EventPeeker
Event ID 5140 · Audit Success · Security · T1039

Windows Event ID 5140: Network Share Accessed

Logged when a network share is accessed. Captures who accessed which share and from where.

MITRE ATT&CK

Technique: T1039 · Data from Network Shared Drive

Tactic: Collection

Why It Matters

Lateral movement often involves accessing admin shares (C$, ADMIN$, IPC$) or file shares for data staging. Mass access to shares from a single host in a short period can indicate ransomware crawling the network.

Key Fields

Share Name: Which share was accessed — C$ and ADMIN$ are high-value targets
Source Address: The client IP accessing the share
Account Name: The authenticated account

Investigation Tips

  1. C$ and ADMIN$ access from a non-admin workstation is always suspicious.
  2. High volume of share access events from one source in a short time is a ransomware lateral movement indicator.
  3. Correlate with 4624 Type 3 (network logon) to see the auth event that preceded the share access.
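
The three tips above applied to parsed events, as an added Python example that is not EventPeeker's own code. The dict keys follow the EventData field names of events 5140 and 4624; the sample records, the admin-host allowlist and the window and threshold values are constructed assumptions.

```python
from collections import defaultdict

ADMIN_SHARES = {"C$", "ADMIN$"}

def triage_5140(events, admin_hosts, window_s=60, threshold=5):
    """Return (rule, source_ip, detail) findings for the three tips above."""
    # Tip 3: index 4624 Type 3 logons by logon ID so a share access can be
    # tied back to the authentication that preceded it.
    logons = {e["TargetLogonId"]: e for e in events
              if e["EventID"] == 4624 and e["LogonType"] == 3}
    findings, by_src = [], defaultdict(list)
    for e in sorted((e for e in events if e["EventID"] == 5140),
                    key=lambda e: e["Time"]):
        share = e["ShareName"].rsplit("\\", 1)[-1].upper()  # \\*\C$ -> C$
        src = e["IpAddress"]
        by_src[src].append(e["Time"])
        # Tip 1: admin share reached from a host not on the admin allowlist.
        if share in ADMIN_SHARES and src not in admin_hosts:
            logon = logons.get(e["SubjectLogonId"])
            auth = (f"4624 type 3 at t={logon['Time']}" if logon
                    else "no matching 4624")
            findings.append(("admin_share", src,
                             f"{e['SubjectUserName']} -> {share} ({auth})"))
    # Tip 2: sliding window over each source's access times.
    for src, times in by_src.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_s:
                start += 1
            n = end - start + 1
            if n >= threshold:
                findings.append(("share_sweep", src,
                                 f"{n} events within {window_s}s"))
                break
    return findings

def ev5140(t, share, src, user, lid):  # builds one constructed 5140 record
    return {"EventID": 5140, "Time": t, "ShareName": "\\\\*\\" + share,
            "IpAddress": src, "SubjectUserName": user, "SubjectLogonId": lid}

# Constructed sample events (not real logs); Time is seconds from an arbitrary start.
SAMPLE = [
    {"EventID": 4624, "Time": 100, "LogonType": 3, "TargetLogonId": "0x1a2b",
     "IpAddress": "10.0.0.23", "TargetUserName": "jdoe"},
    ev5140(101, "ADMIN$", "10.0.0.23", "jdoe", "0x1a2b"),
    ev5140(150, "C$", "10.0.0.5", "admin1", "0x2000"),
] + [ev5140(200 + i * 5, f"Share{i}", "10.0.0.50", "svc", "0x3000") for i in range(6)]

if __name__ == "__main__":
    print(*triage_5140(SAMPLE, admin_hosts={"10.0.0.5"}), sep="\n")
```
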

Seeing Event ID 5140 in your own logs? Upload an .evtx file — EventPeeker flags network share access automatically, maps it to MITRE ATT&CK, and writes the triage report. No account, files auto-deleted.

Related Event IDs

5145: Network share object access check
4624: Network logon that preceded the share access

Go deeper: the full PsExec & Remote Execution — Lateral Movement via Admin Shares guide

Builds on this page with the attack chain, step-by-step investigation, immediate containment actions, KQL/Sigma detection queries, and an annotated example log.