{"id":17942,"date":"2020-02-04T15:05:26","date_gmt":"2020-02-04T07:05:26","guid":{"rendered":"http:\/\/4563.org\/?p=17942"},"modified":"2020-02-04T15:05:26","modified_gmt":"2020-02-04T07:05:26","slug":"%e5%a4%a7%e5%a9%b6%e4%bb%ac%e5%b8%ae%e5%bf%99%e5%88%86%e6%9e%90%e4%b8%8b%e8%bf%99%e4%b8%aa%e6%97%a5%e5%bf%97%e5%91%97-%e6%9c%89%e7%82%b9%e6%85%8c","status":"publish","type":"post","link":"http:\/\/4563.org\/?p=17942","title":{"rendered":"\u5927\u5a76\u4eec\u5e2e\u5fd9\u5206\u6790\u4e0b\u8fd9\u4e2a\u65e5\u5fd7\u5457 \u6709\u70b9\u614c"},"content":{"rendered":"\n

\t\t\t\t\tlna<\/strong> \t\t\t\t\u5927\u4f6c\u6709\u8bdd\u8bf4 : \t<\/p>\n

\u5927\u5a76\u4eec\u5e2e\u5fd9\u5206\u6790\u4e0b\u8fd9\u4e2a\u65e5\u5fd7\u5457 \u6709\u70b9\u614c<\/h3>\n

\t\t\u8fd9\u4e2a\u662f\u4ec0\u4e48\u767b\u9646\u5440\uff1f\u662f\u4e0d\u662f\u88ab\u5165\u4fb5\u4e86\uff1f<\/p>\n

\u65e5\u5fd7\u540d\u79f0:          Security
\u6765\u6e90:            Microsoft-Windows-Security-Auditing
\u65e5\u671f:            2020\/2\/4 11:08:05
\u4e8b\u4ef6 ID:         4624
\u4efb\u52a1\u7c7b\u522b:          \u767b\u5f55
\u7ea7\u522b:            \u4fe1\u606f
\u5173\u952e\u5b57:         \u5ba1\u6838\u6210\u529f
\u7528\u6237:            \u6682\u7f3a
\u8ba1\u7b97\u673a:         WIN-1GIDUT4AGV9
\u63cf\u8ff0:
\u5df2\u6210\u529f\u767b\u5f55\u5e10\u6237\u3002<\/p>\n

\u4f7f\u7528\u8005:
        \u5b89\u5168 ID:                SYSTEM
        \u5e10\u6237\u540d:                WIN-1GIDUT4AGV9$
        \u5e10\u6237\u57df:                WORKGROUP
        \u767b\u5f55 ID:                0x3E7<\/p>\n

\u767b\u5f55\u7c7b\u578b:                        5<\/p>\n

\u6a21\u62df\u7ea7\u522b:                \u6a21\u62df<\/p>\n

\u65b0\u767b\u5f55:
        \u5b89\u5168 ID:                SYSTEM
        \u5e10\u6237\u540d:                SYSTEM
        \u5e10\u6237\u57df:                NT AUTHORITY
        \u767b\u5f55 ID:                0x3E7
        \u767b\u5f55 GUID:                {00000000-0000-0000-0000-000000000000}<\/p>\n

\u8fdb\u7a0b\u4fe1\u606f:
        \u8fdb\u7a0b ID:                0x2ac
        \u8fdb\u7a0b\u540d:                C:WindowsSystem32services.exe<\/p>\n

\u7f51\u7edc\u4fe1\u606f:
        \u5de5\u4f5c\u7ad9\u540d:        –
        \u6e90\u7f51\u7edc\u5730\u5740:        –
        \u6e90\u7aef\u53e3:                –<\/p>\n

\u8be6\u7ec6\u8eab\u4efd\u9a8c\u8bc1\u4fe1\u606f:
        \u767b\u5f55\u8fdb\u7a0b:                Advapi
        \u8eab\u4efd\u9a8c\u8bc1\u6570\u636e\u5305:        Negotiate
        \u4f20\u9012\u7684\u670d\u52a1:        –
        \u6570\u636e\u5305\u540d(\u4ec5\u9650 NTLM):        –
        \u5bc6\u94a5\u957f\u5ea6:                0<\/p>\n

\u521b\u5efa\u767b\u5f55\u4f1a\u8bdd\u540e\uff0c\u5728\u88ab\u8bbf\u95ee\u7684\u8ba1\u7b97\u673a\u4e0a\u751f\u6210\u6b64\u4e8b\u4ef6\u3002<\/p>\n

\u201c\u4f7f\u7528\u8005\u201d\u5b57\u6bb5\u6307\u660e\u672c\u5730\u7cfb\u7edf\u4e0a\u8bf7\u6c42\u767b\u5f55\u7684\u5e10\u6237\u3002\u8fd9\u901a\u5e38\u662f\u4e00\u4e2a\u670d\u52a1(\u4f8b\u5982 Server \u670d\u52a1)\u6216\u672c\u5730\u8fdb\u7a0b(\u4f8b\u5982 Winlogon.exe \u6216 Services.exe)\u3002<\/p>\n

\u201c\u767b\u5f55\u7c7b\u578b\u201d\u5b57\u6bb5\u6307\u660e\u53d1\u751f\u7684\u767b\u5f55\u79cd\u7c7b\u3002\u6700\u5e38\u89c1\u7684\u7c7b\u578b\u662f 2 (\u4ea4\u4e92\u5f0f)\u548c 3 (\u7f51\u7edc)\u3002<\/p>\n

\u201c\u65b0\u767b\u5f55\u201d\u5b57\u6bb5\u6307\u660e\u65b0\u767b\u5f55\u662f\u4e3a\u54ea\u4e2a\u5e10\u6237\u521b\u5efa\u7684\uff0c\u5373\u767b\u5f55\u7684\u5e10\u6237\u3002<\/p>\n

\u201c\u7f51\u7edc\u201d\u5b57\u6bb5\u6307\u660e\u8fdc\u7a0b\u767b\u5f55\u8bf7\u6c42\u6765\u81ea\u54ea\u91cc\u3002\u201c\u5de5\u4f5c\u7ad9\u540d\u201d\u5e76\u975e\u603b\u662f\u53ef\u7528\uff0c\u800c\u4e14\u5728\u67d0\u4e9b\u60c5\u51b5\u4e0b\u53ef\u80fd\u4f1a\u7559\u4e3a\u7a7a\u767d\u3002<\/p>\n

\u6a21\u62df\u7ea7\u522b\u5b57\u6bb5\u6307\u660e\u767b\u5f55\u4f1a\u8bdd\u4e2d\u7684\u8fdb\u7a0b\u53ef\u4ee5\u6a21\u62df\u7684\u7a0b\u5ea6\u3002<\/p>\n

\u201c\u8eab\u4efd\u9a8c\u8bc1\u4fe1\u606f\u201d\u5b57\u6bb5\u63d0\u4f9b\u5173\u4e8e\u6b64\u7279\u5b9a\u767b\u5f55\u8bf7\u6c42\u7684\u8be6\u7ec6\u4fe1\u606f\u3002
        -\u201c\u767b\u5f55 GUID\u201d\u662f\u53ef\u7528\u4e8e\u5c06\u6b64\u4e8b\u4ef6\u4e0e KDC \u4e8b\u4ef6\u5173\u8054\u8d77\u6765\u7684\u552f\u4e00\u6807\u8bc6\u7b26\u3002
        -\u201c\u4f20\u9012\u7684\u670d\u52a1\u201d\u6307\u660e\u54ea\u4e9b\u4e2d\u95f4\u670d\u52a1\u53c2\u4e0e\u4e86\u6b64\u767b\u5f55\u8bf7\u6c42\u3002
        – \u201c\u6570\u636e\u5305\u540d\u201d\u6307\u660e\u5728 NTLM \u534f\u8bae\u4e4b\u95f4\u4f7f\u7528\u4e86\u54ea\u4e9b\u5b50\u534f\u8bae\u3002
        -\u201c\u5bc6\u94a5\u957f\u5ea6\u201d\u6307\u660e\u751f\u6210\u7684\u4f1a\u8bdd\u5bc6\u94a5\u7684\u957f\u5ea6\u3002\u5982\u679c\u6ca1\u6709\u8bf7\u6c42\u4f1a\u8bdd\u5bc6\u94a5\uff0c\u5219\u6b64\u5b57\u6bb5\u4e3a 0\u3002
\u4e8b\u4ef6 Xml:
<Event xmlns="http:\/\/schemas.microsoft.com\/win\/2004\/08\/events\/event">
<System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" \/>
    <EventID>4624<\/EventID>
    <Version>1<\/Version>
    <Level>0<\/Level>
    <Task>12544<\/Task>
    <Opcode>0<\/Opcode>
    <Keywords>0x8020000000000000<\/Keywords>
    <TimeCreated SystemTime="2020-02-04T03:08:05.531779300Z" \/>
    <EventRecordID>7949<\/EventRecordID>
    <Correlation \/>
    <Execution ProcessID="692" ThreadID="6800" \/>
    <Channel>Security<\/Channel>
    <Computer>WIN-1GIDUT4AGV9<\/Computer>
    <Security \/>
<\/System>
<EventData>
    <Data Name="SubjectUserSid">S-1-5-18<\/Data>
    <Data Name="SubjectUserName">WIN-1GIDUT4AGV9$<\/Data>
    <Data Name="SubjectDomainName">WORKGROUP<\/Data>
    <Data Name="SubjectLogonId">0x3e7<\/Data>
    <Data Name="TargetUserSid">S-1-5-18<\/Data>
    <Data Name="TargetUserName">SYSTEM<\/Data>
    <Data Name="TargetDomainName">NT AUTHORITY<\/Data>
    <Data Name="TargetLogonId">0x3e7<\/Data>
    <Data Name="LogonType">5<\/Data>
    <Data Name="LogonProcessName">Advapi<\/Data>
    <Data Name="AuthenticationPackageName">Negotiate<\/Data>
    <Data Name="WorkstationName">-<\/Data>
    <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}<\/Data>
    <Data Name="TransmittedServices">-<\/Data>
    <Data Name="LmPackageName">-<\/Data>
    <Data Name="KeyLength">0<\/Data>
    <Data Name="ProcessId">0x2ac<\/Data>
    <Data Name="ProcessName">C:WindowsSystem32services.exe<\/Data>
    <Data Name="IpAddress">-<\/Data>
    <Data Name="IpPort">-<\/Data>
    <Data Name="ImpersonationLevel">%%1833<\/Data>
<\/EventData>
<\/Event><\/p>\n","protected":false},"excerpt":{"rendered":"

lna \u5927\u4f6c\u6709\u8bdd\u8bf4 : \u5927\u5a76\u4eec\u5e2e\u5fd9…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[],"tags":[],"_links":{"self":[{"href":"http:\/\/4563.org\/index.php?rest_route=\/wp\/v2\/posts\/17942"}],"collection":[{"href":"http:\/\/4563.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/4563.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/4563.org\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/4563.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=17942"}],"version-history":[{"count":0,"href":"http:\/\/4563.org\/index.php?rest_route=\/wp\/v2\/posts\/17942\/revisions"}],"wp:attachment":[{"href":"http:\/\/4563.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=17942"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/4563.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=17942"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/4563.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=17942"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}