Event ID 5140 — A network share object was accessed.
Description
A network share object was accessed.
Fields

| Name | Description |
|---|---|
| SubjectUserSid (SID) | [Subject] Security ID |
| SubjectUserName (UnicodeString) | [Subject] Account Name |
| SubjectDomainName (UnicodeString) | [Subject] Account Domain |
| SubjectLogonId (HexInt64) | [Subject] Logon ID |
| ObjectType (UnicodeString) | [Network Information] Object Type |
| IpAddress (UnicodeString) | [Network Information] Source Address |
| IpPort (UnicodeString) | [Network Information] Source Port |
| ShareName (UnicodeString) | [Share Information] Share Name |
| ShareLocalPath (UnicodeString) | [Share Information] Share Path |
| AccessMask (HexInt32) | [Access Request Information] Access Mask (see the access mask reference) |
| AccessList (UnicodeString) | [Access Request Information] Accesses |
Example Event

```json
{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5140,
    "version": 1,
    "level": 0,
    "task": 12808,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2023-11-06T01:51:58.721534+00:00",
    "event_record_id": 300935,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 17692
    },
    "channel": "Security",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-21-1992711665-1655669231-58201500-1000",
    "SubjectUserName": "User",
    "SubjectDomainName": "WINDEV2310EVAL",
    "SubjectLogonId": "0x27844",
    "ObjectType": "File",
    "IpAddress": "::1",
    "IpPort": "62726",
    "ShareName": "\\\\*\\C$",
    "ShareLocalPath": "\\??\\C:\\",
    "AccessMask": "0x1",
    "AccessList": "%%4416\r\n\t\t\t\t"
  },
  "message": ""
}
```
Detection Patterns

Community Notes
Tracks who is accessing shared folders on the network. Very noisy.
Detection Rules

Sigma
- Access To ADMIN$ Network Share (level: low): Detects access to ADMIN$ network share

Splunk
- Network Share Discovery Via Dir Command: The following analytic detects access to Windows administrative SMB shares (Admin$, IPC$, C$) using the 'dir' command. It leverages Windows Security Event Logs with EventCode 5140 to identify this activity. This behavior is significant as it is commonly used by tools like PsExec/PaExec for staging binaries before creating and starting services on remote endpoints, a technique often employed by adversaries for lateral movement and remote code execution. If confirmed malicious, this activity could allow attackers to propagate malware, such as IcedID, across the network, leading to widespread infection and potential data breaches.
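The Sigma and Splunk rules above both reduce to the same check: match the ShareName of a 5140 event against the administrative shares (ADMIN$, IPC$ and the drive-letter shares such as C$) and enrich the hit with who did it, from where, and with which rights. The following Python is an added example, not code from this page or from the Sigma or Splunk projects. It runs that logic over a few constructed event_data records shaped like the example event above (the `svc-backup` and `jdoe` records and their addresses are invented), decodes the hex AccessMask into the file-object access-right names Microsoft documents for file and directory ACEs, and marks loopback sources separately because, as the community note says, this event is very noisy and local-machine hits are usually the first thing an analyst tunes out.

```python
import re

# Constructed sample 5140 event_data records (not real telemetry). Field names and
# backslash escaping follow the example event on this page; all values are made up.
SAMPLE_EVENTS = [
    {"SubjectUserName": "User", "SubjectDomainName": "WINDEV2310EVAL",
     "SubjectLogonId": "0x27844", "IpAddress": "::1", "IpPort": "62726",
     "ShareName": "\\\\*\\C$", "ShareLocalPath": "\\??\\C:\\", "AccessMask": "0x1"},
    {"SubjectUserName": "svc-backup", "SubjectDomainName": "CORP",
     "SubjectLogonId": "0x3a1f2", "IpAddress": "10.0.0.25", "IpPort": "49812",
     "ShareName": "\\\\*\\ADMIN$", "ShareLocalPath": "\\??\\C:\\Windows", "AccessMask": "0x3"},
    {"SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "SubjectLogonId": "0x5c001", "IpAddress": "10.0.0.40", "IpPort": "50110",
     "ShareName": "\\\\*\\Public", "ShareLocalPath": "\\??\\D:\\Public", "AccessMask": "0x1"},
]

# File-object access-right bits as documented for file/directory ACEs
# (FILE_READ_DATA, FILE_WRITE_DATA, ... plus the standard rights DELETE..SYNCHRONIZE).
ACCESS_BITS = {
    0x1: "ReadData/ListDirectory", 0x2: "WriteData/AddFile",
    0x4: "AppendData/AddSubdirectory", 0x8: "ReadEA", 0x10: "WriteEA",
    0x20: "Execute/Traverse", 0x40: "DeleteChild", 0x80: "ReadAttributes",
    0x100: "WriteAttributes", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}

# Matches \\<server>\ADMIN$, \\<server>\IPC$ and drive-letter shares such as \\<server>\C$.
# The server part is usually "*" in 5140 events, as in the example above.
ADMIN_SHARE_RE = re.compile(r"^\\\\[^\\]+\\(ADMIN\$|IPC\$|[A-Z]\$)$", re.IGNORECASE)


def decode_access_mask(mask: str) -> list[str]:
    """Expand a hex AccessMask string such as '0x3' into named rights.

    Bits outside the table are kept as a hex remainder so nothing is silently dropped.
    """
    value = int(mask, 16)
    names = [name for bit, name in ACCESS_BITS.items() if value & bit]
    leftover = value & ~sum(ACCESS_BITS)
    if leftover:
        names.append(hex(leftover))
    return names


def is_admin_share(share_name: str) -> bool:
    """True when the ShareName is one of the administrative shares the rules above target."""
    return ADMIN_SHARE_RE.match(share_name) is not None


def is_loopback(ip: str) -> bool:
    """Local-machine access shows up with a loopback source, as in the page's example event."""
    return ip in ("::1", "127.0.0.1")


def triage(events: list[dict]) -> list[dict]:
    """Return one finding per administrative-share access.

    SubjectLogonId is carried through so the analyst can pivot to the 4624 logon
    event for the same session; 'local' lets loopback noise be filtered downstream.
    """
    findings = []
    for ev in events:
        if not is_admin_share(ev["ShareName"]):
            continue
        findings.append({
            "subject": f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}',
            "logon_id": ev["SubjectLogonId"],
            "source": f'{ev["IpAddress"]}:{ev["IpPort"]}',
            "share": ev["ShareName"],
            "local_path": ev["ShareLocalPath"],
            "rights": decode_access_mask(ev["AccessMask"]),
            "local": is_loopback(ev["IpAddress"]),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Running it reports the C$ access from `::1` (flagged `local`) and the ADMIN$ access from 10.0.0.25 with ReadData and WriteData rights, and ignores the ordinary Public share. A production version would read event_data from the JSON export the page's example came from and would usually suppress `local` hits, group the rest by SubjectLogonId and source address, and escalate when a non-loopback source writes to ADMIN$ or C$ shortly before a service-install event, which is the PsExec-style pattern the Splunk analytic describes.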
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5140
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-share
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5140
- Example event sourced from https://github.com/NextronSystems/evtx-baseline