Event 5145: A network share object access check.
Quick Answer
Event 5145 is generated when Windows checks whether a client can be granted the access it requested to a specific file or folder inside a network share, so it records which objects within a share are actually accessed. This event provides granular visibility beyond Event 5140 (share-level access) for detecting data exfiltration, ransomware file encryption, and unauthorized access to sensitive documents on file servers.
Technical Details
Event ID: 5145
Log: Windows Security. Category: Object Access.
Event Description
A network share object was checked to see whether the client can be granted desired access.
Key Log Fields
- SubjectUserName - Account that accessed the file
- SubjectDomainName - Domain of the account
- SubjectLogonId - Logon ID for correlation
- ObjectType - Type of object (File/Folder)
- IpAddress - Source IP address
- IpPort - Source port
- ShareName - Share name
- RelativeTargetName - Relative path and filename within the share
- AccessMask - Access rights (0x1=ReadData, 0x2=WriteData, 0x4=AppendData, 0x80=ReadAttributes)
- AccessList - Textual representation of access rights
MITRE ATT&CK® Mapping
- T1039 Data from Network Shared Drive: Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information.
- T1135 Network Share Discovery: Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. File sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the `net view \\remotesystem` command. It can also be used to query shared drives on the local system using `net share`. For macOS, the `sharing -l` command lists all shared points used for smb services.
Event Comparison
Event 5145 provides detailed file-level access within shares, while Event 5140 logs share-level access. Event 4663 monitors local file access. Enable both Event 5140 and 5145 together for complete network share access visibility from share connection through file operations.
What This Event Means
Event 5145 provides file-level access visibility within network shares, which is essential for detecting data theft, ransomware encryption, and unauthorized document access. While Event 5140 logs access to shares themselves, Event 5145 captures detailed file and folder operations including read, write, delete, and execute actions on specific objects within shares. This granular visibility enables security teams to detect attackers staging sensitive data for exfiltration, ransomware encrypting files across network shares, or unauthorized users accessing confidential documents. The event includes the user account, source IP, share name, file path, and access mask showing requested permissions. Security teams should enable Event 5145 on file servers containing sensitive data and monitor for unusual access patterns, mass file enumeration, or access to restricted documents by unauthorized accounts.
Security Implications
- Data exfiltration detection through monitoring access to sensitive files on file servers by unexpected accounts or from unusual source IPs
- Ransomware file encryption visible through rapid write/delete operations across thousands of files on network shares
- Insider threats accessing confidential documents outside their authorized business unit or job role
- Intellectual property theft detectable through systematic access to design files, source code, or proprietary documents
- APT groups like APT28 and FIN7 systematically access and stage sensitive files on network shares before exfiltration
Detection Strategies
Enable Event 5145 auditing on file servers containing sensitive data, focusing on shares with confidential documents, source code, or personally identifiable information. Alert on access to restricted folders by accounts outside authorized groups. Monitor for mass file access patterns where single users or source IPs access hundreds of files in short timeframes, indicating potential ransomware scanning or data staging. Track first-time access relationships where users access files they've never accessed historically. Correlate Event 5145 with Event 5140 to understand complete access chains from share connection through specific file operations. Monitor for unusual file access during off-hours or from unexpected geolocations. Alert on access to sensitive file types (financial spreadsheets, legal documents, HR records) by accounts outside expected departments.
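The AccessMask decoding from the Key Log Fields section and two of the detections just described (mass write activity by one account and source IP inside a short window, and access to a restricted folder by an account outside its authorized group) are shown below as an added example; this is not code from the original page. It assumes a constructed flat "Field=value|Field=value" record format rather than the real EVTX/XML layout, constructed sample records and an authorization policy, and a threshold and window that are illustrative. The four AccessMask bits named on the page are extended with the other standard Windows file access-right bits so that a full mask such as 0x12019F decodes completely.

```python
"""Added example (not from the original page): decode Event 5145 AccessMask values and
run two of the detections the text describes over constructed sample records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Standard Windows file/directory access-right bits as they appear in AccessMask.
# The first four are the ones the page lists; the rest are the remaining documented rights.
ACCESS_BITS = {
    0x1: "ReadData/ListDirectory",
    0x2: "WriteData/AddFile",
    0x4: "AppendData/AddSubdirectory",
    0x8: "ReadEA",
    0x10: "WriteEA",
    0x20: "Execute/Traverse",
    0x40: "DeleteChild",
    0x80: "ReadAttributes",
    0x100: "WriteAttributes",
    0x10000: "DELETE",
    0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}
WRITE_LIKE = 0x2 | 0x4 | 0x10000  # WriteData, AppendData, DELETE: the rights ransomware needs


def decode_access_mask(mask):
    """Return the right names set in an AccessMask (int or hex string such as '0x12019F').
    Bits with no known name are reported as hex so nothing is silently dropped."""
    if isinstance(mask, str):
        mask = int(mask, 16)
    names = [name for bit, name in ACCESS_BITS.items() if mask & bit]
    unknown = mask & ~sum(ACCESS_BITS)
    if unknown:
        names.append(hex(unknown))
    return names


def parse_record(line):
    """Parse one constructed 'Field=value|Field=value' line into a dict with a datetime and int mask."""
    rec = dict(field.split("=", 1) for field in line.strip().split("|"))
    rec["TimeCreated"] = datetime.fromisoformat(rec["TimeCreated"])
    rec["AccessMask"] = int(rec["AccessMask"], 16)
    return rec


def mass_write_alerts(records, threshold=5, window=timedelta(minutes=10)):
    """Flag (user, source IP) pairs whose write-like events touch at least `threshold` distinct
    share paths inside a sliding `window`. Returns {(user, ip): peak distinct-file count}."""
    by_actor = defaultdict(list)
    for r in sorted(records, key=lambda r: r["TimeCreated"]):
        if r["AccessMask"] & WRITE_LIKE:
            by_actor[(r["SubjectUserName"], r["IpAddress"])].append(r)
    alerts = {}
    for actor, evs in by_actor.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["TimeCreated"] - evs[start]["TimeCreated"] > window:
                start += 1  # slide the window forward until it spans at most `window`
            files = {(e["ShareName"], e["RelativeTargetName"]) for e in evs[start:end + 1]}
            if len(files) >= threshold:
                alerts[actor] = max(alerts.get(actor, 0), len(files))
    return alerts


def restricted_access_alerts(records, policy):
    """policy maps (ShareName, RelativeTargetName prefix) -> accounts allowed under that prefix.
    Any 5145 under a restricted prefix by an account outside that set is returned."""
    hits = []
    for r in records:
        for (share, prefix), allowed in policy.items():
            if (r["ShareName"].lower() == share.lower()
                    and r["RelativeTargetName"].lower().startswith(prefix.lower())
                    and r["SubjectUserName"].lower() not in {a.lower() for a in allowed}):
                hits.append((r["SubjectUserName"], r["ShareName"], r["RelativeTargetName"]))
    return hits


def _line(t, user, logon, ip, share, path, mask):
    return (f"TimeCreated={t}|SubjectUserName={user}|SubjectLogonId={logon}|IpAddress={ip}"
            f"|ShareName={share}|RelativeTargetName={path}|AccessMask={mask}")


# Constructed sample records (not real telemetry): a backup account reading Finance, the CFO
# reading an M&A deck, and "jdoe" reading an M&A file and then writing six files in seconds.
SAMPLE_LINES = [
    _line("2024-03-01T02:10:00", "svc-backup", "0x3e7a1", "10.0.5.20", r"\\*\Finance", r"Q1\budget.xlsx", "0x80"),
    _line("2024-03-01T02:10:05", "svc-backup", "0x3e7a1", "10.0.5.20", r"\\*\Finance", r"Q1\forecast.xlsx", "0x1"),
    _line("2024-03-01T09:00:00", "cfo", "0x5a0c2", "10.0.7.10", r"\\*\Finance", r"MA\plan.pptx", "0x1"),
    _line("2024-03-01T09:01:00", "jdoe", "0x6b1d3", "10.0.7.44", r"\\*\Finance", r"MA\deal.docx", "0x1"),
] + [
    _line(f"2024-03-01T09:02:{i:02d}", "jdoe", "0x6b1d3", "10.0.7.44", r"\\*\Users", rf"shared\doc{i}.docx", "0x12019F")
    for i in range(6)
]
# Constructed policy: only these accounts may touch the M&A folder on the Finance share.
POLICY = {(r"\\*\Finance", "MA\\"): {"cfo", "fin-analyst"}}

if __name__ == "__main__":
    recs = [parse_record(line) for line in SAMPLE_LINES]
    print("0x12019F ->", decode_access_mask("0x12019F"))
    print("mass writes:", mass_write_alerts(recs))
    print("restricted:", restricted_access_alerts(recs, POLICY))
```

The write-only filter is what separates a backup job reading thousands of files from encryption activity: 0x12019F decodes to ReadData, WriteData, AppendData, ReadEA, WriteEA, ReadAttributes, WriteAttributes, READ_CONTROL and SYNCHRONIZE, so it counts, while the backup account's 0x1 and 0x80 reads do not. Tune the threshold and window to the share's normal write rate before alerting on it.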
Note: Comprehensive SIEM detection queries for Splunk SPL, Microsoft KQL, and Elastic Query DSL will be added in future updates.
Real-World Attack Examples
- Ryuk ransomware: Event 5145 showed write operations across 50,000+ files on file server shares within a 10-minute period before complete encryption
- Insider threat data theft: Event 5145 revealed an employee systematically accessing 200+ confidential strategy documents from an executive share before resignation and competitor employment
- APT28 exfiltration: Attackers accessed financial planning documents and M&A strategy files on the CFO share, generating Event 5145 before the data appeared in external threat intelligence feeds
- FIN7 reconnaissance: Event 5145 showed automated file enumeration across all accessible shares, cataloging file types and locations before targeting payment card data files