Detections
- Home
- - Detections
- -DT083
- ID: DT083
- Created: 25th July 2024
- Updated: 25th July 2024
- Platform: Windows
- Contributor: Ismael Briones-Vilar
Map Network Drive MRU
The MRU (Most Recently Used) Map Network Drive is a Windows registry key located at HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
. This key stores information about recently mapped network drives. By examining the entries in this key, investigators can identify which network drives were mapped by the computer to which drive letter.
Sections
ID | Name | Description |
---|---|---|
IF004.003 | Exfiltration via Personal NAS Device | A subject exfiltrates data using an organization-owned device (such as a laptop) by copying the data from the device to a personal Network Attached Storage (NAS) device, which is attached to a network outside of the control of the organization, such as a home network. Later, using a personal device, the subject accesses the NAS to retrieve the exfiltrated data. |
IF027.002 | Ransomware Deployment | The subject deploys ransomware within the organization’s environment, resulting in the encryption, locking, or destructive alteration of organizational data, systems, or backups. Ransomware used by insiders may be obtained from public repositories, affiliate programs (e.g. RaaS platforms), or compiled independently using commodity builder kits. Unlike external actors who rely on phishing or remote exploitation, insiders often bypass perimeter controls by detonating ransomware from within trusted systems using local access.
Ransomware payloads are typically compiled as executables, occasionally obfuscated using packers or crypters to evade detection. Execution may be initiated via command-line, scheduled task, script wrapper, or automated loader. Encryption routines often target common file extensions recursively across accessible volumes, mapped drives, and cloud sync folders. In advanced deployments, the subject may disable volume shadow copies (vssadmin delete shadows) or stop backup agents (net stop) prior to detonation to increase impact.
In some insider scenarios, ransomware is executed selectively: targeting specific departments, shares, or systems, rather than broad detonation. This behavior may indicate intent to send a message, sabotage selectively, or avoid attribution. Payment demands may be issued internally, externally, or omitted entirely if disruption is the primary motive. |