Network Shares

Overview

  • Evidence: Network Shares

  • Description: Collect Information About Network Shares

  • Category: Network

  • Platform: Windows

  • Short Name: netshr

  • Is Parsed: Yes - Share enumeration parsed into structured format

  • Sent to Investigation Hub: Yes

  • Collect File(s): No

Background

Windows systems can share folders, printers, and other resources over the network via SMB/CIFS. Each share has a name, local path, permissions, and connection information.

Share enumeration can reveal unauthorized file shares, administrative shares, and data exfiltration staging points.

Data Collected

| Field | Description | Example |
|---|---|---|
| Name | Share name | SharedDocs |
| Type | Share type | Disk, Special, Temporary |
| Comments | Share description | Shared documents folder |
| Permissions | Share permissions | 0 |
| Path | Local path being shared | C:\SharedDocs |
| Password | Share password (if any) | |
| Connections | Current connection count | 3 |

Collection Method

This collector uses Windows Network API:

  • NetShareEnum with level 502 (detailed information)

  • Enumerates all shares including hidden administrative shares

  • Extracts share configuration and permissions

Share types include:

  • STYPE_DISKTREE: Disk share

  • STYPE_PRINTQ: Print queue

  • STYPE_DEVICE: Communication device

  • STYPE_IPC: Interprocess communication

  • STYPE_SPECIAL: Special share (C$, ADMIN$, etc.)

  • STYPE_TEMPORARY: Temporary share

Usage

Network share enumeration reveals potential data exposure and lateral movement paths. Investigators use this data to identify unauthorized file shares, detect administrative share access, track shared resource exposure, identify data exfiltration staging, detect lateral movement infrastructure, and audit share permissions and configuration.

Known Limitations

  • Only shows currently configured shares

  • Doesn't show historical shares

  • Share access auditing requires event logs

  • Permissions may be complex to interpret

Notes

Administrative shares (C$, ADMIN$, IPC$) are created by default on Windows. Custom shares should be investigated for authorization and purpose. Special/hidden shares (ending with $) warrant additional scrutiny.
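The share types listed under Collection Method and the triage guidance in these notes can be combined into one check. The following is an added example, not the collector's own code: it decodes a raw level-502 type value (in the Windows API, STYPE_SPECIAL and STYPE_TEMPORARY are flag bits OR-ed onto the base type) and lists review reasons for every share that is not a system default. It assumes records carry the raw numeric type under the field names from the table above; the sample records, the `decode_type` and `triage` helpers, and the reason strings are constructed for illustration.

```python
import re

# Constants from the Windows SDK header lmshare.h (values of shi502_type).
STYPE_MASK = 0x000000FF
BASE_TYPES = {0: "STYPE_DISKTREE", 1: "STYPE_PRINTQ", 2: "STYPE_DEVICE", 3: "STYPE_IPC"}
STYPE_TEMPORARY = 0x40000000
STYPE_SPECIAL = 0x80000000

# Shares Windows creates by default: drive roots (C$, D$, ...), ADMIN$, IPC$.
DEFAULT_ADMIN = re.compile(r"^(?:[A-Z]\$|ADMIN\$|IPC\$)$", re.IGNORECASE)


def decode_type(raw):
    """Split a raw shi502_type DWORD into its base type and flag bits."""
    base = raw & STYPE_MASK
    names = [BASE_TYPES.get(base, "UNKNOWN(%d)" % base)]
    if raw & STYPE_SPECIAL:
        names.append("STYPE_SPECIAL")
    if raw & STYPE_TEMPORARY:
        names.append("STYPE_TEMPORARY")
    return names


def triage(share):
    """Return review reasons for one share record (empty list: system default)."""
    name, types = share["Name"], decode_type(share["Type"])
    # Default name with the special flag set: expected on any Windows host.
    if DEFAULT_ADMIN.match(name) and "STYPE_SPECIAL" in types:
        return []
    reasons = ["custom share: confirm authorization and purpose"]
    if name.endswith("$"):
        reasons.append("hidden ($) share that is not a system default")
    if "STYPE_TEMPORARY" in types:
        reasons.append("temporary share")
    if share["Connections"] > 0:
        reasons.append("%d active connection(s)" % share["Connections"])
    return reasons


# Constructed sample records (assumption: raw numeric Type, field names as in the table).
SAMPLE = [
    {"Name": "C$", "Type": 0x80000000, "Path": "C:\\", "Connections": 0},
    {"Name": "IPC$", "Type": 0x80000003, "Path": "", "Connections": 1},
    {"Name": "SharedDocs", "Type": 0x0, "Path": "C:\\SharedDocs", "Connections": 3},
    {"Name": "stage$", "Type": 0x40000000, "Path": "C:\\Users\\Public\\stage", "Connections": 0},
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(s["Name"], decode_type(s["Type"]), triage(s))
```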
