Event ID: 5142 - A network share object was added

A network share object was added.

Subject:
    Security ID: %1
    Account Name: %2
    Account Domain: %3
    Logon ID: %4

Share Information:
    Share Name: %5
    Share Path: %6
The "Share Path" should not point to system directories, such as C:\Windows or C:\, or to critical local folders that contain private or high-value information. If the "Share Path" points to one of these locations, it can indicate malicious activity.
Monitor domain controllers and high-value computers for creation of new file shares.
This event is logged when a network share is added / created.
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /subcategory:"File Share"
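A triage sketch for the Share Path guidance above, added here as an example and not part of the original reference page: it flags 5142 records whose Share Path is a drive root, C:\Windows, or a folder on a watch list. The function names, the D:\Finance watch-list entry and the sample records are assumptions constructed for illustration; field positions follow the %1 to %6 template of the event message.

```powershell
# Added example. Watch list: C:\Windows comes from the guidance above;
# D:\Finance is a hypothetical high-value folder, replace with your own.
$WatchList = @('C:\Windows', 'D:\Finance')

function Test-RiskySharePath {
    param([string]$SharePath, [string[]]$Roots = $WatchList)
    # Strip an NT-style \??\ prefix if present, then any trailing backslash.
    $p = ($SharePath -replace '^\\\?\?\\', '').TrimEnd('\')
    if ($p -match '^[A-Za-z]:$') { return 'drive root' }
    foreach ($r in $Roots) {
        $root = $r.TrimEnd('\')
        # Match the folder itself or anything beneath it, case-insensitively.
        if ($p -ieq $root -or
            $p.StartsWith("$root\", [System.StringComparison]::OrdinalIgnoreCase)) {
            return "under $root"
        }
    }
    return $null
}

function Select-RiskyShareCreation {
    param([Parameter(ValueFromPipeline)]$Record)
    process {
        # Positions follow the event template: %2 account, %3 domain,
        # %5 share name, %6 share path (zero-based indexes 1, 2, 4, 5).
        $v = @($Record.Properties | ForEach-Object { $_.Value })
        $reason = Test-RiskySharePath -SharePath ([string]$v[5])
        if ($reason) {
            [pscustomobject]@{ TimeCreated = $Record.TimeCreated; Account = '{0}\{1}' -f $v[2], $v[1]
                               ShareName = $v[4]; SharePath = $v[5]; Reason = $reason }
        }
    }
}

# Constructed sample records shaped like Get-WinEvent output (not real log data).
function New-SampleRecord([string]$Account, [string]$Share, [string]$Path) {
    $values = 'S-1-5-21-0-0-0-1001', $Account, 'EXAMPLE', '0x3e7', $Share, $Path
    [pscustomobject]@{ TimeCreated = Get-Date
                       Properties  = @($values | ForEach-Object { [pscustomobject]@{ Value = $_ } }) }
}
$samples = ('\\*\Docs', 'C:\Shares\Docs'), ('\\*\CROOT', 'C:\'), ('\\*\Sys', 'c:\windows\System32') |
    ForEach-Object { New-SampleRecord 'bob' $_[0] $_[1] }
$samples | Select-RiskyShareCreation | Format-Table -AutoSize   # flags CROOT and Sys, not Docs

# Live use (elevated session, File Share auditing enabled as checked above):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5142 } | Select-RiskyShareCreation
```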