Map Network Drive MRU

Overview

Evidence: Map Network Drive MRU
Description: Enumerate Map Network Drive MRU
Category: System
Platform: windows
Short Name: mapnetmru
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Windows maintains a history of network shares that users have mapped using the “Map Network Drive” feature in Windows Explorer. This MRU list records UNC paths to network shares, providing evidence of network resource access and lateral movement.

Network share mappings can reveal access to file servers, administrative shares, and other network resources that may be relevant to data exfiltration or lateral movement investigations.

Data Collected

This collector gathers structured data about map network drive mru.

Map Network Drive MRU Data

Field	Description	Example
`KeyPath`	Registry key path	Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
`LastWriteTime`	Registry key last write time	2023-10-15T14:30:00
`Value`	MRU value name	a
`Username`	User account name	user
`FileName`	UNC path to network share	\fileserver\share\folder
`MRUPosition`	Position in MRU list	0
`RegPath`	Path to registry hive	Registry/ntuser.dat

Collection Method

This collector:

Collects user registry hives (ntuser.dat)
Searches for: Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
Parses MRUList string to determine access order
Extracts UNC paths from registry values
Orders by MRU position (most recent first)

Forensic Value

Mapped network drive history reveals network resource access and can indicate lateral movement. Investigators use this data to identify accessed network shares, detect lateral movement paths, track file server access, identify administrative share usage, correlate with SMB network connections, and detect data exfiltration paths.