5144 A network share object was deleted
Written when a network share is deleted. Paired with addition 5142, it tracks the share’s lifecycle.
Overview
The subcategory is Audit File Share. It is generated when an existing network share is deleted.
How it is triggered
- Deleting a share via
net share /delete,Remove-SmbShare, management tools, and so on.
Security review points
- An attacker may later delete a share used for exfiltration or tool distribution to erase traces. Cross-reference with the addition 5142 and access 5140 history to determine what the share was used for.
- Deleting an operationally needed share affects availability. Also confirm deletion of important shares.
Notes for log review
- It also occurs during legitimate cleanup. Match the deleted share and subject against normal patterns.
- A share that goes create-then-access-then-delete in a short time is notable as a possible temporary exfiltration path.
Key fields
| Field | Meaning |
|---|---|
Share Name | The deleted share |
Subject\Account Name | The subject that performed the deletion |