5143 A network share object was modified
Written when a network share’s settings are changed. It captures loosening of defenses through changes to a share’s permissions (share ACL).
Overview
The subcategory is Audit File Share. It is generated when an existing network share’s properties (share permissions, path, etc.) are changed. It is a share-change event alongside addition 5142 and deletion 5144.
How it is triggered
- Changing a share’s permissions (share-level ACL) or path.
Security review points
- A change that loosens share permissions (such as granting Everyone write access) can be a technique for an attacker to make the share easier to abuse or to create an exfiltration path. Check the permission scope after the change.
- Note expansion of permissions on sensitive shares. Together with share access 5140, track how it is used after the change.
Notes for log review
- It also occurs during legitimate operational changes. Match the changed share, permission scope, and subject against normal patterns.
- Confirm changes that broaden permissions (especially Everyone/write) at high priority.
Key fields
| Field | Meaning |
|---|---|
Share Name | The changed share |
| Post-change share ACL | The permission content |
Subject\Account Name | The subject that made the change |