top of page

Network Share Object Modification - Anomaly Detection with 5143 Event ID

Updated: Feb 7

Understanding Event ID 5143 Anomaly Detection and Security Identifiers (SIDs):

Event ID 5143 stands as a pivotal beacon, activated with each modification to a network share object. This event plays a critical role in identifying alterations to file permissions, irrespective of whether they are initiated by legitimate users or potential malicious actors.

Security Identifiers (SIDs): Functioning as a unique and immutable identifier, a Security Identifier (SID) serves as the digital fingerprint for users, user groups, or other security principles. Much like a national identification number, it confers a distinct digital identity. For instance:

  • Example SID: S-1-5-21-40882390-58657388-3385413796-500

  • The "S" is indicative of a SID.

  • "S-1-5" signifies NT Authority, representing an Authority-type SID with nuanced meanings.

  • "21-40882390-58657388-3385413796" represents the domain.

  • "500" holds significance, pointing to Administrator status. Various values like 501 for Guest, 512 for domain admin, and 513 for domain user exist, each delineating unique roles.

Understanding Event ID 5143 in File Permission Changes

"Event ID 5143 surfaces when file permission modifications occur, particularly spotlighting changes in critical files. This event provides a nuanced lens into alterations within specific files deemed crucial for our operations.

Within the 5143 log, key elements include:

  1. Account Name:

  • The user executing the action is identified in the 'Account name' section.

  1. Share Name:

  • This designates the modified object, shedding light on the specific file undergoing changes.

  1. Share Path:

  • Reveals the directory where the object resides, providing contextual information on the file's location.

  1. OLD SID and NEW SID:

  • These values are instrumental in understanding the evolution of permissions.

  • OLD SID reflects the historical permission set associated with the user account or domain.

  • NEW SID signifies alterations made to permissions, showcasing the modified access rights.

The SID value found at the end, represented as (A;;FA;;;WD), holds critical insights:

  • "A": Grants universal access.

  • "FA": Bestows Full Access rights.

  • "WD": Provides permission to change permissions.

This configuration indicates potential malevolent activity where an attacker might tamper with file permissions. In the prelude to an attack, malicious software often tweaks specific permissions, attempting to propagate through the network.

Analyzing the values post-SID in the log becomes imperative:

  • Identify any anomalies or patterns in the post-SID values.

  • Evaluate these against established company security policies or any perspectives that deviate from standard security practices.

In situations where the observed values contradict security policies or established security perspectives, prompt action is essential. Taking corrective measures becomes crucial to maintaining the integrity and security of critical files. Vigilant analysis and proactive responses to such file permission modifications contribute significantly to a robust cybersecurity posture.

38 views0 comments


bottom of page