Map drives when connecting to corporate network

In every modern management project where we use Azure AD Join instead of traditional domain join, there are always some network drives that need to be mapped for the end users. Not very modern, I know, but there is a real world out there as well.
On a modern client, sleep and hibernate are the new way to work, so running a script at logon isn’t enough; we need to be more flexible.
There are a great number of great logon script samples out there, so I will not go down that way. Instead, adding a trigger to a scheduled task so that it runs when we connect to a network with a specific name is a useful addition that makes the end-user experience much better.

Here is a short demo of how to map drives when connecting to the corporate network.

But wait! No blue PowerShell splash screen was in the video.
I use PSRun.exe, written by my colleague Johan Schrewelius, which you can find here: https://onevinn.schrewelius.it/Apps01.html. PSRun suppresses the PowerShell splash screen and passes all commands that you run PSRun with directly to PowerShell.

To achieve this, we add a trigger to our scheduled task so that it has two triggers: one that runs at logon and a custom one that runs when the client connects to a network with a specific name. It looks like this:

Schedule Task triggers

The custom event filter contains the name of the network; connecting to a network with that name triggers the script.

Custom event filter
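
The two triggers described above can also be built directly in PowerShell instead of importing an XML file. This is an added example, not the author's code or the contents of ConnectDrives.xml. Assumptions: the network name corp.example.com, the use of event 10000 in the Microsoft-Windows-NetworkProfile/Operational log as the "network connected" event, the PSRun argument line, and running the task as the BUILTIN\Users group.

```powershell
# Added example. Assumed values (not from the original post) are marked below.
$NetworkName = 'corp.example.com'                  # constructed placeholder network name
$InstallPath = "$env:ProgramFiles\ConnectDrives"   # same folder the install script uses

# Trigger 1: run at logon of any user.
$logonTrigger = New-ScheduledTaskTrigger -AtLogOn

# Trigger 2: event-based. Assumption: NetworkProfile event 10000 is logged when a
# network is connected and its "Name" field carries the network profile name.
# A name containing an apostrophe would break this XPath filter.
$subscription = @"
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-NetworkProfile/Operational">
    <Select Path="Microsoft-Windows-NetworkProfile/Operational">
      *[System[(EventID=10000)]] and *[EventData[(Data[@Name='Name']='$NetworkName')]]
    </Select>
  </Query>
</QueryList>
"@

# New-ScheduledTaskTrigger has no event option, so create the CIM trigger object directly.
$eventClass   = Get-CimClass -ClassName MSFT_TaskEventTrigger `
                    -Namespace Root/Microsoft/Windows/TaskScheduler
$eventTrigger = New-CimInstance -CimClass $eventClass -ClientOnly
$eventTrigger.Enabled      = $true
$eventTrigger.Subscription = $subscription

# Drive mappings are per user, so run as the signed-in user rather than SYSTEM.
$principal = New-ScheduledTaskPrincipal -GroupId 'S-1-5-32-545'   # BUILTIN\Users

# Assumption: PSRun forwards this argument line unchanged to PowerShell.
$action = New-ScheduledTaskAction -Execute "$InstallPath\psrun.exe" `
    -Argument "-NoProfile -ExecutionPolicy RemoteSigned -File `"$InstallPath\ConnectDrives.ps1`""

$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries `
    -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew

Register-ScheduledTask -TaskName 'ConnectDrives' -Trigger $logonTrigger, $eventTrigger `
    -Action $action -Principal $principal -Settings $settings -Force
```

With default permissions, standard users cannot modify files under Program Files, so the script and PSRun.exe that the task launches cannot be replaced by the user the task runs as.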

The scripts

I wrote a simple sample script that imports the scheduled task and copies the simple script I used to map the drives to C:\Program Files\ConnectDrives. It also writes a registry key and value, which can be used as a detection method when deploying it as a Win32App to our modern clients.

<#
    Name: Install.ps1 
    Version: 1.0
    Author: Jörgen Nilsson
    Date: 2020-11-15
#>

[string]$RegKeyName = "ConnectDrives"
[string]$FullRegKeyName = "HKLM:\SOFTWARE\ccmexec\" + $RegKeyName
[string]$InstallPath = "$env:ProgramFiles\ConnectDrives"

# Create the registry key and value (used for detection) if the key doesn't exist
If (!(Test-Path $FullRegKeyName)) {
    New-Item -Path $FullRegKeyName -ItemType Directory -Force
    New-ItemProperty -Path $FullRegKeyName -Name "Connectdrives" -Value "1" -PropertyType String -Force
}

# Create the install folder if it doesn't exist
If (!(Test-Path $InstallPath)) {
    New-Item -Path $InstallPath -ItemType Directory -Force
}

# Copy the drive-mapping script and PSRun to the install folder
Copy-Item -Path "$PSScriptRoot\ConnectDrives.ps1" -Destination $InstallPath -Recurse -Force
Copy-Item -Path "$PSScriptRoot\psrun.exe" -Destination $InstallPath -Recurse -Force

# Create the scheduled task from the exported XML definition
Register-ScheduledTask -Xml (Get-Content "$PSScriptRoot\ConnectDrives.xml" | Out-String) -TaskName "ConnectDrives"

The script I used to map the drives:

If (!(Test-Path G:)) {
   New-PSDrive G -PSProvider FileSystem -Persist -Root "\\d00001\share"
}

If (!(Test-Path M:)) {
   New-PSDrive M -PSProvider FileSystem -Persist -Root "\\d00001\sources"
}

Registry key/value configured by the script:

Registry key and value

The files in the script:

Files in the install folder

The scripts can be downloaded here: https://github.com/Ccmexec/Intune-MEM

PSRun needs to be downloaded from here and copied to the folder:
https://onevinn.schrewelius.it/Apps01.html

I hope this is useful!