SMB Forensics

Audit Logs

Microsoft-Windows-Security-Auditing

• 5140: A network share object was accessed

• 5142: A network share object was added.

• 5143: A network share object was modified

• 5144: A network share object was deleted.

• 5145: A network share object was checked to see whether client can be granted desired access.

Forensics:

Ways to access file share:

Explorer.exe:

Accessing with Explorer

PowerShell/CMD:

Powershell/CMD

Enumerating:

Enumeration

Enumeration Priv Denied:

get-acl can't access resource

Resource Access Denied:

dir can't access resource

EventIDs:

Every event listed above will trigger a 4624 Windows EventID, even if access is denied.

Username and source IP can be found in the event log.

MISC:

A 4672 logon will occur whenever the account used to access resources is privileged. There will be 2 seperate logon events 4624 and 4672 for the same account. This is has to do with how Windows manages privileged sessions.