Network Shares
Overview
Evidence: Network Shares
Description: Collect information about network shares
Category: Network
Platform: windows
Short Name: netshr
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Windows systems can share folders, printers, and other resources over the network via SMB/CIFS. Each share has a name, local path, permissions, and connection information.
Share enumeration can reveal unauthorized file shares, administrative shares, and data exfiltration staging points.
Data Collected
This collector gathers structured data about network shares.
Network Shares Data
| Field | Description | Example |
|---|---|---|
| Name | Share name | SharedDocs |
| Type | Share type | Disk, Special, Temporary |
| Comments | Share description | Shared documents folder |
| Permissions | Share permissions | 0 |
| Path | Local path being shared | C:\SharedDocs |
| Password | Share password (if any) | |
| Connections | Current connection count | 3 |
Collection Method
This collector uses the Windows Network API:
- NetShareEnum with level 502 (detailed information)
- Enumerates all shares including hidden administrative shares
- Extracts share configuration and permissions
Share types include:
- STYPE_DISKTREE: Disk share
- STYPE_PRINTQ: Print queue
- STYPE_DEVICE: Communication device
- STYPE_IPC: Interprocess communication
- STYPE_SPECIAL: Special share (C$, ADMIN$, etc.)
- STYPE_TEMPORARY: Temporary share
Forensic Value
Network share enumeration reveals potential data exposure and lateral movement paths. Investigators use this data to identify unauthorized file shares, detect administrative share access, track shared resource exposure, identify data exfiltration staging, detect lateral movement infrastructure, and audit share permissions and configuration.
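The type decoding from Collection Method and the review points from Forensic Value, as an added example that is not part of the collector or its documentation: it splits a raw `shi502_type` value into base type and flags, then marks share records that deserve a closer look. The `RawType` field, the default-share allowlist and the staging-path patterns are assumptions made for this example, and the sample records are constructed.

```python
import re

# Share type values from lmshare.h: the low byte is the base type, high bits are flags.
STYPE_MASK = 0x000000FF
STYPE_SPECIAL = 0x80000000
STYPE_TEMPORARY = 0x40000000
BASE_TYPES = {0: "STYPE_DISKTREE", 1: "STYPE_PRINTQ", 2: "STYPE_DEVICE", 3: "STYPE_IPC"}

# Assumption: shares Windows creates itself; tune this allowlist per environment.
DEFAULT_SHARE = re.compile(r"^([A-Z]\$|ADMIN\$|IPC\$|PRINT\$)$", re.IGNORECASE)
# Assumption: user-writable locations worth a second look when shared.
STAGING_PATH = re.compile(r"\\(temp|users\\public|programdata|perflogs)(\\|$)", re.IGNORECASE)

def decode_type(raw):
    """Split a raw shi502_type value into (base type name, [flag names])."""
    base = BASE_TYPES.get(raw & STYPE_MASK, "UNKNOWN(%d)" % (raw & STYPE_MASK))
    flags = [n for bit, n in ((STYPE_SPECIAL, "STYPE_SPECIAL"),
                              (STYPE_TEMPORARY, "STYPE_TEMPORARY")) if raw & bit]
    return base, flags

def triage(share):
    """Return review reasons for one share record (empty list = nothing flagged)."""
    base, flags = decode_type(share["RawType"])
    name, path = share["Name"], share["Path"]
    reasons = []
    if name.endswith("$") and "STYPE_SPECIAL" not in flags and not DEFAULT_SHARE.match(name):
        reasons.append("hidden share not created by the system")
    if "STYPE_TEMPORARY" in flags:
        reasons.append("temporary share")
    if base == "STYPE_DISKTREE" and not DEFAULT_SHARE.match(name):
        if re.fullmatch(r"[A-Za-z]:\\?", path):
            reasons.append("whole drive shared under a non-default name")
        elif STAGING_PATH.search(path):
            reasons.append("share rooted in a user-writable staging location")
    return reasons

# Constructed sample records; RawType is a hypothetical field holding shi502_type.
SAMPLE = [
    {"Name": "C$", "RawType": 0x80000000, "Path": "C:\\", "Connections": 0},
    {"Name": "IPC$", "RawType": 0x80000003, "Path": "", "Connections": 1},
    {"Name": "SharedDocs", "RawType": 0, "Path": "C:\\SharedDocs", "Connections": 3},
    {"Name": "upd$", "RawType": 0, "Path": "C:\\Users\\Public\\upd", "Connections": 1},
    {"Name": "backup", "RawType": 0x40000000, "Path": "D:\\", "Connections": 0},
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(s["Name"], decode_type(s["RawType"]), triage(s) or "ok")
```

A flagged record is a prompt for review, not a verdict: compare it against the host's known share baseline before drawing conclusions.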