SMB Forensics

Audit Logs

Microsoft-Windows-Security-Auditing

  • 5140: A network share object was accessed.

  • 5142: A network share object was added.

  • 5143: A network share object was modified.

  • 5144: A network share object was deleted.

  • 5145: A network share object was checked to see whether client can be granted desired access.

Forensics:

Ways to access file share:

Explorer.exe:

PowerShell/CMD:

Enumerating:

Enumeration Priv Denied:

Resource Access Denied:

EventIDs:

Every event listed above will trigger a 4624 Windows EventID, even if access is denied.

Username and source IP can be found in the event log.

MISC:

A 4672 logon will occur whenever the account used to access resources is privileged. There will be 2 separate logon events, 4624 and 4672, for the same account. This has to do with how Windows manages privileged sessions.
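The EventIDs and MISC notes above describe how share-access events (5140/5145), the 4624 logon and the 4672 privilege assignment tie together; the following added example (not part of the original page) correlates them by logon ID over constructed Security-log records in the exported-XML shape, so an analyst can see for each share access who it was, where it came from, and whether the session was privileged. The sample records, usernames, IPs and logon IDs are all constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _record(event_id, **data):
    # Builds a constructed Security-log record in exported-XML shape (sample data, not real).
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{fields}</EventData></Event>")

# Constructed sample: a privileged network logon (4624 + 4672) that touches an admin share,
# and an ordinary user logon (4624 only) that opens a file on a departmental share.
SAMPLE_RECORDS = [
    _record(4624, TargetUserName="alice", TargetLogonId="0x3e7a9", LogonType="3", IpAddress="10.0.0.5"),
    _record(4672, SubjectUserName="alice", SubjectLogonId="0x3e7a9"),
    _record(5140, SubjectUserName="alice", SubjectLogonId="0x3e7a9", IpAddress="10.0.0.5", ShareName="\\\\*\\ADMIN$"),
    _record(5145, SubjectUserName="alice", SubjectLogonId="0x3e7a9", IpAddress="10.0.0.5", ShareName="\\\\*\\ADMIN$", RelativeTargetName="Temp\\notes.txt", AccessMask="0x12019f"),
    _record(4624, TargetUserName="bob", TargetLogonId="0x4f120", LogonType="3", IpAddress="10.0.0.9"),
    _record(5145, SubjectUserName="bob", SubjectLogonId="0x4f120", IpAddress="10.0.0.9", ShareName="\\\\*\\Finance", RelativeTargetName="reports\\q3.xlsx", AccessMask="0x120089"),
]

def parse_event(xml_text):
    # Returns (EventID, {Data Name: value}) for one exported event record.
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data

def correlate_share_access(records):
    # First pass: index 4624 logons by TargetLogonId and 4672 events by SubjectLogonId.
    parsed = [parse_event(r) for r in records]
    logons, privileged = {}, set()
    for event_id, d in parsed:
        if event_id == 4624:
            logons[d["TargetLogonId"]] = d
        elif event_id == 4672:
            privileged.add(d["SubjectLogonId"])
    # Second pass: every 5140/5145 is joined to its session via SubjectLogonId.
    hits = []
    for event_id, d in parsed:
        if event_id in (5140, 5145):
            logon_id = d["SubjectLogonId"]
            hits.append({
                "event_id": event_id,
                "logon_id": logon_id,
                "user": d.get("SubjectUserName"),
                "source_ip": d.get("IpAddress") or logons.get(logon_id, {}).get("IpAddress"),
                "share": d.get("ShareName"),
                "target": d.get("RelativeTargetName"),  # only present on 5145
                "has_4624": logon_id in logons,          # every share access should have one
                "privileged": logon_id in privileged,    # 4672 seen for this session
            })
    return hits
```

A share access whose logon ID has no matching 4624 in the same log window usually means the log was truncated or the records came from different hosts, which is worth checking before drawing conclusions.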
