I have an application in Machine A which needs to monitor the remote process accessing my shared drive or modifying items in the shared drive. Is there a possibility to know the process name or hash of the remote process from Machine A? I was trying with procmon to see if the utility gets it; it was showing as a local system process. I did not see the actual remote process name. Is it possible to get the data? Is there a way?
Is it possible? Sure, just have some agent on every system that can access the local system remotely. What you have access to on the local system is pretty much limited to the SID of the account being used.
Could you elaborate more? Currently I keep monitoring the shared drive. However, all I could get is the IP address of the remote machine modifying the contents. I don’t get the name of the remote process modifying it.
You may be expecting too much. Remember that the only communication between the two systems is the SMB protocol, which was designed to transfer sectors of files. Your system has no visibility into the other system at all – all you get is whatever came in the SMB packets. You get a SID, but no other identifying information.
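To make the point concrete, here is an added example (not from the thread) that parses two constructed Windows Security event 5145 records, the kind a file server writes when Detailed File Share auditing is enabled, and groups them by client address and SID. It assumes the standard 5145 field names; the SID, address, share and file names are invented, and the point is that no field in these records names the client process.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed sample: two Security event 5145 records (Detailed File Share auditing)
# as the file server logs them. Field names follow the real 5145 schema; the SID,
# client address, share and paths are invented for this example.
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>5145</EventID></System><EventData>
 <Data Name="SubjectUserSid">S-1-5-21-1111-2222-3333-1105</Data><Data Name="IpAddress">192.0.2.25</Data>
 <Data Name="ShareName">\\\\*\\Finance</Data><Data Name="RelativeTargetName">Q3\\budget.xlsx</Data><Data Name="AccessMask">0x2</Data>
</EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>5145</EventID></System><EventData>
 <Data Name="SubjectUserSid">S-1-5-21-1111-2222-3333-1105</Data><Data Name="IpAddress">192.0.2.25</Data>
 <Data Name="ShareName">\\\\*\\Finance</Data><Data Name="RelativeTargetName">Q3\\old_budget.xlsx</Data><Data Name="AccessMask">0x10000</Data>
</EventData></Event>
</Events>"""

# Subset of the standard file access mask bits that 5145 reports.
ACCESS_BITS = {0x1: "ReadData", 0x2: "WriteData", 0x4: "AppendData", 0x10000: "DELETE"}

def decode_access(mask_hex):
    mask = int(mask_hex, 16)
    return [name for bit, name in ACCESS_BITS.items() if mask & bit]

def parse_events(xml_text):
    """Yield one {field name: value} dict per 5145 event."""
    for ev in ET.fromstring(xml_text).iter(NS + "Event"):
        if ev.findtext(f"{NS}System/{NS}EventID") == "5145":
            yield {d.get("Name"): d.text for d in ev.iter(NS + "Data")}

def summarize_share_access(xml_text):
    """What the server can attribute: per (client IP, SID), the share-relative
    paths touched and the access rights requested. Nothing identifies the client process."""
    summary = defaultdict(list)
    for ev in parse_events(xml_text):
        key = (ev["IpAddress"], ev["SubjectUserSid"])
        summary[key].append((ev["RelativeTargetName"], decode_access(ev["AccessMask"])))
    return dict(summary)

def logged_fields(xml_text):
    """Field names actually present in the records (no ProcessName, no hash)."""
    return {name for ev in parse_events(xml_text) for name in ev}

if __name__ == "__main__":
    for (ip, sid), ops in summarize_share_access(SAMPLE_EVENTS).items():
        print(f"{ip} as {sid}: {ops}")
    print("client process name available:", "ProcessName" in logged_fields(SAMPLE_EVENTS))
```

Correlating the client address and SID from these records with an endpoint agent's own process log on the remote machine is the only way to recover the process identity, which is the agent approach suggested above.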