/ntuser.dat |

Collection Method

This collector:

  • Collects user registry hives (ntuser.dat)

  • Searches for: Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU

  • Parses MRUList string to determine access order

  • Extracts UNC paths from registry values

  • Orders by MRU position (most recent first)
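The parsing steps above, written out as an added example (this is not the collector's own code). It assumes the key's values have already been read out of ntuser.dat into a plain dictionary; the sample values and host names below are constructed for illustration, and the MRUList handling follows the documented convention that the string lists the letter-named values most-recently-used first. The example also handles two edge cases the text implies: a value referenced by MRUList that no longer exists, and a value that exists but is not referenced by MRUList.

```python
"""Parse Map Network Drive MRU values into ordered records (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample values, as they would be read from the key
# Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
# in one user's ntuser.dat. Single-letter values hold UNC paths; the
# MRUList string lists those letters most-recently-used first.
SAMPLE_VALUES: Dict[str, str] = {
    "MRUList": "cab",
    "a": r"\\fileserver\share\folder",
    "b": r"\\dc01\ADMIN$",
    "c": r"\\ws-finance\C$",
    "d": r"\\nas\backups",  # present in the key but not referenced by MRUList
}


@dataclass
class MapNetMruRecord:
    value: str                    # MRU value name (a, b, c, ...)
    file_name: str                # UNC path stored in that value
    mru_position: Optional[int]   # 0 = most recent; None if absent from MRUList
    is_admin_share: bool          # share component ends in '$' (C$, ADMIN$, ...)


def split_unc(path: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (server, share) from a UNC path, or (None, None) if malformed."""
    if not path.startswith("\\\\"):
        return None, None
    parts = path[2:].split("\\")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        return None, None
    return parts[0], parts[1]


def is_admin_share(path: str) -> bool:
    """True when the share name is a hidden/administrative share (trailing '$')."""
    _, share = split_unc(path)
    return share is not None and share.endswith("$")


def parse_map_network_drive_mru(values: Dict[str, str]) -> List[MapNetMruRecord]:
    """Order the letter-named values by MRUList, most recent first."""
    mru_list = values.get("MRUList", "")
    records: List[MapNetMruRecord] = []
    seen = set()
    for position, letter in enumerate(mru_list):
        path = values.get(letter)
        if path is None or letter in seen:
            continue  # dangling or duplicate letter in MRUList: skip it
        seen.add(letter)
        records.append(MapNetMruRecord(letter, path, position, is_admin_share(path)))
    # Values that exist but are not referenced by MRUList (stale or partially
    # cleared entries) are kept with no position so they are not lost.
    for name in sorted(values):
        if len(name) == 1 and name.isalpha() and name not in seen:
            records.append(
                MapNetMruRecord(name, values[name], None, is_admin_share(values[name]))
            )
    return records


if __name__ == "__main__":
    for rec in parse_map_network_drive_mru(SAMPLE_VALUES):
        flag = " [admin share]" if rec.is_admin_share else ""
        print(f"{str(rec.mru_position):>4}  {rec.value}  {rec.file_name}{flag}")
```

Entries flagged as administrative shares are the ones the Notes section singles out for cross-referencing; entries with no MRU position are worth reporting separately, since a populated value with no MRUList reference can indicate a partially cleared history.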

Usage

Mapped network drive history reveals network resource access and can indicate lateral movement. Investigators use this data to identify accessed network shares, detect lateral movement paths, track file server access, identify administrative share usage, correlate with SMB network connections, and detect data exfiltration paths.

Known Limitations

  • Only tracks explicitly mapped drives

  • Doesn't capture UNC paths accessed directly

  • Limited number of entries retained

  • Can be cleared by user or privacy tools

  • Disconnected shares still appear in history

Notes

Administrative shares (C$, ADMIN$) in this MRU can indicate privileged operations or lateral movement. Cross-reference with network share information from the Network collector.
