5140 A network share object was accessed

Logged when a network share is accessed. It captures share access over SMB and can be used to detect lateral movement and data exfiltration.

Overview

This event belongs to the Audit File Share subcategory and is generated when a client accesses a network (SMB) share. It records the accessing account, source IP, and target share name. Access to individual files within a share is recorded in detail by 5145.

How it is triggered

  • Access to a file share, an administrative share such as C$/ADMIN$, or IPC$.
  • It often follows a network logon 4624 (Type 3).

Security review points

  • Access to administrative shares (C$ / ADMIN$) is a hallmark of lateral movement and remote execution using tools like PsExec. Confirm the source IP and account are as expected.
  • Anonymous or high-volume access to IPC$ can be a sign of enumeration (reconnaissance). Accessing shares on many hosts in a short time suggests lateral movement.
  • Correlate with network logon 4624 (Type 3, NTLM) and any pass-the-hash context to track which account accessed which share, and from where.

Notes for log review

  • It appears in volume during normal file-server use. Aggregate by source IP, account, and share name, and narrow to administrative-share access or anomalous sources.
  • The share name \\*\IPC$ appears frequently with connection establishment and tends to be noise. Focus on access to administrative or sensitive shares.
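
The aggregation described in the review points and log-review notes above, as an added example (not part of the original page): it groups constructed 5140 records by source IP, account and share name, keeps only administrative-share access, and flags a source that reaches several hosts in a short window. The record layout, the logging-host column, the 10-minute window and the 3-host threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_SHARES = {"C$", "ADMIN$"}  # administrative shares named on this page

# Constructed sample 5140 records, not real logs:
# (time, logging host, Subject\Account Name, Source Address, Share Name)
EVENTS = [
    ("2024-05-01T09:00:00", "FS01", "alice", "10.0.0.21", r"\\*\Finance"),
    ("2024-05-01T09:00:01", "FS01", "alice", "10.0.0.21", r"\\*\IPC$"),
    ("2024-05-01T09:05:00", "WS01", "svc_backup", "10.0.0.50", r"\\*\ADMIN$"),
    ("2024-05-01T09:06:00", "WS02", "svc_backup", "10.0.0.50", r"\\*\ADMIN$"),
    ("2024-05-01T09:07:30", "WS03", "svc_backup", "10.0.0.50", r"\\*\C$"),
    ("2024-05-01T11:00:00", "FS01", "bob", "10.0.0.33", r"\\*\C$"),
    ("2024-05-01T13:00:00", "FS02", "alice", "10.0.0.21", r"\\*\Projects"),
]

def share_leaf(share_name):
    # Reduce a Share Name to its last path component, upper-cased.
    return share_name.rsplit("\\", 1)[-1].upper()

def triage(events, window=timedelta(minutes=10), host_threshold=3):
    admin_hits = defaultdict(int)  # (source, account, share) -> event count
    touched = defaultdict(list)    # source -> [(time, logging host)]
    for ts, host, account, src, share in events:
        leaf = share_leaf(share)
        if leaf in ADMIN_SHARES:   # IPC$ and ordinary shares are not counted here
            admin_hits[(src, account, leaf)] += 1
        touched[src].append((datetime.fromisoformat(ts), host))
    fanout = {}  # source -> most distinct hosts reached inside one window
    for src, seen in touched.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            hosts = {h for t, h in seen[i:] if t - start <= window}
            if len(hosts) >= host_threshold:
                fanout[src] = max(fanout.get(src, 0), len(hosts))
    return dict(admin_hits), fanout

if __name__ == "__main__":
    admin, fanout = triage(EVENTS)
    for (src, account, share), n in sorted(admin.items()):
        print(f"admin share {share}: {account} from {src} x{n}")
    for src, n in fanout.items():
        print(f"{src} reached {n} hosts within the window")
```

Whether a flagged source and account are expected still has to be confirmed against known administration hosts, as the review points say.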

Key fields

| Field | Meaning |
| --- | --- |
| Share Name | The accessed share (check whether it is C$/ADMIN$) |
| Source Address | The accessing IP |
| Subject\Account Name | The accessing account |
