5142 A network share object was added
Logged when a network share is created. It helps catch activity such as an attacker creating a share for data exfiltration.
Overview
The audit subcategory is Audit File Share. The event is generated when a new network share (SMB share) is created, and it records the share name, share path, and creating subject.
How it is triggered
- Creating a share via net share, New-SmbShare, management tools, and so on.
Security review points
- An attacker may create their own share to exfiltrate collected data or distribute tools. Note share creation by unexpected hosts or subjects, and unfamiliar share names/paths.
- Share creation on a non-server endpoint, or a share exposing a sensitive folder, is especially notable. Correlate with share access events (5140) to track how the created share is used.
Notes for log review
- Shares are created legitimately on file servers. Match the creating host, subject, and exposed path against normal patterns.
- Review share creation on workstations, or shares with broad write permissions, as a high priority.
Key fields
| Field | Meaning |
|---|---|
| Share Name / Share Path | The created share and exposed path |
| Subject\Account Name | The subject that created it |
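
The review points above, as an added triage example (not part of the original page): it flags 5142 records whose host, subject, or path fall outside a baseline and attaches later 5140 accesses to the same share. The events, host names, baseline sets, and the id/time/host keys are constructed; SubjectUserName, ShareName, ShareLocalPath, and IpAddress are assumed to be the field names your log pipeline exposes for these events.

```python
# Added example: triage of 5142 (share created) with follow-up 5140 (share accessed).
# All events and baselines below are constructed for illustration.
FILE_SERVERS = {"FS01"}            # hypothetical: hosts where share creation is normal
SHARE_ADMINS = {"svc-fileadmin"}   # hypothetical: subjects expected to create shares
SENSITIVE = ("c:\\users", "c:\\windows")  # hypothetical sensitive path roots

EVENTS = [
    {"id": 5142, "time": "2024-05-02T09:00:00Z", "host": "FS01",
     "SubjectUserName": "svc-fileadmin", "ShareName": r"\\*\Projects",
     "ShareLocalPath": r"D:\Shares\Projects"},
    {"id": 5142, "time": "2024-05-02T23:41:10Z", "host": "WKS-114",
     "SubjectUserName": "jdoe", "ShareName": r"\\*\tmp$",
     "ShareLocalPath": r"C:\Users\jdoe\AppData\Local\Temp\out"},
    {"id": 5140, "time": "2024-05-02T23:43:55Z", "host": "WKS-114",
     "SubjectUserName": "jdoe", "ShareName": r"\\*\tmp$", "IpAddress": "10.0.5.23"},
    {"id": 5140, "time": "2024-05-02T10:15:00Z", "host": "FS01",
     "SubjectUserName": "asmith", "ShareName": r"\\*\Projects", "IpAddress": "10.0.2.7"},
]

def under(path, root):
    """True if path is root itself or a folder below it (case-insensitive)."""
    path, root = path.lower().rstrip("\\"), root.lower()
    return path == root or path.startswith(root + "\\")

def triage(events):
    findings = []
    for ev in (e for e in events if e["id"] == 5142):
        reasons = []
        if ev["host"] not in FILE_SERVERS:
            reasons.append("created on non-file-server host")
        if ev["SubjectUserName"].lower() not in SHARE_ADMINS:
            reasons.append("unexpected creating subject")
        if any(under(ev["ShareLocalPath"], r) for r in SENSITIVE):
            reasons.append("exposes sensitive path")
        if not reasons:
            continue
        # 5140 records for the same share on the same host, at or after creation
        sources = sorted({a["IpAddress"] for a in events
                          if a["id"] == 5140 and a["host"] == ev["host"]
                          and a["ShareName"] == ev["ShareName"]
                          and a["time"] >= ev["time"]})
        findings.append({"host": ev["host"], "share": ev["ShareName"],
                         "path": ev["ShareLocalPath"], "reasons": reasons,
                         "accessed_from": sources})
    return findings

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f)
```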