Event ID 5143 — A network share object was modified.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → File Share
Collection Priority: Recommended (Yamato Security)
Opcode: Info

Description

A network share object was modified.

Message #

A network share object was modified.
	
Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Share Information:
	Object Type: %5
	Share Name: %6
	Share Path: %7
	Old Remark: %8
	New Remark: %9
	Old MaxUsers: %10
	New Maxusers: %11
	Old ShareFlags: %12
	New ShareFlags: %13
	Old SD: %14
	New SD: %15

Fields #

Name	Description
`SubjectUserSid` SID	[Subject] Security ID
`SubjectUserName` UnicodeString	[Subject] Account Name
`SubjectDomainName` UnicodeString	[Subject] Account Domain
`SubjectLogonId` HexInt64	[Subject] Logon ID
`ObjectType` UnicodeString	[Share Information] Object Type
`ShareName` UnicodeString	[Share Information] Share Name
`ShareLocalPath` UnicodeString	[Share Information] Share Path
`OldRemark` UnicodeString	[Share Information] Old Remark
`NewRemark` UnicodeString	[Share Information] New Remark
`OldMaxUsers` HexInt32	[Share Information] Old MaxUsers
`NewMaxUsers` HexInt32	[Share Information] New Maxusers
`OldShareFlags` HexInt32	[Share Information] Old ShareFlags
`NewShareFlags` HexInt32	[Share Information] New ShareFlags
`OldSD` UnicodeString	[Share Information] Old SD
`NewSD` UnicodeString	[Share Information] New SD

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5143,
    "version": 0,
    "level": 0,
    "task": 12808,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2020-07-11T17:17:32.128132Z",
    "event_record_id": 1228290,
    "correlation": {},
    "execution": {
      "process_id": 464,
      "thread_id": 472
    },
    "channel": "Security",
    "computer": "fs02.offsec.lan",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-21-4230534742-2542757381-3142984815-1111",
    "SubjectUserName": "admmig",
    "SubjectDomainName": "OFFSEC",
    "SubjectLogonId": "0x202dac8",
    "ObjectType": "Directory",
    "ShareName": "\\\\*\\hidden-share$",
    "ShareLocalPath": "C:\\TOOLS\\hidden-share$",
    "OldRemark": "N/A",
    "NewRemark": "N/A",
    "OldMaxUsers": "0xffffffff",
    "NewMaxUsers": "0xffffffff",
    "OldShareFlags": "0x0",
    "NewShareFlags": "0x0",
    "OldSD": "O:BAG:DUD:(A;;0x1200a9;;;WD)",
    "NewSD": "O:BAG:DUD:(A;;FA;;;S-1-5-21-4230534742-2542757381-3142984815-1107)(A;;0x1301bf;;;WD)"
  }
}

Detection Rules #

View all rules referencing this event →

Kusto Query Language # view in reference

Excessive share permissions source medium: The query searches for event 5143, which is triggered when a share is created or changed and includes de share permissions. First it checks to see if this is a whitelisted share for the system (e.g. domaincontroller netlogon, printserver print$ etc.). The share permissions are then checked against 'allow' rule (A) for a number of well known overly permissive groups, like all users, guests, authenticated users etc. If these are found, an alert is raised so the share creation may be audited. Note: this rule only checks for changed permissions, to prevent repeat alerts if for example a comment is changed, but the permissions are not altered.

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5143
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-share
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx