CHAPTER 15: Network File Shares and Named Pipes

Network shares are designed to exchange files between hosts on the network. Some network shares are critical, such as SYSVOL on domain controllers or the administrative share of the system drive (%systemdrive%$) on every host; changes to these shares are important to monitor.

Named pipes are a mechanism for communication between processes and applications, either within a single host or across the network. In this chapter you will find information about monitoring actions related to network file shares and named pipes.

Network File Shares

A network file share is the common mechanism for sharing files on a Windows host with other hosts. The Common Internet File System (CIFS) and Server Message Block (SMB) protocols are used for communication with network file shares. CIFS is considered legacy; today, the various versions of the SMB protocol are what most network share access operations and interactions use.

Network shares can be accessed via the network using, for example, Windows File Explorer, with the path format \\SERVER\SHARE_NAME, where:

  • SERVER can be an IP address of the target host, NetBIOS name, or DNS name.
  • SHARE_NAME represents the name of the network file share.

To get a list of shares available on the local machine, you can use the NET SHARE command. Figure 15-1 shows an example of the NET SHARE command output.


Figure 15-1: Network shares list ...
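As an added example (not from the book), the following Python parser reads NET SHARE output, baselines a host's share list, and reports added, removed and re-pointed shares, rating SYSVOL and the system-drive share the chapter singles out as critical. The two NET SHARE listings are constructed samples, not real captures.

```python
import re

# Constructed NET SHARE output (not a real capture); columns follow the header.
BASELINE = """\
Share name   Resource                        Remark

-------------------------------------------------------------------------------
ADMIN$       C:\\Windows                      Remote Admin
C$           C:\\                             Default share
IPC$                                         Remote IPC
SYSVOL       C:\\Windows\\SYSVOL\\sysvol        Logon server share
The command completed successfully.
"""
# Same host later (constructed): SYSVOL re-pointed and a new non-admin share added.
SNAPSHOT = """\
Share name   Resource                        Remark

-------------------------------------------------------------------------------
ADMIN$       C:\\Windows                      Remote Admin
C$           C:\\                             Default share
IPC$                                         Remote IPC
Staging      D:\\Staging
SYSVOL       D:\\SYSVOL\\sysvol                Logon server share
The command completed successfully.
"""
CRITICAL = {"SYSVOL", "C$"}  # C$ stands in for %systemdrive%$ on this sample host
LOCAL_PATH = re.compile(r"^[A-Za-z]:\\")

def classify(name):
    return "critical" if name in CRITICAL else "administrative" if name.endswith("$") else "user"

def parse_net_share(text):
    """Return {share_name: (resource, remark)} from NET SHARE output."""
    shares = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Share name", "---", "The command")):
            continue
        fields = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        name, rest = fields[0], fields[1:]
        # Resource is a local path; if the next field is not one, it is the remark (e.g. IPC$).
        resource = rest.pop(0) if rest and LOCAL_PATH.match(rest[0]) else ""
        shares[name] = (resource, " ".join(rest))
    return shares

def diff_shares(before, after):
    # Findings a share monitor would raise, as (kind, share, classification) tuples.
    old, new = parse_net_share(before), parse_net_share(after)
    findings = [("added", n, classify(n)) for n in sorted(new.keys() - old.keys())]
    findings += [("removed", n, classify(n)) for n in sorted(old.keys() - new.keys())]
    findings += [("changed", n, classify(n)) for n in sorted(old.keys() & new.keys()) if old[n][0] != new[n][0]]
    return findings
```

In practice the baseline would be captured once per host and each later NET SHARE run compared against it; any finding rated critical is the kind of change the chapter says to watch.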
