Hunting Malicious File Share Activity: A Deep Dive into Windows Event Logs

Network file shares are the unsung workhorses of many business environments. They’re essential for collaboration and data access, but this utility also makes them a prime target for attackers. From snooping for sensitive data to moving laterally across your network, adversaries frequently exploit file shares as a core part of their operations.

So, how can you fight back? The good news is that you likely already have the tools you need. Buried within Windows are powerful event logs that, when properly configured, can illuminate malicious file share activity. This guide will walk you through why this matters, which logs to enable, and how to use them to hunt for threats.

Why File Share Auditing is a Security Game-Changer

If you look at the MITRE ATT&CK® framework, you’ll see network shares pop up time and time again. They are a veritable watering hole for threat actors, providing a central point to stage attacks, exfiltrate data, and spread malware.

Here are just a few ways attackers leverage them:

• Data Collection: Threat groups like APT28 and Menupass are known to use built-in tools like net use to access and collect data from network drives (MITRE T1039: Data from Network Shared Drive).

• Lateral Movement: The infamous Sandworm team and other groups use protocols like SMB to move malicious tools and files between systems on a network, hopping from one machine to the next.

• Content Tainting: This is a classic ransomware tactic. Groups like Conti will infect files on a shared drive, waiting for unsuspecting users to open them and trigger the malware’s spread across the organization (MITRE T1080: Taint Shared Content). Even the notorious Stuxnet worm used this technique to propagate.

Auditing your file shares is not just a best practice; it’s a critical line of defense for detecting these behaviors early in the attack lifecycle.

Getting Started: How to Enable File Share Auditing

By default, Windows doesn’t log the granular detail we need for effective threat hunting. You have to turn it on. You can do this on a per-machine basis or across your entire domain.

• Local Policy: For a specific server (like a critical file server or domain controller), you can use the Local Security Policy editor (secpol.msc).

• Domain Policy: To apply settings across multiple workstations or servers, you’ll want to configure this in a Group Policy Object (GPO) from a domain controller. This is the most scalable approach for enterprise environments.

Navigate to Advanced Audit Policy Configuration > Object Access and you will find two key subcategories to configure:

1. Audit File Share

2. Audit Detailed File Share

Enabling these will begin generating the powerful event logs we need for our hunt.

A Hunter’s Guide to Key File Share Event IDs

Once auditing is enabled, your security logs will start populating with valuable information. Let’s break down the most important Event IDs and what to look for.

Event ID $5140$: A Network Share was Accessed

This is your first-line-of-defense log. It’s generated on the first attempt to access a share and logs both success and failure, making it perfect for spotting brute-force attempts. When an attacker uses harvested credentials to map SMB shares, this event will fire.

• Key Fields: Account Name, Source IP Address, Share Name, Share Path, Accesses.

• Hunting Tips:

  • Monitor High-Value Shares: Pay close attention to access attempts on critical shares like C$ or SYSVOL on domain controllers.

  • Watch for External IPs: An access attempt from a public IP address is a major red flag. If you have SMB exposed to the internet (which is highly discouraged), this log is your canary in the coal mine.

  • Analyze Access Types: The Accesses field tells you what the user tried to do (e.g., ReadData, WriteData). Is a user who normally only reads data suddenly attempting write access?

Event ID $5142$: A Network Share Object was Added

This event is logged upon the successful creation of an object (like a file or folder) on a share. It’s a clear indicator that something new has been placed on your server.

• Key Fields: Account Name, Source IP Address, Share Name, Relative Target Name (the file/folder path).

• Hunting Tips:

  • Scrutinize High-Value Locations: Be suspicious of files being created in sensitive directories like C:\Windows\System32 or web server directories (e.g., C:\inetpub\wwwroot). An attacker might be writing a web shell or other malicious tool.

  • Context is King: Understand what normal looks like in your environment. A new file appearing in a user’s personal share is normal; a new .exe file appearing in a system directory is not.

Event ID $5143$: A Network Share Object was Modified

This event triggers when a file or folder on a share is successfully modified. While it can be noisy, it’s invaluable for detecting unauthorized changes.

• Key Fields: Account Name, Source IP Address, Share Name, Share Path. In some cases, it may contain old and new field values for the change.

• Hunting Tips:

  • Focus on folders that should be static. Why would a file on a domain controller’s SYSVOL share be modified by a standard user account?

  • Correlate with other activity. A modification event followed by other suspicious behavior could be part of a larger attack chain.

Event ID $5144$: A Network Share Object was Deleted

Logged on successful object deletion, this event can help you spot an attacker covering their tracks, a malicious insider, or the destructive phase of a ransomware attack.

• Key Fields: Account Name, Source IP Address, Share Name, Share Path.

• Hunting Tips:

  • Look for mass deletion events across multiple hosts or from a single account in a short period. This is highly abnormal user behavior.

  • Monitor for deletions in critical system folders or shares containing backups.

Event ID $5168$: SPN Check Failed

This is an authentication-related event. It’s generated when an SMB authentication attempt fails because the Service Principal Name (SPN) validation failed. A flood of these events can be a strong indicator of a problem.

• Key Fields: Account Name, Source IP Address, Service Name, Error Code.

• Hunting Tips:

  • A high volume of $5168$ events from a single source IP can indicate a misconfiguration or an active reconnaissance/brute-force attempt.

  • Use the error codes to diagnose the “why.” Is the account locked out? Is there a Kerberos issue? This can help you distinguish between a technical glitch and a malicious attack.

Event ID $5145$: A Share Object was Checked for Access (Detailed)

This is the most granular and potentially noisiest of the share logs, as it’s generated on every access check for an object within a share, for both success and failure. While it generates a lot of data, its detail is unmatched for deep-dive investigations.

• Key Fields: Account Name, Source IP Address, Share Name, Relative Target Name, Accesses, Access Mask.

• Hunting Tips:

  • Hunt for Anomalous Access Patterns: Use this log to baseline normal activity. If a service account that only ever performs Read operations suddenly attempts a Write or Delete, that’s a deviation worth investigating.

  • Trace Unauthorized Enumeration: Even if an attacker fails to access a file, this log will show they tried. You can spot attackers “walking” your file shares and enumerating directories.

  • Identify Suspicious Account Usage: Is an administrator account suddenly accessing shares from a user’s workstation instead of a management server? This could be a sign of credential theft.

Put Your Knowledge into Action

Attackers view your network shares as a land of opportunity. By enabling and actively monitoring these Windows Event Logs, you can turn their playground into a minefield. Start by identifying your high-value shares, enabling the right audit policies, and building detections around the anomalous behaviors we’ve discussed. You’ll be better equipped to catch threats early and keep your organization secure.