Event ID 5142 — A network share object was added.
Description
A network share object was added.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| ShareName | UnicodeString | [Share Information] Share Name |
| ShareLocalPath | UnicodeString | [Share Information] Share Path |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5142,
    "version": 0,
    "level": 0,
    "task": 12808,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2019-03-17T19:30:30.324836Z",
    "event_record_id": 6273,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 64
    },
    "channel": "Security",
    "computer": "PC04.example.corp",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-21-3583694148-1414552638-2922671848-1000",
    "SubjectUserName": "IEUser",
    "SubjectDomainName": "PC04",
    "SubjectLogonId": "0x128a9",
    "ShareName": "\\\\*\\PRINT",
    "ShareLocalPath": "c:\\windows\\system32"
  }
}
```
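A triage sketch for 5142 records in the JSON layout of the example event, added here as an illustration and not taken from the referenced sources. The `SENSITIVE_ROOTS` list and the reason labels are assumptions to adapt to local policy.

```python
import json
from pathlib import PureWindowsPath

# Assumed triage policy for this example: local paths that should rarely be shared.
SENSITIVE_ROOTS = [PureWindowsPath(p) for p in (r"C:\Windows", r"C:\Users", r"C:\ProgramData")]

def share_leaf(raw):
    r"""5142 logs ShareName as \\*\NAME; return NAME only."""
    return raw.rstrip("\\").rsplit("\\", 1)[-1]

def triage_5142(event):
    """Return a finding for a 5142 record, or None for any other event."""
    if event.get("system", {}).get("event_id") != 5142:
        return None
    data = event.get("event_data", {})
    raw_path = data.get("ShareLocalPath", "")
    path = PureWindowsPath(raw_path)  # Windows paths compare case-insensitively
    reasons = []
    if raw_path and path == PureWindowsPath(path.anchor):
        reasons.append("drive_root")
    if any(path == r or r in path.parents for r in SENSITIVE_ROOTS):
        reasons.append("sensitive_path")
    share = share_leaf(data.get("ShareName", ""))
    if share.endswith("$"):  # share names ending in $ are hidden from browse lists
        reasons.append("hidden_share")
    return {
        "account": f'{data.get("SubjectDomainName", "")}\\{data.get("SubjectUserName", "")}',
        "logon_id": data.get("SubjectLogonId", ""),
        "share": share,
        "path": raw_path,
        "reasons": reasons,
    }

# Field values copied from the example event on this page.
PAGE_EVENT = json.loads(r'''{"system": {"event_id": 5142}, "event_data": {
  "SubjectUserName": "IEUser", "SubjectDomainName": "PC04", "SubjectLogonId": "0x128a9",
  "ShareName": "\\\\*\\PRINT", "ShareLocalPath": "c:\\windows\\system32"}}''')

# Constructed records for contrast (not from the page).
BENIGN = {"system": {"event_id": 5142}, "event_data": {
    "ShareName": r"\\*\Projects", "ShareLocalPath": r"D:\Data\Projects"}}
ROOT = {"system": {"event_id": 5142}, "event_data": {
    "ShareName": r"\\*\backup$", "ShareLocalPath": "E:\\"}}

if __name__ == "__main__":
    for ev in (PAGE_EVENT, BENIGN, ROOT):
        print(triage_5142(ev))
```

The `logon_id` in each finding can be joined to the logon event for the same session to identify where the account logged on from.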
Community Notes
May be a prelude to data exfiltration. Includes named pipes and IPC$ (confirm if the client address is external/unexpected). May indicate share enumeration and directory walking prior to exfiltration. The RelativeTargetName field may show the original file name and path on the attacker's machine.
References
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5142
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-share
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx