Network Share Access

Opening a network share, which makes its contents available to the requestor (e.g., Windows EID 5140 or 5145). The share-open event shows who reached which share from where; what was then read or written inside it needs the detailed (per-object) events or EDR telemetry.

Data Collection Measures:

  • Windows:
    • Event ID 5140 – A network share object was accessed. Records the account (SubjectUserName), source IP and port, share name (e.g., \\*\C$) and access mask. It is written once per share per session on first access, so it proves a share was opened, not what was read from it.
    • Event ID 5145 – A network share object was checked to see whether the client can be granted desired access. Written for every file or folder operation inside the share and adds RelativeTargetName, AccessList and AccessReason; this is the event that answers "which file" and "read or write", at the cost of very high volume on busy file servers.
    • Sysmon Event ID 3 – Network connection detected. 5140/5145 are server-side; Sysmon on the client ties the outbound TCP 445 connection to the initiating process (net.exe, explorer.exe, powershell.exe), which is what separates a user browsing a share from a tool sweeping them.
    • Enable audit policy for network share access. 5140 lives in the "File Share" subcategory and 5145 in "Detailed File Share"; both are off by default, and enabling only the first yields no 5145 events at all:
      auditpol /set /subcategory:"File Share" /success:enable /failure:enable
      auditpol /set /subcategory:"Detailed File Share" /success:enable /failure:enable
    • Enable PowerShell script block logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational), via GPO or the ScriptBlockLogging policy key, so that New-PSDrive, Get-SmbShare or Copy-Item commands aimed at remote shares are recorded. Set-ExecutionPolicy RemoteSigned only controls which scripts may run and enables no logging.
    • Restrict network share access with Group Policy (GPO): Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment → "Access this computer from the network"; limit it to the groups that need it. This is a preventive control rather than a data source, but denied attempts are still audited as failure events once failure auditing is on.
  • Linux/macOS:
    • AuditD (open, openat, read, write, connect syscalls): detects access to mounted NFS and CIFS/SMB shares; auditing connect to ports 445 or 2049 identifies the hosts that reach out to shares.
    • lsof (lsof | grep nfs or lsof | grep smb): identifies processes holding files open on network mounts.
    • mount (mount | grep nfs or mount | grep cifs): lists currently mounted network shares.
    • Enable AuditD for SMB/NFS access. -F path= matches one exact file, and glibc opens files through openat, so watch the mount point as a directory and include both syscalls:
      auditctl -a always,exit -F arch=b64 -S open,openat -F dir=/mnt/share -k network_share_access
      (the equivalent file-system watch is auditctl -w /mnt/share -p rwa -k network_share_access)
    • Monitor active SMB/NFS sessions: netstat -an | grep :445 (on current distributions ss -tan | grep -E ':(445|2049)', which also covers NFS).
  • Endpoint Detection & Response (EDR):
    • Detects abnormal network share access behavior, such as an account touching shares it never used before, large outbound file transfers, or mass rewriting of share contents with encrypted data as seen in ransomware runs.
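The measures above produce raw 5140/5145 records; the rules a detection engineer would layer on top of them, as an added example that is not part of the ATT&CK page, follow below. The events are constructed inline in the Windows event XML schema, and every account, IP, share name, allow-list and the enumeration threshold are hypothetical assumptions:

```python
"""Triage of Windows Security events 5140/5145 (network share access).

Added example for this page, not code from MITRE ATT&CK. The event records
below are constructed in the Windows event XML schema; every account, host,
IP and share name in them is hypothetical.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Administrative shares that ordinary user accounts have no business opening.
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}
# FILE_WRITE_DATA bit of the AccessMask field: set when the request includes write.
FILE_WRITE_DATA = 0x2


def parse_event(xml_text):
    """Flatten one event: EventID plus each <Data Name="..."> of EventData."""
    root = ET.fromstring(xml_text)
    rec = {"EventID": int(root.find("e:System/e:EventID", NS).text)}
    for data in root.findall("e:EventData/e:Data", NS):
        rec[data.get("Name")] = (data.text or "").strip()
    return rec


def share_name(rec):
    """ShareName is UNC-style with a wildcard host; keep only the last part."""
    # e.g. '\\*\C$' -> 'C$'
    return rec.get("ShareName", "").rsplit("\\", 1)[-1].upper()


def triage(events, admin_accounts, sysvol_allowed_ips, enum_threshold=3):
    """Run three rules over parsed events and return alert strings.

    1. admin share opened by an account outside admin_accounts
    2. SYSVOL touched from an IP outside sysvol_allowed_ips (writes are worse)
    3. one account/source pair touching enum_threshold distinct shares
    """
    alerts = []
    shares_seen = defaultdict(set)  # (user, ip) -> distinct shares touched
    for rec in events:
        if rec["EventID"] not in (5140, 5145):
            continue
        user = rec.get("SubjectUserName", "").lower()
        ip = rec.get("IpAddress", "")
        share = share_name(rec)
        mask = int(rec.get("AccessMask", "0x0"), 16)
        target = rec.get("RelativeTargetName", "")  # only present in 5145
        shares_seen[(user, ip)].add(share)

        if share in ADMIN_SHARES and user not in admin_accounts:
            alerts.append(f"admin share {share} accessed by non-admin {user} "
                          f"from {ip} target={target or '-'}")
        if share == "SYSVOL" and ip not in sysvol_allowed_ips:
            kind = "write" if mask & FILE_WRITE_DATA else "read"
            alerts.append(f"SYSVOL {kind} access from unexpected endpoint {ip} "
                          f"by {user} target={target or '-'}")
    for (user, ip), shares in shares_seen.items():
        if len(shares) >= enum_threshold:
            alerts.append(f"possible share enumeration: {user}@{ip} "
                          f"touched {sorted(shares)}")
    return alerts


def _evt(event_id, **data):
    """Build a constructed Security event in the schema Get-WinEvent returns."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f"</System><EventData>{body}</EventData></Event>")


# Constructed sample input: one user browsing, then probing C$ and SYSVOL,
# a backup service touching ADMIN$, and a domain controller reading SYSVOL.
SAMPLE_EVENTS = [
    _evt(5140, SubjectUserName="jdoe", IpAddress="10.0.5.23",
         ShareName=r"\\*\Finance", AccessMask="0x1"),
    _evt(5145, SubjectUserName="jdoe", IpAddress="10.0.5.23",
         ShareName=r"\\*\C$", RelativeTargetName=r"Windows\Temp\a.exe",
         AccessMask="0x2"),
    _evt(5145, SubjectUserName="svc_backup", IpAddress="10.0.9.7",
         ShareName=r"\\*\ADMIN$", RelativeTargetName=r"System32\svchost.exe",
         AccessMask="0x1"),
    _evt(5145, SubjectUserName="jdoe", IpAddress="10.0.5.23",
         ShareName=r"\\*\SYSVOL", RelativeTargetName=r"corp.example\Policies",
         AccessMask="0x2"),
    _evt(5145, SubjectUserName="DC01$", IpAddress="10.0.1.10",
         ShareName=r"\\*\SYSVOL", RelativeTargetName=r"corp.example\Policies",
         AccessMask="0x1"),
]


def run_sample():
    """Parse the constructed events and return the alerts the rules raise."""
    events = [parse_event(x) for x in SAMPLE_EVENTS]
    # Hypothetical allow-lists: the backup service account and the DC itself.
    return triage(events, admin_accounts={"svc_backup", "administrator"},
                  sysvol_allowed_ips={"10.0.1.10"})


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the constructed input the script raises three alerts for jdoe (the C$ open, the SYSVOL write, and touching three distinct shares from one host) and none for the backup account or the domain controller. In production the allow-lists would come from group membership and the DC inventory, and the enumeration rule would be windowed by time rather than run over a whole batch.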
ID: DC0102
Domains: ICS, Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 21 October 2025

Log Sources

Name                                              Channel
m365:unified                                      FileUploaded, FileAccessed
Network Share                                     None
NSM:Flow                                          smb_files.log
WinEventLog:Microsoft-Windows-SMBClient/Security  EventID=31001
WinEventLog:Microsoft-Windows-SMBServer           Access to SYSVOL share from non-admin user or unusual endpoints
WinEventLog:Security                              EventCode=5140
WinEventLog:Security                              EventCode=5145

Detection Strategy