First time here? Check out the FAQ!
THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
Ask Your Question
0

How to find what user accessed \\computerName\Folder?

Hello guys,

I am trying to figure out how to find who accessed my share folder if I take traces on destination machine. I can see smb2 with what was accessed on the local server but not who did access.

thanks, SunMan

SunMan's avatar
7
SunMan
asked 2019-07-11 16:04:54 +0000
edit flag offensive 0 remove flag close merge delete

Comments

add a comment see more comments

1 Answer

1

Hi SunMan,

If you captured the session setup, you should be able to see the username used to connect to the share.

I suggest trying the simple display filter smb2.acct

It should display all SMB2 packets where the session ID shows the Account field.

You can even apply this field as a column to help you sort out the information.

Hope that helps.

Cheers,

JFD

Spooky's avatar
191
Spooky
answered 2019-07-11 23:59:34 +0000
edit flag offensive 0 remove flag delete link
more

Comments

add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer