During a recent investigation I came across a process communicating with a file path of z:\. Knowing this was most likely a mapped network share, I had no idea how to obtain the mapped address. Below are the instructions to pull this information out of the Windows registry.
First you'll have to identify the target user's SID. You can do this with wmic (wmic is deprecated on current Windows builds; the PowerShell equivalent is Get-CimInstance Win32_UserAccount | Select-Object Name,SID):
wmic useraccount get name,sid
Administrator S-1-5-21-1180699209-877415012-3182924384-500
Guest S-1-5-21-1180699209-877415012-3182924384-501
HomeGroupUser$ S-1-5-21-1180699209-877415012-3182924384-1002
Once you have the SID, run the following reg query (substitute the SID for [SID]):
reg query "HKEY_USERS\[SID]\Network" /s

HKEY_USERS\[SID]\Network\Y
    RemotePath        REG_SZ       \\server1\share
    UserName          REG_DWORD    0x0
    ProviderName      REG_SZ       Microsoft Windows Network
    ProviderType      REG_DWORD    0x20000
    ConnectionType    REG_DWORD    0x1
    DeferFlags        REG_DWORD    0x1

HKEY_USERS\[SID]\Network\Z
    RemotePath        REG_SZ       \\server2\temp
    UserName          REG_DWORD    0x0
    ProviderName      REG_SZ       Microsoft Windows Network
    ProviderType      REG_DWORD    0x20000
    ConnectionType    REG_DWORD    0x1
    DeferFlags        REG_DWORD    0x4
Each subkey name under Network (Y, Z) is the drive letter, and the UNC path it maps to is in RemotePath. One caveat: HKEY_USERS\[SID] only exists while that user's profile is loaded, i.e. while the user is logged on. For a logged-off user, or for a profile pulled from a disk image, load the profile's NTUSER.DAT under a temporary key first (reg load HKU\Temp <path>\NTUSER.DAT), run the same query against HKU\Temp\Network, and then reg unload HKU\Temp when you are done. Hopefully this comes in handy.
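The same lookup, scripted, as an added example that is not part of the original post. It walks every hive loaded under HKEY_USERS, returns drive letter, RemotePath and the account name resolved from the SID, and includes a helper that loads an offline NTUSER.DAT under a temporary key for the logged-off-user case. The function names, the HKU: PSDrive and the temporary key name ForensicHive are my own choices; the script assumes it is run from an elevated PowerShell session.

```powershell
# Added example (not from the original post): resolve mapped drive letters to UNC paths
# from HKEY_USERS\<SID>\Network. Assumes an elevated PowerShell session.

function Get-MappedDriveFromRegistry {
    [CmdletBinding()]
    param(
        # Optional SID (or loaded hive name) filter, wildcards allowed. Default: every loaded hive.
        [string]$Sid = '*',
        # Optional drive letter filter, e.g. 'Z'.
        [string]$Drive = '*'
    )

    # HKEY_USERS is not exposed as a PSDrive by default; create HKU: once for this script.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        $null = New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -Scope Script
    }

    Get-ChildItem -Path 'HKU:\' |
        # *_Classes hives are the per-user HKCR overlay and never hold a Network key.
        Where-Object { $_.PSChildName -like $Sid -and $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object {
            $userSid    = $_.PSChildName
            $networkKey = "HKU:\$userSid\Network"
            if (-not (Test-Path -LiteralPath $networkKey)) { return }   # no persistent mappings

            # Best-effort SID -> account name; fails for a temporary hive name or an unknown SID.
            $account = try {
                ([System.Security.Principal.SecurityIdentifier]$userSid).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { $null }

            Get-ChildItem -LiteralPath $networkKey |
                Where-Object { $_.PSChildName -like $Drive } |
                ForEach-Object {
                    $p = Get-ItemProperty -LiteralPath $_.PSPath
                    [pscustomobject]@{
                        SID          = $userSid
                        Account      = $account
                        Drive        = "$($_.PSChildName):"     # subkey name is the drive letter
                        RemotePath   = $p.RemotePath             # the UNC path we are after
                        ProviderName = $p.ProviderName
                        ProviderType = ('0x{0:X}' -f $p.ProviderType)  # 0x20000 = WNNC_NET_LANMAN (SMB)
                        DeferFlags   = $p.DeferFlags             # left uninterpreted; raw value for the record
                    }
                }
        }
}

function Get-MappedDriveFromOfflineHive {
    # Logged-off user or disk image: mount NTUSER.DAT under a temporary key and reuse the lookup.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$NtUserDatPath,   # e.g. a copied NTUSER.DAT; must not be in use
        [string]$TempKeyName = 'ForensicHive'            # hypothetical temporary key name under HKU
    )
    & reg.exe load "HKU\$TempKeyName" $NtUserDatPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $NtUserDatPath (elevated? hive in use?)" }
    try {
        Get-MappedDriveFromRegistry -Sid $TempKeyName
    }
    finally {
        # The registry provider can keep handles open; collect before unloading or reg unload fails.
        [GC]::Collect()
        & reg.exe unload "HKU\$TempKeyName" | Out-Null
    }
}

# Usage: every mapped drive for every loaded profile, then just Z: for one SID.
Get-MappedDriveFromRegistry | Format-Table -AutoSize
Get-MappedDriveFromRegistry -Sid 'S-1-5-21-1180699209-877415012-3182924384-1002' -Drive 'Z'
# Offline profile (path is an assumption for illustration):
# Get-MappedDriveFromOfflineHive -NtUserDatPath 'D:\evidence\Users\jdoe\NTUSER.DAT'
```

The SID filter is matched with -like, so the loaded-hive name used by the offline helper works as a filter the same way a real SID does. Keep in mind that HKU\<SID>\Network only records persistent (reconnect-at-logon) mappings; a drive mapped with net use without /persistent:yes will not appear here.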