Network file shares are the unsung workhorses of many business environments. They’re essential for collaboration and data access, but this utility also makes them a prime target for attackers. From snooping for sensitive data to moving laterally across your network, adversaries frequently exploit file shares as a core part of their operations.
So, how can you fight back? The good news is that you likely already have the tools you need. Buried within Windows are powerful event logs that, when properly configured, can illuminate malicious file share activity. This guide will walk you through why this matters, which logs to enable, and how to use them to hunt for threats.
If you look at the MITRE ATT&CK® framework, you’ll see network shares pop up time and time again. They are a veritable watering hole for threat actors, providing a central point to stage attacks, exfiltrate data, and spread malware.
Here are just a few ways attackers leverage them:
Data Collection: Threat groups like APT28 and menuPass are known to use built-in tools like net use to access and collect data from network drives (MITRE T1039: Data from Network Shared Drive).
Lateral Movement: The infamous Sandworm team and other groups use protocols like SMB to move malicious tools and files between systems on a network, hopping from one machine to the next.
Content Tainting: This is a classic ransomware tactic. Groups like Conti will infect files on a shared drive, waiting for unsuspecting users to open them and trigger the malware’s spread across the organization (MITRE T1080: Taint Shared Content). Even the notorious Stuxnet worm used this technique to propagate.
Auditing your file shares is not just a best practice; it’s a critical line of defense for detecting these behaviors early in the attack lifecycle.
By default, Windows doesn’t log the granular detail we need for effective threat hunting. You have to turn it on. You can do this on a per-machine basis or across your entire domain.
Local Policy: For a specific server (like a critical file server or domain controller), you can use the Local Security Policy editor (secpol.msc).
Domain Policy: To apply settings across multiple workstations or servers, you’ll want to configure this in a Group Policy Object (GPO) from a domain controller. This is the most scalable approach for enterprise environments.
Navigate to Advanced Audit Policy Configuration > Object Access and you will find two key subcategories to configure:
Audit File Share
Audit Detailed File Share
Enabling these will begin generating the powerful event logs we need for our hunt.
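For the local-policy case, the same two subcategories can be switched on and verified from an elevated PowerShell prompt with auditpol.exe. This is an added example, not code from the original article; it assumes auditpol's /r CSV output carries an "Inclusion Setting" column, and that the English subcategory names are in use (they are localized on non-English Windows).

```powershell
# Added example (not from the original article): enable the two Object Access subcategories
# on the local machine with auditpol.exe and confirm the result. Run from an elevated prompt.
# Subcategory names are localized on non-English Windows; the GPO route in the text avoids that.
$Subcategories = @('File Share', 'Detailed File Share')

function Enable-ShareAuditing {
    foreach ($sub in $Subcategories) {
        # Success AND failure: failed attempts are what expose brute force and enumeration.
        & auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "auditpol could not set '$sub' (exit code $LASTEXITCODE)" }
    }
}

function Get-ShareAuditingState {
    # /r emits CSV; the 'Inclusion Setting' column reads e.g. 'Success and Failure' or 'No Auditing'.
    foreach ($sub in $Subcategories) {
        $row = & auditpol.exe /get /subcategory:"$sub" /r | Where-Object { $_.Trim() } | ConvertFrom-Csv
        [pscustomobject]@{
            Subcategory = $sub
            Setting     = $row.'Inclusion Setting'
            Complete    = ($row.'Inclusion Setting' -eq 'Success and Failure')
        }
    }
}

Enable-ShareAuditing
$state = Get-ShareAuditingState
$state | Format-Table -AutoSize
if ($state | Where-Object { -not $_.Complete }) { Write-Warning 'At least one subcategory is not fully audited.' }
```

Re-run Get-ShareAuditingState after a Group Policy refresh to confirm a domain GPO has not overridden the local setting.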
Once auditing is enabled, your security logs will start populating with valuable information. Let’s break down the most important Event IDs and what to look for.
This is your first-line-of-defense log. It’s generated on the first attempt to access a share and logs both success and failure, making it perfect for spotting brute-force attempts. When an attacker uses harvested credentials to map SMB shares, this event will fire.
Key Fields: Account Name, Source IP Address, Share Name, Share Path, Accesses.
Hunting Tips:
Monitor High-Value Shares: Pay close attention to access attempts on critical shares like C$ or SYSVOL on domain controllers.
Watch for External IPs: An access attempt from a public IP address is a major red flag. If you have SMB exposed to the internet (which is highly discouraged), this log is your canary in the coal mine.
Analyze Access Types: The Accesses field tells you what the user tried to do (e.g., ReadData, WriteData). Is a user who normally only reads data suddenly attempting write access?
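The three hunting tips above can be run as one pass over the Security log. This is an added example, not code from the original article; it assumes the standard Windows Event ID 5140 for the share-access event (the article text does not print the ID) and its standard XML field names SubjectUserName, IpAddress, ShareName and AccessMask, with share names logged in the form \\*\<share>.

```powershell
# Added example, not code from the original article. Assumes Event ID 5140 is the Security-log
# "network share object was accessed" event and uses its standard XML field names
# (SubjectUserName, IpAddress, ShareName, AccessMask). Share names are logged as \\*\<share>.
$HighValueShares = @('\\*\C$', '\\*\SYSVOL')   # the shares called out in the text; extend as needed

function ConvertFrom-ShareEvent {
    param($Event)   # one record from Get-WinEvent
    $xml = [xml]$Event.ToXml()
    $d = @{ Time = $Event.TimeCreated; Failed = ($Event.KeywordsDisplayNames -contains 'Audit Failure') }
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]$d
}

function Test-InternalAddress {
    param([string]$Ip)
    # RFC 1918, loopback, link-local, IPv6 ULA/link-local and the '-' placeholder count as internal.
    return (-not $Ip -or $Ip -eq '-' -or $Ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|169\.254\.|::1$|fe80:|f[cd])')
}

function Find-SuspiciousShareAccess {
    param([int]$MaxEvents = 5000, [int]$FailureThreshold = 20)
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5140 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
                ForEach-Object { ConvertFrom-ShareEvent $_ })
    # Per-event checks: high-value share, external source, write/delete intent in the access mask
    foreach ($e in $events) {
        $reasons = @()
        if ($HighValueShares -contains $e.ShareName) { $reasons += 'high-value share' }
        if (-not (Test-InternalAddress $e.IpAddress)) { $reasons += 'external source IP' }
        if ($e.AccessMask -and ([Convert]::ToInt64($e.AccessMask, 16) -band 0x10006)) { $reasons += 'write/delete intent' }  # WriteData|AppendData|DELETE
        if ($reasons) {
            [pscustomobject]@{ Time = $e.Time; Account = $e.SubjectUserName; Ip = $e.IpAddress
                               Share = $e.ShareName; Failed = $e.Failed; Reason = ($reasons -join '; ') }
        }
    }
    # Aggregate check: many failures from one source IP looks like brute force or credential spraying
    $events | Where-Object Failed | Group-Object IpAddress | Where-Object Count -ge $FailureThreshold |
        ForEach-Object { [pscustomobject]@{ Time = $null; Account = '*'; Ip = $_.Name; Share = '*'
                                            Failed = $true; Reason = "$($_.Count) failed accesses from one IP" } }
}

Find-SuspiciousShareAccess | Sort-Object Time | Format-Table -AutoSize
```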
This event is logged upon the successful creation of an object (like a file or folder) on a share. It’s a clear indicator that something new has been placed on your server.
Key Fields: Account Name, Source IP Address, Share Name, Relative Target Name (the file/folder path).
Hunting Tips:
Scrutinize High-Value Locations: Be suspicious of files being created in sensitive directories like C:\Windows\System32 or web server directories (e.g., C:\inetpub\wwwroot). An attacker might be writing a web shell or other malicious tool.
Context is King: Understand what normal looks like in your environment. A new file appearing in a user’s personal share is normal; a new .exe file appearing in a system directory is not.
This event triggers when a file or folder on a share is successfully modified. While it can be noisy, it’s invaluable for detecting unauthorized changes.
Key Fields: Account Name, Source IP Address, Share Name, Share Path. In some cases, it may contain old and new field values for the change.
Hunting Tips:
Focus on folders that should be static. Why would a file on a domain controller’s SYSVOL share be modified by a standard user account?
Correlate with other activity. A modification event followed by other suspicious behavior could be part of a larger attack chain.
Logged on successful object deletion, this event can help you spot an attacker covering their tracks, a malicious insider, or the destructive phase of a ransomware attack.
Key Fields: Account Name, Source IP Address, Share Name, Share Path.
Hunting Tips:
Look for mass deletion events across multiple hosts or from a single account in a short period. This is highly abnormal user behavior.
Monitor for deletions in critical system folders or shares containing backups.
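The mass-deletion tip translates into a sliding-window count of deletion events per account, pooled across several file servers. This is an added example, not code from the original article; it assumes the standard Windows Event ID 5144 for the share-object-deleted event (the article text does not print the ID) and its SubjectUserName, ShareName and ShareLocalPath fields, and that remote log reads are permitted for the caller.

```powershell
# Added example, not code from the original article. Assumes Event ID 5144 is the Security-log
# "network share object was deleted" event with the standard SubjectUserName/ShareName/ShareLocalPath
# fields. Remote collection needs the Remote Event Log Management firewall rule and admin rights.
function Get-ShareDeletions {
    param([string[]]$ComputerName, [datetime]$Since)
    foreach ($c in $ComputerName) {
        $filter = @{ LogName = 'Security'; Id = 5144; StartTime = $Since }
        Get-WinEvent -ComputerName $c -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            $x = [xml]$_.ToXml(); $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{ Host = $c; Time = $_.TimeCreated; Account = "$($d.SubjectUserName)"
                               Share = $d.ShareName; Path = $d.ShareLocalPath }
        }
    }
}

function Find-MassDeletion {
    param([string[]]$ComputerName = @($env:COMPUTERNAME), [int]$Threshold = 25,
          [int]$WindowMinutes = 10, [int]$LookbackHours = 24)
    $deletions = @(Get-ShareDeletions -ComputerName $ComputerName -Since (Get-Date).AddHours(-$LookbackHours))
    # Sliding window per account, pooled across hosts so a spree spread over several servers still shows up
    foreach ($group in ($deletions | Group-Object Account)) {
        $items = @($group.Group | Sort-Object Time)
        $start = 0
        for ($end = 0; $end -lt $items.Count; $end++) {
            while (($items[$end].Time - $items[$start].Time).TotalMinutes -gt $WindowMinutes) { $start++ }
            $count = $end - $start + 1
            if ($count -ge $Threshold) {
                [pscustomobject]@{ Account = $group.Name; Deletions = $count; WindowStart = $items[$start].Time
                                   WindowEnd = $items[$end].Time; Hosts = (($items[$start..$end].Host | Sort-Object -Unique) -join ',') }
                break   # one finding per account is enough to open an investigation
            }
        }
    }
}

Find-MassDeletion | Format-Table -AutoSize
```

Tune Threshold and WindowMinutes against a week of normal activity first; backup rotation jobs and cleanup scripts are the usual sources of benign bursts.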
This is an authentication-related event. It’s generated when an SMB authentication attempt fails because the Service Principal Name (SPN) validation failed. A flood of these events can be a strong indicator of a problem.
Key Fields: Account Name, Source IP Address, Service Name, Error Code.
Hunting Tips:
A high volume of 5168 events from a single source IP can indicate a misconfiguration or an active reconnaissance/brute-force attempt.
Use the error codes to diagnose the “why.” Is the account locked out? Is there a Kerberos issue? This can help you distinguish between a technical glitch and a malicious attack.
This is the most granular and potentially noisiest of the share logs, as it’s generated on every access check for an object within a share, for both success and failure. While it generates a lot of data, its detail is unmatched for deep-dive investigations.
Key Fields: Account Name, Source IP Address, Share Name, Relative Target Name, Accesses, Access Mask.
Hunting Tips:
Hunt for Anomalous Access Patterns: Use this log to baseline normal activity. If a service account that only ever performs Read operations suddenly attempts a Write or Delete, that’s a deviation worth investigating.
Trace Unauthorized Enumeration: Even if an attacker fails to access a file, this log will show they tried. You can spot attackers “walking” your file shares and enumerating directories.
Identify Suspicious Account Usage: Is an administrator account suddenly accessing shares from a user’s workstation instead of a management server? This could be a sign of credential theft.
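The baselining and suspicious-account-usage tips above can be combined: learn which access types and source addresses each account has used over a baseline period, then flag recent events that break that pattern. This is an added example, not code from the original article; it assumes the standard Windows Event ID 5145 for the detailed share access-check event (the article text does not print the ID), its standard field names, and the standard Win32 access-mask bit values for read, write and delete.

```powershell
# Added example, not code from the original article. Assumes Event ID 5145 is the detailed share
# access-check event (fields SubjectUserName, IpAddress, ShareName, RelativeTargetName, AccessMask).
function Get-AccessClass {
    param([string]$HexMask)   # e.g. '0x100080' as it appears in the event XML
    if (-not $HexMask) { return @() }
    $m = [Convert]::ToInt64($HexMask, 16); $classes = @()
    if ($m -band 0x1)     { $classes += 'Read' }    # FILE_READ_DATA / FILE_LIST_DIRECTORY
    if ($m -band 0x6)     { $classes += 'Write' }   # FILE_WRITE_DATA | FILE_APPEND_DATA
    if ($m -band 0x10000) { $classes += 'Delete' }  # DELETE
    return $classes
}

function Get-DetailedShareEvents {
    param([datetime]$Start, [datetime]$End)
    $filter = @{ LogName = 'Security'; Id = 5145; StartTime = $Start; EndTime = $End }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml(); $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{ Time = $_.TimeCreated; Account = "$($d.SubjectUserName)"; Ip = "$($d.IpAddress)"
                           Share = $d.ShareName; Target = $d.RelativeTargetName; Classes = @(Get-AccessClass $d.AccessMask) }
    }
}

function Find-ShareAccessDeviations {
    param([int]$BaselineDays = 30, [int]$RecentHours = 24)
    $now = Get-Date
    # Baseline: the access classes and source IPs each account has used historically
    $baseline = @{}
    foreach ($e in Get-DetailedShareEvents -Start $now.AddDays(-$BaselineDays) -End $now.AddHours(-$RecentHours)) {
        if (-not $baseline.ContainsKey($e.Account)) { $baseline[$e.Account] = @{ Classes = @{}; Ips = @{} } }
        foreach ($c in $e.Classes) { $baseline[$e.Account].Classes[$c] = $true }
        $baseline[$e.Account].Ips[$e.Ip] = $true
    }
    # Recent window: flag anything an account has not done before (new access type or new source host)
    foreach ($e in Get-DetailedShareEvents -Start $now.AddHours(-$RecentHours) -End $now) {
        $b = $baseline[$e.Account]; $reasons = @()
        if (-not $b) { $reasons += 'account absent from baseline' }
        else {
            foreach ($c in $e.Classes) { if (-not $b.Classes[$c]) { $reasons += "new access type: $c" } }
            if (-not $b.Ips[$e.Ip]) { $reasons += "new source IP: $($e.Ip)" }
        }
        if ($reasons) {
            [pscustomobject]@{ Time = $e.Time; Account = $e.Account; Ip = $e.Ip; Share = $e.Share
                               Target = $e.Target; Reason = ($reasons -join '; ') }
        }
    }
}

Find-ShareAccessDeviations | Format-Table -AutoSize
```

An administrator account whose baseline IPs are all management servers and which suddenly appears with a workstation address will surface here with a "new source IP" reason, which is the credential-theft pattern described above.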
Attackers view your network shares as a land of opportunity. By enabling and actively monitoring these Windows Event Logs, you can turn their playground into a minefield. Start by identifying your high-value shares, enabling the right audit policies, and building detections around the anomalous behaviors we’ve discussed. You’ll be better equipped to catch threats early and keep your organization secure.
Insane Cyber © All Rights Reserved 2025