Network Share Access (f5468e67-51c7-4756-9b4f-65707708e7fa)
Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145)
Data Collection Measures:
- Windows:
  - Event ID 5140 – Network Share Object Access: logs every access attempt to a network share.
  - Event ID 5145 – Detailed Network Share Object Access: captures granular access control information, including the requesting user, source IP, and access permissions.
  - Sysmon Event ID 3 – Network Connection Initiated: helps track SMB connections to suspicious or unauthorized network shares.
  - Enable Audit Policy for Network Share Access:
    auditpol /set /subcategory:"File Share" /success:enable /failure:enable
  - Enable PowerShell Logging to Detect Unauthorized SMB Access:
    Set-ExecutionPolicy RemoteSigned
  - Restrict Network Share Access with Group Policy (GPO):
    Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment; set "Access this computer from the network" to restrict unauthorized accounts.
- Linux/macOS:
  - AuditD (open, read, write, connect syscalls): detects access to NFS, CIFS, and SMB network shares.
  - Lsof (lsof | grep nfs or lsof | grep smb): identifies active network share connections.
  - Mount (mount | grep nfs or mount | grep cifs): lists currently mounted network shares.
  - Enable AuditD for SMB/NFS Access:
    auditctl -a always,exit -F arch=b64 -S open -F path=/mnt/share -k network_share_access
  - Monitor Active Network Shares Using Netstat:
    netstat -an | grep :445
- Endpoint Detection & Response (EDR):
- Detects abnormal network share access behavior, such as unusual account usage, large file transfers, or encrypted file activity.
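As an added illustration (not part of the original page or of any vendor tooling), the detection logic below runs over constructed records shaped like the Event ID 5145 fields listed above (user, source IP, share, target, access mask) and flags two of the behaviors an EDR or SIEM rule would look for: access to hidden administrative shares, and one source IP touching several distinct shares within a short window. The line format, field names, thresholds and sample values are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like Event ID 5145 fields (not real log output).
SAMPLE_EVENTS = [
    r"2024-05-01T10:00:01 EventID=5145 User=alice Ip=10.0.0.5 Share=\\*\Finance Target=budget.xlsx Access=0x1",
    r"2024-05-01T10:03:00 EventID=5145 User=svc-backup Ip=10.0.0.9 Share=\\*\C$ Target=Users\Public Access=0x1",
    r"2024-05-01T10:05:00 EventID=5145 User=bob Ip=10.0.0.7 Share=\\*\HR Target=\ Access=0x1",
    r"2024-05-01T10:05:02 EventID=5145 User=bob Ip=10.0.0.7 Share=\\*\Finance Target=\ Access=0x1",
    r"2024-05-01T10:05:03 EventID=5145 User=bob Ip=10.0.0.7 Share=\\*\Eng Target=\ Access=0x1",
    r"2024-05-01T10:05:05 EventID=5145 User=bob Ip=10.0.0.7 Share=\\*\IPC$ Target=srvsvc Access=0x12019f",
]
LINE_RE = re.compile(
    r"(?P<ts>\S+) EventID=(?P<id>\d+) User=(?P<user>\S+) Ip=(?P<ip>\S+) "
    r"Share=(?P<share>\S+) Target=(?P<target>\S+) Access=(?P<access>\S+)"
)
# Hidden administrative shares: <drive>$ or ADMIN$ (IPC$ alone is routine SMB traffic).
ADMIN_SHARE_RE = re.compile(r"^(?:[a-z]\$|admin\$)$", re.IGNORECASE)

def parse_events(lines):
    """Return one dict per parseable 5145 line; other lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("id") != "5145":
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["share_name"] = e["share"].rsplit("\\", 1)[-1]  # \\*\C$ -> C$
        events.append(e)
    return events

def detect(lines, max_shares=3, window=timedelta(seconds=60)):
    """Flag admin-share access and one source IP touching many distinct shares."""
    findings, by_ip = [], defaultdict(list)
    for e in parse_events(lines):
        if ADMIN_SHARE_RE.match(e["share_name"]):
            findings.append(("admin_share", e["ip"], e["user"], e["share_name"]))
        by_ip[e["ip"]].append(e)
    for ip, evs in by_ip.items():
        evs.sort(key=lambda x: x["ts"])
        for i, first in enumerate(evs):  # sliding window over that IP's events
            shares = {x["share_name"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(shares) >= max_shares:
                findings.append(("share_sweep", ip, first["user"], sorted(shares)))
                break
    return findings
```

Feeding real 5145 events would mean mapping the XML fields (SubjectUserName, IpAddress, ShareName, RelativeTargetName, AccessMask) into the same dict keys; the thresholds should be tuned to what backup and file-server accounts legitimately do in the environment.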