Network Shares

Overview

Evidence: Network Shares
Description: Collect information about network shares
Category: Network
Platform: windows
Short Name: netshr
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Windows systems can share folders, printers, and other resources over the network via SMB/CIFS. Each share has a name, local path, permissions, and connection information.

Share enumeration can reveal unauthorized file shares, administrative shares, and data exfiltration staging points.

Data Collected

This collector gathers structured data about network shares.

Network Shares Data

Field        Description               Example
-----------  ------------------------  ------------------------
Name         Share name                SharedDocs
Type         Share type                Disk, Special, Temporary
Comments     Share description         Shared documents folder
Permissions  Share permissions         0
Path         Local path being shared   C:\SharedDocs
Password     Share password (if any)
Connections  Current connection count  3

Collection Method

This collector uses the Windows Network API:

  • NetShareEnum with level 502 (detailed information)

  • Enumerates all shares including hidden administrative shares

  • Extracts share configuration and permissions

Share types include:

  • STYPE_DISKTREE: Disk share

  • STYPE_PRINTQ: Print queue

  • STYPE_DEVICE: Communication device

  • STYPE_IPC: Interprocess communication

  • STYPE_SPECIAL: Special share (C$, ADMIN$, etc.)

  • STYPE_TEMPORARY: Temporary share

Forensic Value

Network share enumeration reveals potential data exposure and lateral movement paths. Investigators use this data to identify unauthorized file shares, detect administrative share access, track shared resource exposure, identify data exfiltration staging, detect lateral movement infrastructure, and audit share permissions and configuration.
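
The share type returned at level 502 is a bitmask: a base type in the low byte, with STYPE_SPECIAL and STYPE_TEMPORARY OR-ed on as flags. The following added example (not the collector's own code) decodes that value and applies a few review heuristics to share records. It assumes raw numeric type values and lowercase field names; the sample records and the heuristics themselves are constructed for illustration.

```python
# Added example: decode a NetShareEnum level-502 type value and triage share records.
# Constants are the STYPE_* values from the Windows SDK header lmshare.h.
STYPE_BASE = {0x0: "STYPE_DISKTREE", 0x1: "STYPE_PRINTQ",
              0x2: "STYPE_DEVICE", 0x3: "STYPE_IPC"}
STYPE_MASK = 0x000000FF        # low byte holds the base type
STYPE_TEMPORARY = 0x40000000   # flag bits OR-ed onto the base type
STYPE_SPECIAL = 0x80000000


def decode_type(value):
    """Return the base type name plus any flag names set in a raw type value."""
    names = [STYPE_BASE.get(value & STYPE_MASK, "UNKNOWN(%#x)" % (value & STYPE_MASK))]
    if value & STYPE_SPECIAL:
        names.append("STYPE_SPECIAL")
    if value & STYPE_TEMPORARY:
        names.append("STYPE_TEMPORARY")
    return names


def triage(share):
    """Return review reasons for one share record (heuristics are assumptions)."""
    kinds = decode_type(share["type"])
    reasons = []
    hidden = share["name"].endswith("$")
    if hidden and "STYPE_SPECIAL" not in kinds:
        reasons.append("hidden share not flagged as a built-in special share")
    if "STYPE_TEMPORARY" in kinds:
        reasons.append("temporary share")
    if kinds[0] == "STYPE_DISKTREE" and not hidden and share["connections"] > 0:
        reasons.append("user-visible disk share with active connections")
    return reasons


# Constructed sample records (not real data); field names are assumed.
SAMPLE = [
    {"name": "C$", "type": 0x80000000, "path": "C:\\", "connections": 0},
    {"name": "IPC$", "type": 0x80000003, "path": "", "connections": 1},
    {"name": "SharedDocs", "type": 0x0, "path": "C:\\SharedDocs", "connections": 3},
    {"name": "stage$", "type": 0x0, "path": "C:\\Users\\Public\\stage", "connections": 0},
    {"name": "tmpout", "type": 0x40000000, "path": "C:\\Temp\\out", "connections": 0},
]


def review(shares):
    """Map share name -> reasons, for shares with at least one reason."""
    return {s["name"]: r for s in shares if (r := triage(s))}


if __name__ == "__main__":
    for name, reasons in review(SAMPLE).items():
        print(name, "->", "; ".join(reasons))
```

A flagged share is a lead for review against the host's expected configuration, not a finding on its own.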
