During a recent investigation I came across a process communicating with a file path of z:\. Knowing this was most likely a mapped network share, I had no idea how to obtain the address it mapped to. Below are the instructions for pulling this information out of the Windows registry.
First you'll have to identify the target user's SID. You can achieve this with:
    wmic useraccount get name,sid

    Name            SID
    Administrator   S-1-5-21-1180699209-877415012-3182924384-500
    Guest           S-1-5-21-1180699209-877415012-3182924384-501
    HomeGroupUser$  S-1-5-21-1180699209-877415012-3182924384-1002
Once you have the SID, run the following:
    reg query "HKEY_USERS\[SID]\Network" /s

    HKEY_USERS\[SID]\Network\Y
        RemotePath      REG_SZ      \\server1\share
        UserName        REG_DWORD   0x0
        ProviderName    REG_SZ      Microsoft Windows Network
        ProviderType    REG_DWORD   0x20000
        ConnectionType  REG_DWORD   0x1
        DeferFlags      REG_DWORD   0x1

    HKEY_USERS\[SID]\Network\Z
        RemotePath      REG_SZ      \\server2\temp
        UserName        REG_DWORD   0x0
        ProviderName    REG_SZ      Microsoft Windows Network
        ProviderType    REG_DWORD   0x20000
        ConnectionType  REG_DWORD   0x1
        DeferFlags      REG_DWORD   0x4
Each subkey under Network is a drive letter, and its RemotePath value is the UNC path that drive is mapped to. Hopefully this comes in handy.
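The same lookup, scripted for every user profile loaded on the box, as an added PowerShell example (not code from the original post). It assumes it is run on the host under investigation with rights to read HKEY_USERS; the function name is my own.

```powershell
# Added example: list mapped drives for every user hive loaded under HKEY_USERS,
# resolving each SID to an account name so Z: can be tied to a user and a share.
function Get-MappedDriveFromRegistry {
    [CmdletBinding()]
    param()

    # HKU: is not a default PowerShell drive; register it for this session if missing.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }

    # Only real user SIDs (S-1-5-21-...) carry a Network key; skip *_Classes and well-known SIDs.
    Get-ChildItem -Path 'HKU:\' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
        ForEach-Object {
            $sid = $_.PSChildName

            # Translate the SID to DOMAIN\user; leave a marker if the account cannot be resolved.
            $account = '<unresolved>'
            try {
                $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch { }

            $networkKey = "HKU:\$sid\Network"
            if (-not (Test-Path -Path $networkKey)) { return }   # user has no mapped drives

            # Each subkey of Network is a drive letter (e.g. Z) holding RemotePath.
            Get-ChildItem -Path $networkKey | ForEach-Object {
                $props = Get-ItemProperty -Path $_.PSPath
                [PSCustomObject]@{
                    SID          = $sid
                    Account      = $account
                    Drive        = "$($_.PSChildName):"
                    RemotePath   = $props.RemotePath
                    ProviderName = $props.ProviderName
                    DeferFlags   = $props.DeferFlags
                }
            }
        }
}

# Usage: show which share sits behind Z: for any loaded profile.
Get-MappedDriveFromRegistry | Where-Object { $_.Drive -eq 'Z:' } | Format-Table -AutoSize
```

HKEY_USERS only contains hives of profiles that are currently loaded, so a user who has logged off will not appear; their mapping lives in the NTUSER.DAT of their profile, which must be loaded with reg load before it can be queried this way.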