A network share object was checked to see whether client can be granted desired access
Detailed file access check over SMB (`Relative Target Name` filename accessed on share).
Event ID 5145 provides granular, exact visibility into SMB network share activity. While Event 5140 logs connecting to the root share, Event 5145 records every specific file or named pipe opened within that share (`Relative Target Name`). For instance, accessing `\\Server\IPC$` with `Relative Target Name: svcctl` or `winreg` indicates remote service manipulation (`PsExec`) or remote registry editing.
Failure Reason / Root Cause:
Remote file reads over SMB, or named pipe access (`svcctl`, `samr`, `lsarpc`, `srvsvc`) during lateral movement reconnaissance.
Raw Event XML snippet
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5145</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2026-07-17T09:54:44.935Z" />
<EventRecordID>1048576</EventRecordID>
<Correlation />
<Execution ProcessID="612" ThreadID="1024" />
<Channel>Security</Channel>
<Computer>DC01.enterprise.internal</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">SYSTEM</Data>
<Data Name="SubjectDomainName">NT AUTHORITY</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<!-- Event telemetry fields specific to A network share object was checked to see whether client can be granted desired access -->
</EventData>
</Event>MITRE ATT&CK mapping
| ID | Technique | Tactic |
|---|---|---|
T1021.002 | Remote Services: SMB/Windows Admin Shares | Lateral Movement |
T1018 | Remote System Discovery | Discovery |
Recommended actions
- Monitor Event 5145 where `Relative Target Name` matches critical named pipes (`svcctl`, `atsvc`, `epmapper`, `samr`, `lsarpc`).
- Alert on rapid sequential 5145 file reads across thousands of files (`ransomware network encryption or mass exfiltration indicator`).