EventPeeker
Event ID 5140 · Audit Success · Security · T1039

Windows Event ID 5140: Network Share Accessed

Logged when a network share is accessed. Captures who accessed which share and from where.

MITRE ATT&CK

Technique

T1039 · Data from Network Shared Drive

Tactic

Collection


Why It Matters

Lateral movement often involves accessing admin shares (C$, ADMIN$, IPC$) or file shares for data staging. Mass access to shares from a single host in a short period can indicate ransomware crawling the network.

Key Fields

Share Name: Which share was accessed — C$ and ADMIN$ are high-value targets
Source Address: The client IP accessing the share
Account Name: The authenticated account

Investigation Tips

  1. C$ and ADMIN$ access from a non-admin workstation is always suspicious.
  2. High volume of share access events from one source in a short time is a ransomware lateral movement indicator.
  3. Correlate with 4624 Type 3 (network logon) to see the auth event that preceded the share access.
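
The three tips above as triage logic, in an added example that is not EventPeeker's code. It assumes 5140 and 4624 records are already parsed into dicts with the hypothetical keys `id`, `time`, `src`, `account`, `share` and `logon_type`; the admin-host list, thresholds and sample events are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_SHARES = {"C$", "ADMIN$"}           # shares the tips call out
ADMIN_HOSTS = {"10.0.0.5"}                # assumption: known admin workstations
BURST_COUNT, BURST_WINDOW = 5, timedelta(seconds=60)  # assumed thresholds
LOGON_LOOKBACK = timedelta(seconds=30)    # assumed max gap from 4624 to 5140

def share_name(ev):
    # Accepts "C$" or the \\*\C$ form; keeps only the final component.
    return ev["share"].rsplit("\\", 1)[-1].upper()

def preceding_logon(ev, logons):
    # Tip 3: latest 4624 Type 3 from the same source and account just before.
    for lg in reversed(logons):
        gap = ev["time"] - lg["time"]
        same = (lg["src"], lg["account"]) == (ev["src"], ev["account"])
        if same and timedelta(0) <= gap <= LOGON_LOOKBACK:
            return lg["time"]
    return None

def triage(events):
    events = sorted(events, key=lambda e: e["time"])
    logons = [e for e in events if e["id"] == 4624 and e.get("logon_type") == 3]
    findings, recent, bursting = [], defaultdict(list), set()
    for ev in (e for e in events if e["id"] == 5140):
        src, t = ev["src"], ev["time"]
        # Tip 1: C$ / ADMIN$ reached from a host that is not an admin workstation.
        if share_name(ev) in ADMIN_SHARES and src not in ADMIN_HOSTS:
            findings.append(("admin_share", src, ev["account"],
                             share_name(ev), preceding_logon(ev, logons)))
        # Tip 2: sliding window of 5140 events per source; report once per source.
        recent[src] = [x for x in recent[src] if t - x <= BURST_WINDOW] + [t]
        if len(recent[src]) >= BURST_COUNT and src not in bursting:
            bursting.add(src)
            findings.append(("share_burst", src, len(recent[src])))
    return findings

T0 = datetime(2024, 1, 1, 9, 0, 0)        # constructed sample data below
def mk(eid, sec, src, account, **kw):
    return {"id": eid, "time": T0 + timedelta(seconds=sec),
            "src": src, "account": account, **kw}

SAMPLE = [
    mk(4624, 0, "10.0.0.23", "jsmith", logon_type=3),
    mk(5140, 2, "10.0.0.23", "jsmith", share=r"\\*\C$"),
    mk(5140, 5, "10.0.0.5", "admin1", share=r"\\*\ADMIN$"),
] + [mk(5140, 20 + i, "10.0.0.40", "svc_backup", share=rf"\\*\Dept{i}")
     for i in range(6)]
```

`triage(SAMPLE)` returns one `admin_share` finding carrying the time of the matching network logon and one `share_burst` finding; the ADMIN$ access from the listed admin workstation is not reported.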

Related Event IDs

5145: Network share object access check
4624: Network logon that preceded the share access
