Event ID 5145 — A network share object was checked to see whether client can be granted desired access.
Description
A network share object was checked to see whether client can be granted desired access.
Fields
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| ObjectType | UnicodeString | [Network Information] Object Type |
| IpAddress | UnicodeString | [Network Information] Source Address |
| IpPort | UnicodeString | [Network Information] Source Port |
| ShareName | UnicodeString | [Share Information] Share Name |
| ShareLocalPath | UnicodeString | [Share Information] Share Path |
| RelativeTargetName | UnicodeString | [Share Information] Relative Target Name |
| AccessMask | HexInt32 | [Access Request Information] Access Mask (see the access mask reference) |
| AccessList | UnicodeString | [Access Request Information] Accesses |
| AccessReason | UnicodeString | — (see known values) |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5145,
    "version": 0,
    "level": 0,
    "task": 12811,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2023-11-06T01:51:58.765174+00:00",
    "event_record_id": 300953,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 20724
    },
    "channel": "Security",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-21-1992711665-1655669231-58201500-1000",
    "SubjectUserName": "User",
    "SubjectDomainName": "WINDEV2310EVAL",
    "SubjectLogonId": "0x27844",
    "ObjectType": "File",
    "IpAddress": "::1",
    "IpPort": "62726",
    "ShareName": "\\\\*\\C$",
    "ShareLocalPath": "\\??\\C:\\",
    "RelativeTargetName": "Users\\User\\Downloads",
    "AccessMask": "0x100081",
    "AccessList": "%%1541\r\n\t\t\t\t%%4416\r\n\t\t\t\t%%4423\r\n\t\t\t\t",
    "AccessReason": "-"
  },
  "message": ""
}
```
Detection Patterns
- Named Pipe (13 rules; Sigma, Splunk): Security-Auditing Event ID 5145: A network share object was checked to see whether client can be granted desired access. OR Sysmon Event ID 17: PipeEvent OR Event ID 18: PipeEvent
- Startup Logon Script Added
- Relay Attack Against
- Discovery: Network Share Discovery
- Lateral Movement: Exploitation of Remote Services (1 rule): Security-Auditing Event ID 4624: An account was successfully logged on. → Event ID 4688: A new process has been created. → Event ID 4697: A service was installed in the system. → Event ID 4698: A scheduled task was created. → Event ID 4699: A scheduled task was deleted. → Event ID 4700: A scheduled task was enabled. → Event ID 4701: A scheduled task was disabled. → Event ID 4702: A scheduled task was updated. → Event ID 5145: A network share object was checked to see whether client can be granted desired access.
Detection Rules
Sigma
- Remote Task Creation via ATSVC Named Pipe (medium): Detects remote task creation via at.exe or API interacting with the ATSVC named pipe.
- DCERPC SMB Spoolss Named Pipe (medium): Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spool service enabled.
- DCOM InternetExplorer.Application Iertutil DLL Hijack - Security (high): Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.
- Impacket PsExec Execution (high): Detects execution of Impacket's psexec.py.
- Possible Impacket SecretDump Remote Activity (high): Detects AD credential dumping using the Impacket secretsdump HKTL.
- First Time Seen Remote Named Pipe (high): This detection excludes known named pipes accessible remotely and notifies on newly observed ones; it may help to detect lateral movement and remote execution using named pipes.
- Windows Network Access Suspicious desktop.ini Action (medium): Detects unusual processes accessing desktop.ini remotely over a network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
- Possible PetitPotam Coerce Authentication Attempt (high): Detects PetitPotam coerced authentication activity.
- Protected Storage Service Access (high): Detects access to the protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers.
- SMB Create Remote File Admin Share (high): Looks for non-system accounts accessing a file over SMB with the write (0x2) access mask via an administrative share (i.e. C$).
- Suspicious PsExec Execution (high): Detects execution of psexec or paexec with a renamed service name. This rule helps to filter out the noise if psexec is used for legitimate purposes or if an attacker uses a different psexec client than the Sysinternals one.
- Suspicious Access to Sensitive File Extensions (medium): Detects known sensitive file extensions accessed on a network share.
- Remote Service Activity via SVCCTL Named Pipe (medium): Detects remote service activity via remote access to the svcctl named pipe.
- Transferring Files with Credential Data via Network Shares (medium): Transferring files with well-known filenames (sensitive files with credential data) using network shares.
- T1047 Wmiprvse Wbemcomn DLL Hijack (high): Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network for a WMI DLL Hijack scenario.
Elastic
- Potential Machine Account Relay Attack via SMB (high): Identifies potential relay attacks against a machine account by identifying network share access events coming from a remote source.ip but using the target server computer account. This may indicate a successful SMB relay attack.
Splunk
- Executable File Written in Administrative SMB Share: The following analytic detects executable files (.exe or .dll) being written to Windows administrative SMB shares (Admin$, IPC$, C$). It leverages Windows Security Event Logs with EventCode 5145 to identify this activity. This behavior is significant as it is commonly used by tools like PsExec/PaExec for staging binaries before creating and starting services on remote endpoints, a technique often employed for lateral movement and remote code execution. If confirmed malicious, this activity could allow an attacker to execute arbitrary code remotely, potentially compromising additional systems within the network.
- High Frequency Copy Of Files In Network Share: The following analytic detects a high frequency of file copying or moving within network shares, which may indicate potential data sabotage or exfiltration attempts. It leverages Windows Security Event Logs (EventCode 5145) to monitor access to specific file types and network shares. This activity is significant as it can reveal insider threats attempting to transfer classified or internal files, potentially leading to data breaches or evidence tampering. If confirmed malicious, this behavior could result in unauthorized data access, data loss, or compromised sensitive information.
- PetitPotam Network Share Access Request: The following analytic detects network share access requests indicative of the PetitPotam attack (CVE-2021-36942). It leverages Windows Event Code 5145, which logs attempts to access network share objects. This detection is significant as PetitPotam can coerce authentication from domain controllers, potentially leading to unauthorized access. If confirmed malicious, this activity could allow attackers to escalate privileges or move laterally within the network, posing a severe security risk. Ensure Event Code 5145 is enabled via Group Policy to utilize this analytic effectively.
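The AccessMask and AccessList fields described in the Fields table, and the admin-share write checks that the "SMB Create Remote File Admin Share" and "Executable File Written in Administrative SMB Share" rules above describe, worked through as an added example. This is not code from this page, from the Sigma, Elastic or Splunk rule sets, or from the referenced sources. The bit names follow the Windows file access rights layout and the %%-codes are the Security log's message-table identifiers for those rights; the "system account" exclusion list, the second (constructed) event and its file name and addresses are assumptions made for illustration.

```python
import re

# Bits of the AccessMask field for ObjectType "File": file-specific rights in the
# low 9 bits, standard rights in bits 16-20 (Windows ACCESS_MASK layout).
FILE_ACCESS_BITS = {
    0x00000001: "ReadData (or ListDirectory)",
    0x00000002: "WriteData (or AddFile)",
    0x00000004: "AppendData (or AddSubdirectory)",
    0x00000008: "ReadEA",
    0x00000010: "WriteEA",
    0x00000020: "Execute (or Traverse)",
    0x00000040: "DeleteChild",
    0x00000080: "ReadAttributes",
    0x00000100: "WriteAttributes",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}

# Message-table identifiers written into AccessList, mapped to the same bits,
# so the two fields of one event can be cross-checked against each other.
ACCESS_LIST_CODES = {
    "%%1537": 0x00010000, "%%1538": 0x00020000, "%%1539": 0x00040000,
    "%%1540": 0x00080000, "%%1541": 0x00100000,
    "%%4416": 0x00000001, "%%4417": 0x00000002, "%%4418": 0x00000004,
    "%%4419": 0x00000008, "%%4420": 0x00000010, "%%4421": 0x00000020,
    "%%4422": 0x00000040, "%%4423": 0x00000080, "%%4424": 0x00000100,
}

WRITE_BITS = 0x00000002 | 0x00000004      # WriteData / AppendData
EXECUTABLE_SUFFIXES = (".exe", ".dll")
FIXED_ADMIN_SHARES = {"ADMIN$", "IPC$"}   # drive shares (C$, D$, ...) matched by pattern


def decode_access_mask(access_mask):
    """Translate a hex AccessMask string such as '0x100081' into right names."""
    mask = int(access_mask, 16)
    return [name for bit, name in FILE_ACCESS_BITS.items() if mask & bit]


def access_list_to_mask(access_list):
    """Rebuild the numeric mask from the %%-codes in AccessList (whitespace ignored)."""
    mask = 0
    for code in re.findall(r"%%\d+", access_list):
        mask |= ACCESS_LIST_CODES.get(code, 0)
    return mask


def is_admin_share(share_name):
    """True for ADMIN$, IPC$ and drive-letter shares; ShareName looks like \\\\*\\C$."""
    last = share_name.rstrip("\\").split("\\")[-1].upper()
    return last in FIXED_ADMIN_SHARES or re.fullmatch(r"[A-Z]\$", last) is not None


def is_system_account(event_data):
    """Assumed exclusion list (not the published rule's filter): LocalSystem,
    machine accounts (name ends with $) and ANONYMOUS LOGON count as 'system'."""
    name = event_data.get("SubjectUserName", "")
    return (event_data.get("SubjectUserSid") == "S-1-5-18"
            or name.endswith("$") or name.upper() == "ANONYMOUS LOGON")


def evaluate_5145(event_data):
    """Apply both admin-share write checks to one event_data dict; return the hits."""
    mask = int(event_data["AccessMask"], 16)
    hits = []
    if (is_admin_share(event_data.get("ShareName", ""))
            and mask & WRITE_BITS
            and not is_system_account(event_data)):
        hits.append("write_to_admin_share")
        target = event_data.get("RelativeTargetName", "").lower()
        if target.endswith(EXECUTABLE_SUFFIXES):
            hits.append("executable_written_to_admin_share")
    return hits


# event_data of the page's example event: a read of a directory over C$.
PAGE_EXAMPLE = {
    "SubjectUserSid": "S-1-5-21-1992711665-1655669231-58201500-1000",
    "SubjectUserName": "User", "SubjectDomainName": "WINDEV2310EVAL",
    "SubjectLogonId": "0x27844", "ObjectType": "File",
    "IpAddress": "::1", "IpPort": "62726",
    "ShareName": "\\\\*\\C$", "ShareLocalPath": "\\??\\C:\\",
    "RelativeTargetName": "Users\\User\\Downloads",
    "AccessMask": "0x100081",
    "AccessList": "%%1541\r\n\t\t\t\t%%4416\r\n\t\t\t\t%%4423\r\n\t\t\t\t",
    "AccessReason": "-",
}

# Constructed sample, not from any real log: a user account writing an .exe into ADMIN$
# (address, port and file name are placeholders).
CONSTRUCTED_WRITE = {
    "SubjectUserSid": "S-1-5-21-1992711665-1655669231-58201500-1000",
    "SubjectUserName": "User", "SubjectDomainName": "WINDEV2310EVAL",
    "SubjectLogonId": "0x27844", "ObjectType": "File",
    "IpAddress": "10.0.0.5", "IpPort": "49812",
    "ShareName": "\\\\*\\ADMIN$", "ShareLocalPath": "\\??\\C:\\Windows",
    "RelativeTargetName": "staged-service.exe",
    "AccessMask": "0x120196",
    "AccessList": "%%1538\r\n%%1541\r\n%%4417\r\n%%4418\r\n%%4420\r\n%%4423\r\n%%4424\r\n",
    "AccessReason": "-",
}

if __name__ == "__main__":
    for label, ev in (("page example", PAGE_EXAMPLE), ("constructed write", CONSTRUCTED_WRITE)):
        print(label, decode_access_mask(ev["AccessMask"]),
              hex(access_list_to_mask(ev["AccessList"])), evaluate_5145(ev))
```

Cross-checking AccessList against AccessMask is a cheap sanity check on a parser: for the page's example, the three codes %%1541, %%4416 and %%4423 rebuild exactly 0x100081, and the mask carries no write bit, so neither check fires; the constructed event carries WriteData/AppendData and an .exe target under ADMIN$, so both fire, while the same event attributed to a machine account is excluded.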
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-file-share
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5145
- Example event sourced from https://github.com/NextronSystems/evtx-baseline