Map Network Drive MRU

Overview

Evidence: Map Network Drive MRU Description: Enumerate Map Network Drive MRU Category: System Platform: windows Short Name: mapnetmru Is Parsed: Yes Sent to Investigation Hub: Yes Collect File(s): No

Background

Windows maintains a history of network shares that users have mapped using the "Map Network Drive" feature in Windows Explorer. This MRU list records UNC paths to network shares, providing evidence of network resource access and lateral movement.

Network share mappings can reveal access to file servers, administrative shares, and other network resources that may be relevant to data exfiltration or lateral movement investigations.

Data Collected

This collector gathers structured data about map network drive mru.

Map Network Drive MRU Data

Field

Description

Example

KeyPath

Registry key path

Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU

LastWriteTime

Registry key last write time

2023-10-15T14:30:00

Value

MRU value name

Username

User account name

user

FileName

UNC path to network share

\fileserver\share\folder

MRUPosition

Position in MRU list

RegPath

Path to registry hive

Registry/ntuser.dat

Collection Method

This collector:

Collects user registry hives (ntuser.dat)
Searches for: Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
Parses MRUList string to determine access order
Extracts UNC paths from registry values
Orders by MRU position (most recent first)

Forensic Value

Mapped network drive history reveals network resource access and can indicate lateral movement. Investigators use this data to identify accessed network shares, detect lateral movement paths, track file server access, identify administrative share usage, correlate with SMB network connections, and detect data exfiltration paths.

PreviousMalwareBytes Logs NextMBR

Last updated 3 days ago

Was this helpful?