Shared folders are a common vector for lateral movement and for obtaining insufficiently protected material such as manuals, configuration files and similar data; if a high-privilege password is obtained, the attacker can even reach the whole C: drive through //xxxx.xxxx.xxxx.xxxx/c$.
In the Security event log only a LogonType 3 NTLM logon shows up, with no distinctive signature:
Id TimeCreated LogonType AdditionalInfo
-- ----------- --------- --------------
4624 9/23/2024 9:37:19 PM 3 NTLM
4672 9/23/2024 9:37:19 PM
4672 9/23/2024 9:37:19 PM
4776 9/23/2024 9:37:19 PM
4776 9/23/2024 9:37:09 PM
4776 9/23/2024 9:37:09 PM
4624 9/23/2024 9:36:48 PM 3 NTLM
4672 9/23/2024 9:36:48 PM
4672 9/23/2024 9:36:48 PM
4776 9/23/2024 9:36:48 PM
Looking at the log from 09:35 to 09:38, Event IDs 5140 and 5145 are what identify the share access.
Sysmon with this configuration file produced no log entries at all:
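As an added example (not part of the original note), the following Python script shows how those two event IDs turn a non-distinctive 4624 into an alert: it parses Security events in the XML shape that `wevtutil qe Security /f:xml` exports, flags 5140/5145 records whose ShareName is an administrative share (C$, ADMIN$), and ties each hit to the LogonType 3 / NTLM 4624 that preceded it from the same source IP. All records, user names, IPs and paths are constructed for the example; the EventData field names are the real ones.

```python
"""
Added example (not from the original note): parse Windows Security events in
their exported XML form, flag 5140/5145 access to administrative shares, and
correlate each hit with the 4624 LogonType 3 / NTLM logon from the same IP.
All sample records below are constructed.
"""
from datetime import datetime, timedelta
from xml.etree import ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
ADMIN_SHARES = {"C$", "ADMIN$"}

# Constructed records: (EventID, TimeCreated, EventData). Field names match the
# real events; every value is invented for the example.
SAMPLE = [
    ("4624", "2024-09-23T21:36:48", {"TargetUserName": "svc_backup", "LogonType": "3",
                                     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.25"}),
    ("4672", "2024-09-23T21:36:48", {"SubjectUserName": "svc_backup"}),
    ("5140", "2024-09-23T21:36:49", {"SubjectUserName": "svc_backup", "ShareName": r"\\*\C$",
                                     "IpAddress": "10.0.0.25"}),
    ("5145", "2024-09-23T21:36:50", {"SubjectUserName": "svc_backup", "ShareName": r"\\*\C$",
                                     "RelativeTargetName": r"Users\admin\Documents\notes.txt",
                                     "IpAddress": "10.0.0.25"}),
    ("5145", "2024-09-23T21:37:19", {"SubjectUserName": "alice", "ShareName": r"\\*\Public",
                                     "RelativeTargetName": "report.docx", "IpAddress": "10.0.0.31"}),
]


def to_xml(event_id, time_created, data):
    """Render one record in the namespaced XML form the Security log exports."""
    items = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{time_created}"/></System>'
            f'<EventData>{items}</EventData></Event>')


def parse_event(xml_text):
    """Flatten System/EventID, System/TimeCreated and every EventData/Data into a dict."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    stamp = system.find("e:TimeCreated", NS).get("SystemTime")
    # Real exports carry seven fractional digits and a trailing Z; whole seconds are enough here.
    ev = {"id": system.find("e:EventID", NS).text, "time": datetime.fromisoformat(stamp[:19])}
    for d in root.findall("e:EventData/e:Data", NS):
        ev[d.get("Name")] = d.text or ""
    return ev


def share_name(share):
    """'\\\\*\\C$' -> 'C$' (the log writes the server part as '*')."""
    return share.rsplit("\\", 1)[-1].upper()


def admin_share_alerts(events, window=timedelta(seconds=120)):
    """One alert per 5140/5145 on an admin share, with the correlated NTLM network logon."""
    logons = [e for e in events if e["id"] == "4624" and e.get("LogonType") == "3"
              and e.get("AuthenticationPackageName") == "NTLM"]
    alerts = []
    for e in events:
        if e["id"] not in ("5140", "5145") or share_name(e.get("ShareName", "")) not in ADMIN_SHARES:
            continue
        prior = [l for l in logons if l.get("IpAddress") == e.get("IpAddress")
                 and timedelta(0) <= (e["time"] - l["time"]) <= window]
        alerts.append({"event": e["id"], "time": e["time"].isoformat(),
                       "user": e.get("SubjectUserName"), "source": e.get("IpAddress"),
                       "share": e.get("ShareName"), "target": e.get("RelativeTargetName", ""),
                       "logon": prior[-1].get("TargetUserName") if prior else None})
    return alerts


def analyze_sample():
    """Run the detection over the constructed records."""
    return admin_share_alerts([parse_event(to_xml(*r)) for r in SAMPLE])


if __name__ == "__main__":
    for alert in analyze_sample():
        print(alert)
```

The 4672 and 4776 events in the listing above are deliberately ignored: they repeat for every privileged logon and carry no share information, so the correlation key is the pair of source IP and a short time window, with 5145's RelativeTargetName giving the file that was actually touched.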
https://github.com/olafhartong/sysmon-modular?tab=readme-ov-file
In the packet capture the authentication runs over port 445 with SMB2, and two things are visible: (1) the account and credentials and (2) the share path.
Use file access auditing to record user access:
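To show where the share path sits in that traffic, here is an added Python example (not from the original note and not a real capture) that parses the SMB2 header and the TREE_CONNECT request body from a direct-TCP (port 445) payload and classifies the share as administrative or not. The packets are built inline by a small helper so the parser can be exercised offline; the account name itself travels in the SESSION_SETUP security buffer (NTLMSSP), which this example recognises by command but does not decode.

```python
"""
Added example (not part of the original note): minimal SMB2 header and
TREE_CONNECT parser for classifying share access seen on TCP/445.
Sample messages are constructed inline; no capture file is read.
"""
import re
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
# Fields after the 4-byte ProtocolId: StructureSize, CreditCharge, Status, Command,
# CreditRequest, Flags, NextCommand, MessageId, Reserved, TreeId, SessionId, Signature
SMB2_HEADER_FMT = "<HHIHHIIQIIQ16s"
SMB2_COMMANDS = {0x0000: "NEGOTIATE", 0x0001: "SESSION_SETUP", 0x0002: "LOGOFF",
                 0x0003: "TREE_CONNECT", 0x0004: "TREE_DISCONNECT", 0x0005: "CREATE"}
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001   # set on responses
# Drive shares (C$, D$, ...) plus ADMIN$ and IPC$ are the administrative shares.
ADMIN_SHARE_RE = re.compile(r"^(?:[A-Z]\$|ADMIN\$|IPC\$)$")


def strip_direct_tcp(payload):
    """Remove the 4-byte length prefix (0x00 + 24-bit length) used on port 445."""
    if len(payload) < 4 or payload[0] != 0:
        raise ValueError("not a direct-TCP SMB message")
    length = int.from_bytes(payload[1:4], "big")
    return payload[4:4 + length]


def parse_header(msg):
    """Return the header fields a detection needs, or None if this is not SMB2."""
    if len(msg) < SMB2_HEADER_LEN or msg[:4] != SMB2_MAGIC:
        return None
    f = struct.unpack_from(SMB2_HEADER_FMT, msg, 4)
    return {"command": SMB2_COMMANDS.get(f[3], hex(f[3])),
            "is_response": bool(f[5] & SMB2_FLAGS_SERVER_TO_REDIR),
            "message_id": f[7], "tree_id": f[9], "session_id": f[10]}


def parse_tree_connect_path(msg):
    """TREE_CONNECT request: StructureSize(9), Flags, PathOffset, PathLength, Buffer.
    PathOffset is counted from the start of the SMB2 header; the path is UTF-16LE."""
    structure_size, _flags, path_offset, path_length = struct.unpack_from("<HHHH", msg, SMB2_HEADER_LEN)
    if structure_size != 9:
        raise ValueError("unexpected TREE_CONNECT structure size")
    return msg[path_offset:path_offset + path_length].decode("utf-16-le")


def inspect_smb2(tcp_payload):
    """Classify one SMB2 message; TREE_CONNECT requests get path/share/admin_share added."""
    msg = strip_direct_tcp(tcp_payload)
    hdr = parse_header(msg)
    if hdr is None:
        return None
    if hdr["command"] == "TREE_CONNECT" and not hdr["is_response"]:
        path = parse_tree_connect_path(msg)
        share = path.rsplit("\\", 1)[-1].upper()
        hdr.update(path=path, share=share, admin_share=bool(ADMIN_SHARE_RE.match(share)))
    return hdr


def build_tree_connect(path, session_id=0x1122334455667788, message_id=3):
    """Constructed TREE_CONNECT request used only to exercise the parser."""
    encoded = path.encode("utf-16-le")
    header = SMB2_MAGIC + struct.pack(SMB2_HEADER_FMT, SMB2_HEADER_LEN, 1, 0, 0x0003, 1, 0, 0,
                                      message_id, 0, 0, session_id, bytes(16))
    body = struct.pack("<HHHH", 9, 0, SMB2_HEADER_LEN + 8, len(encoded)) + encoded
    return header + body


def wrap_direct_tcp(msg):
    """Prefix a message the way it appears on the wire on port 445."""
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


if __name__ == "__main__":
    for p in (r"\\10.0.0.5\C$", r"\\10.0.0.5\Public"):
        print(inspect_smb2(wrap_direct_tcp(build_tree_connect(p))))
```

Because the SMB2 header is signed but not encrypted in the default SMB 3.x dialect negotiation, the TREE_CONNECT path is readable in a capture taken at the server or a network tap; if SMB encryption is enforced, only the header survives in clear and this view is lost, which is one more reason to rely on the 5140/5145 audit events on the host.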
https://docs.aws.amazon.com/zh_tw/fsx/latest/WindowsGuide/file-access-auditing.html
EVID 5140, 5142-5145 : Network Share Was Accessed (XML - Security)
https://docs.logrhythm.com/devices/docs/evid-5140-5142-5145-network-share-was-accessed-xml