Windows Security Descriptor Auditing Methodology: Investigating Event Log Security

After gaining access to a system, what level of access does the system grant an attacker who has not yet elevated privileges?

Rather than experimenting on the host, only to be met with "access denied" and to generate noisy logs along the way, a better strategy is to first understand which permissions Windows grants to unprivileged users.

In Windows, almost all access is governed by security descriptors. The goal of this post is to establish an auditing methodology that exposes the potential risk of misconfigured security descriptors. Once the methodology is in place, we will apply it to a practical use case: which potentially abusable access rights are granted to unprivileged groups on Windows event logs? To answer that, we need to define two things:

· What is a misconfiguration?

· What is an "abusable" access right?

Before answering these questions, let us first establish a method for obtaining security descriptors.

Target audience for this post: anyone already familiar with security descriptors, access control lists and SACLs who wants to formalize an automated auditing methodology. Readers unfamiliar with these concepts can start with the resources in the references section below.

Obtaining security descriptors

It is well known that things like files, directories and registry keys can be secured with security descriptors, but how do we determine everything that can be secured? To begin with, the kernel considers many things "securable"; we will call these securable objects. There are several ways to enumerate securable object types, but I personally find the simplest to be the Get-NtType cmdlet from James Forshaw's NtObjectManager PowerShell module. Running Get-NtType without any arguments returns the following securable objects on my Windows 10 host:

ActivationObject, ActivityReference, Adapter, ALPC Port, Callback, Composition, Controller, CoreMessaging, CoverageSampler, DebugObject, Desktop, Device, Directory, DmaAdapter, Driver, DxgkCompositionObject, DxgkCurrentDxgProcessObject, DxgkDisplayManagerObject, DxgkSharedBundleObject, DxgkSharedKeyedMutexObject, DxgkSharedProtectedSessionObject, DxgkSharedResource, DxgkSharedSwapChainObject, DxgkSharedSyncObject, EnergyTracker, EtwConsumer, EtwRegistration, EtwSessionDemuxEntry, Event, File, FilterCommunicationPort, FilterConnectionPort, IoCompletion, IoCompletionReserve, IRTimer, Job, Key, KeyedEvent, Mutant, NdisCmState, Partition, PcwObject, PowerRequest, Process, Profile, PsSiloContextNonPaged, PsSiloContextPaged, RawInputManager, RegistryTransaction, Section, Semaphore, Session, SymbolicLink, Thread, Timer, TmEn, TmRm, TmTm, TmTx, Token, TpWorkerFactory, Type, UserApcReserve, VRegConfigurationContext, WaitCompletionPacket, WindowStation, WmiGuid

None of the returned securable objects, however, appears to relate to our specific use case (event logs). So the question remains: are event logs secured? Intuitively, Microsoft must have considered this; an unprivileged user cannot, for example, view or clear the Security event log. At this point it is wise to start searching. Searching for "event log security descriptor" turns up the following relevant article:

· Eventlog Key

In this article, the author references the ability to set a custom security descriptor through the "CustomSD" registry value, and also references the default security permissions given in the documentation for the "Isolation" registry value.

Now that we know security descriptors can be applied to event logs, how do we retrieve them? Fortunately, when you call Get-WinEvent -ListLog in PowerShell, it returns an EventLogConfiguration object for each event log, and that object contains a SecurityDescriptor property.

> Get-WinEvent -ListLog Security | Select -ExpandProperty SecurityDescriptor

O:BAG:SYD:(A;;CCLCSDRCWDWO;;;SY)(A;;CCLC;;;BA)(A;;CC;;;ER)

For reference, the string above is an SDDL string, a convenient way to represent a security descriptor. Tools such as ConvertFrom-SddlString are very useful for understanding them.

As someone who likes to understand the underlying Win32 API, I used dnSpy to trace the implementation of the SecurityDescriptor property and found that it calls the EvtGetChannelConfigProperty function in wevtapi.dll with the EvtChannelConfigAccess enumeration value. Knowing which DLL exports the relevant Win32 API function is also valuable, because it points to the corresponding header file in the Windows SDK (winevt.h in this case), and header files often provide valuable information beyond the MSDN documentation.

Now, if we want to audit event log security descriptors, we need to know which access rights the system applies to them.

Determining the relevant access rights

For event log access control entries, we need to understand four parts of the access mask:

· Object-specific access rights: rights specific to the securable object, in this case event logs.

· Standard access rights: rights that apply to the security descriptor itself.

· Generic access rights: rights that map onto standard and object-specific rights.

· SACL access rights: rights that control the logging of access granted to or denied on the object.

The object-specific access rights are documented. Sometimes, however, access rights are added or removed without the documentation being updated. That is why I prefer to consult the corresponding Windows SDK header file, winevt.h, which has the latest object-specific access right definitions:

#define EVT_READ_ACCESS    0x1
#define EVT_WRITE_ACCESS   0x2
#define EVT_CLEAR_ACCESS   0x4
#define EVT_ALL_ACCESS     0x7

For those unfamiliar with bitwise operations, EVT_ALL_ACCESS is the result of the bitwise OR EVT_READ_ACCESS | EVT_WRITE_ACCESS | EVT_CLEAR_ACCESS.

Mapping generic access rights is usually a bit trickier. Generic access rights map to one or more standard and object-specific access rights. For "lesser known" securable objects, documentation of the generic mapping is either lacking or does not exist at all, and event logs are no exception. So, absent documentation or header files providing this information, we are left to look for the answer in code. The first question you might ask, though, is "in what code?" We have to answer that with some guesswork and intuition. The approach I took was to take the "CustomSD" keyword explained earlier and search for it across DLLs, since it is strongly tied to event log security. Once I find that reference, the code related to generic access rights is likely to be located nearby. I used the following PowerShell code to identify candidate DLLs:

# Search every DLL in System32 for the UTF-16 string "CustomSD" and list the unique paths
$EventLogAccess = Get-ChildItem C:\Windows\System32\*.dll | Select-String 'CustomSD' -Encoding unicode
$EventLogAccess.Path | Sort-Object -Unique

The results:

C:\Windows\System32\acmigration.dll
C:\Windows\System32\aeinv.dll
C:\Windows\System32\apphelp.dll
C:\Windows\System32\appraiser.dll
C:\Windows\System32\d3d9.dll
C:\Windows\System32\drvstore.dll
C:\Windows\System32\dxdiagn.dll
C:\Windows\System32\dxgi.dll
C:\Windows\System32\generaltel.dll
C:\Windows\System32\kernel32.dll
C:\Windows\System32\opengl32.dll
C:\Windows\System32\setupapi.dll
C:\Windows\System32\vbsapi.dll
C:\Windows\System32\vfluapriv.dll
C:\Windows\System32\wevtsvc.dll

In my opinion the most relevant DLL is wevtsvc.dll, the DLL associated with the event log service.

Loading wevtsvc.dll into IDA with symbols, a cross-reference to "CustomSD" led me to the ChannelConfigReader::GetChannelAccessSddl function.

While this function and its cross-references did not yield anything related to generic access rights, the GetDefaultSDDL function is very interesting: after a little reverse engineering, I could see that the event log service defines the following security descriptors when no custom security descriptor has been applied:

Security log
O:BAG:SYD:(A;;CCLCSDRCWDWO;;;SY)(A;;CCLC;;;BA)(A;;CC;;;ER)
System log
O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x3;;;BO)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x3;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)
Application log
O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0x2;;;S-1-15-3-1024-3153509613-960666767-3724611135-2725662640-12138253-543910227-1950414635-4190290187)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)

These correspond somewhat to the documentation for the "Isolation" registry value, but not exactly. This is another example of documentation that cannot be relied upon when you need a precise result. Now that we have context around the default event log security descriptors, this will shortly become relevant to explaining why so many event logs have the same security descriptor applied. Back to generic access rights, though, thorny as the problem is.

While looking through the wevtsvc.dll binary, I stumbled upon a call to the AccessCheck function inside the internal function EvtCheckAccess:

Upon seeing this call and consulting the documentation, I could see that this function checks access to any object that supports having a security descriptor applied. It also requires a GenericMapping parameter. In this case, wevtsvc.dll supplies the global variable, a GENERIC_MAPPING structure, that AccessCheck requires. In IDA, it appears as follows:


Translated, this means:

· GENERIC_READ maps to EVT_READ_ACCESS

· GENERIC_WRITE maps to EVT_WRITE_ACCESS

· GENERIC_EXECUTE maps to no object-specific access right

· GENERIC_ALL maps to EVT_ALL_ACCESS

And there you have it; now that is documented on the internet.

We now have all the components needed to build automation around auditing event log security descriptors.

Considerations on abusable access rights

Once you have enumerated all the access rights supported by the target securable object, you can begin to consider what each access right offers an attacker who has not performed privilege escalation. After consideration, here is the impact I came up with for each event log access right:

Implications of the object-specific access rights:

· EVT_READ_ACCESS: grants a user or group the ability to read events from a specific event log. If an event log could store sensitive information, this may be abusable. Moreover, most event logs receive events written from the context of any process, so an attacker has the opportunity to read, from an unprivileged user context, events written by privileged processes.

· EVT_WRITE_ACCESS: grants a user or group the ability to write events to a specific event log. Using the event log write APIs, an attacker can generate fake event log records, which may create a false impression that all is well. They might also consider injecting benign records into the event log after performing a malicious action, so that the records giving context to what the attacker actually did roll over and are lost. An attacker might also choose to write data into the event log as a raw data storage mechanism that security products do not quarantine.

· EVT_CLEAR_ACCESS: grants a user or group the ability to clear a specific event log. An unprivileged user should never be granted this right. A mitigating detection control, however, is event ID 104 in the System event log (source: EventLog), which indicates when a specific event log is cleared.

Implications of the standard access rights:

· WRITE_DAC: grants a user or group the ability to add, remove or modify access control entries in the discretionary ACL (DACL). For event logs, the practical implication is that it allows an attacker in an unprivileged context to grant themselves read, write or clear access to a specific event log. They could also remove the access of any other user or group they wish, for example making it impossible for other users to read the event log.

· WRITE_OWNER: allows a user or group to take ownership of the security descriptor. The user or group then has full control, but the practical attack scenario is to assign ownership of the object to an unprivileged attacker and then modify the DACL to suit the attacker's needs.

This post does not attempt to exhaustively list everything an attacker could do with granted access rights. The extent to which an attacker abuses granted access rights depends on the following factors:

· The specific object the attacker controls

· The attacker's specific objectives

· The attacker's creativity

Security descriptor auditing methodology

For presenting a security descriptor audit, my preference is to group access rights by the user or group principal that is granted access. For example, I specifically want to know which event log access rights are granted to the "NT AUTHORITY\Authenticated Users" group, an unprivileged group. Here is the PowerShell code I wrote:

Let us use PowerShell to look at the granted access rights:

[Figure: screenshot of the author's PowerShell script; not reproduced in this copy]

After inspecting each object, I found that the "NT AUTHORITY\INTERACTIVE" group was granted read and write access to the largest number of event logs:

> $PGrouping['NT AUTHORITY\INTERACTIVE'].LogFileRead.Count
415

Now, from an attack and research perspective, it is up to you to determine which event logs are of particular value to an unprivileged attacker running as "NT AUTHORITY\INTERACTIVE", that is, any user granted an interactive logon token. For example, if a defender is capturing PowerShell script block logs, an unprivileged user already has the right to read the contents of all PowerShell scripts, including those logged in privileged contexts, which may include plaintext credentials.
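The following PowerShell is an added example and not the post's own script (which survives only as a screenshot). It ties together the pieces above: the .NET RawSecurityDescriptor class parses the SDDL returned by Get-WinEvent -ListLog, the winevt.h and winnt.h constants decode the access mask, generic bits are resolved with the GENERIC_MAPPING recovered from wevtsvc.dll, and the result is grouped per principal in the shape the $PGrouping lookup above suggests. The function names and the property names (LogFileRead and so on) are my own assumptions; the sample log entries at the end are constructed so the logic can be checked without a live host.

```powershell
# Added example, not the post's script. Decodes event log SDDLs and groups rights by principal.

# Object-specific rights (winevt.h)
$EVT_READ_ACCESS  = 0x1L
$EVT_WRITE_ACCESS = 0x2L
$EVT_CLEAR_ACCESS = 0x4L
$EVT_ALL_ACCESS   = $EVT_READ_ACCESS -bor $EVT_WRITE_ACCESS -bor $EVT_CLEAR_ACCESS
# Standard and SACL rights (winnt.h)
$DELETE = 0x10000L; $READ_CONTROL = 0x20000L; $WRITE_DAC = 0x40000L; $WRITE_OWNER = 0x80000L
$ACCESS_SYSTEM_SECURITY = 0x1000000L
# Generic rights (winnt.h). Int64 literals avoid PowerShell reading 0x80000000 as a negative Int32.
# GENERIC_EXECUTE (0x20000000) maps to nothing for event logs, so it is simply dropped below.
$GENERIC_READ = 0x80000000L; $GENERIC_WRITE = 0x40000000L; $GENERIC_ALL = 0x10000000L

function ConvertTo-EventLogSpecificMask {
    # Apply the GENERIC_MAPPING that wevtsvc.dll hands to AccessCheck.
    param([int64] $AccessMask)
    $Mapped = $AccessMask -band 0x0FFFFFFFL          # keep everything but the four generic bits
    if ($AccessMask -band $GENERIC_READ)  { $Mapped = $Mapped -bor $EVT_READ_ACCESS }
    if ($AccessMask -band $GENERIC_WRITE) { $Mapped = $Mapped -bor $EVT_WRITE_ACCESS }
    if ($AccessMask -band $GENERIC_ALL)   { $Mapped = $Mapped -bor $EVT_ALL_ACCESS }
    $Mapped
}

function Get-EventLogAllowAce {
    # One object per access-allowed ACE: principal name (raw SID when it cannot be resolved,
    # e.g. app container SIDs), SID string and the object-specific access mask.
    # The .NET parser resolves SDDL abbreviations such as CC/LC and well-known SIDs such as IU.
    param([string] $Sddl)
    $Sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($Ace in $Sd.DiscretionaryAcl) {
        if ($Ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $Sid = $Ace.SecurityIdentifier
        try   { $Principal = $Sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $Principal = $Sid.Value }
        # AccessMask is an Int32; mask to 32 bits so GENERIC_READ (bit 31) is not sign-extended
        $RawMask = [int64] $Ace.AccessMask -band 0xFFFFFFFFL
        [pscustomobject] @{
            Principal  = $Principal
            Sid        = $Sid.Value
            AccessMask = ConvertTo-EventLogSpecificMask -AccessMask $RawMask
        }
    }
}

function Get-EventLogAccessByPrincipal {
    # $EventLogs: objects with LogName and SecurityDescriptor properties, e.g. Get-WinEvent -ListLog *.
    # Returns a hashtable: principal -> object whose properties are lists of log names per right.
    param([object[]] $EventLogs)
    $Rights = [ordered] @{
        LogFileRead = $EVT_READ_ACCESS; LogFileWrite = $EVT_WRITE_ACCESS; LogFileClear = $EVT_CLEAR_ACCESS
        Delete = $DELETE; ReadControl = $READ_CONTROL; WriteDac = $WRITE_DAC; WriteOwner = $WRITE_OWNER
        AccessSystemSecurity = $ACCESS_SYSTEM_SECURITY
    }
    $Grouping = @{}
    foreach ($Log in $EventLogs) {
        if (-not $Log.SecurityDescriptor) { continue }   # some logs expose no descriptor
        foreach ($Ace in (Get-EventLogAllowAce -Sddl $Log.SecurityDescriptor)) {
            if (-not $Grouping.ContainsKey($Ace.Principal)) {
                $Entry = [ordered] @{}
                foreach ($Name in $Rights.Keys) { $Entry[$Name] = New-Object System.Collections.Generic.List[string] }
                $Grouping[$Ace.Principal] = [pscustomobject] $Entry
            }
            foreach ($Name in $Rights.Keys) {
                if ($Ace.AccessMask -band $Rights[$Name]) { $Grouping[$Ace.Principal].$Name.Add($Log.LogName) }
            }
        }
    }
    $Grouping
}

# Offline check on constructed input: the Security log default quoted above plus a made-up channel
$Sample = @(
    [pscustomobject] @{ LogName = 'Security'; SecurityDescriptor = 'O:BAG:SYD:(A;;CCLCSDRCWDWO;;;SY)(A;;CCLC;;;BA)(A;;CC;;;ER)' }
    [pscustomobject] @{ LogName = 'Example/Operational'; SecurityDescriptor = 'O:BAG:SYD:(A;;0x7;;;BA)(A;;0x3;;;IU)(A;;0x1;;;S-1-5-32-573)' }
)
$SampleGrouping = Get-EventLogAccessByPrincipal -EventLogs $Sample
foreach ($Principal in $SampleGrouping.Keys) {
    $Entry = $SampleGrouping[$Principal]
    '{0}: read=[{1}] write=[{2}] clear=[{3}]' -f $Principal, ($Entry.LogFileRead -join ','), ($Entry.LogFileWrite -join ','), ($Entry.LogFileClear -join ',')
}

# On a live host (any user can list most logs; -ErrorAction hides the ones the caller may not open):
# $PGrouping = Get-EventLogAccessByPrincipal -EventLogs (Get-WinEvent -ListLog * -ErrorAction SilentlyContinue)
# $PGrouping['NT AUTHORITY\INTERACTIVE'].LogFileRead.Count
```

Two details matter for correctness: the SDDL abbreviations CC and LC are resolved by the parser to their numeric bits rather than assumed to mean "read" and "write", and the generic bits are translated before the per-right test so that an ACE written as GENERIC_READ lands in the same LogFileRead bucket as one written as 0x1.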

Finally, it is worth mentioning that because custom security descriptors for event logs are applied as registry values, you also need to ensure the relevant registry keys are themselves secured as part of the audit, so that unprivileged users cannot write their own custom security descriptors to the registry.

Rationalizing the default security descriptors

Based on our earlier findings on the default security descriptors, I have not yet assessed the risk posed by unprivileged users being able to read most event logs, but it may at least explain why so many logs have been granted the access rights they have. The following code lists all event logs that have the default "Application" isolation security applied:

> $ApplicationEventLogsDefaultSDDL = 'O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0x2;;;S-1-15-3-1024-3153509613-960666767-3724611135-2725662640-12138253-543910227-1950414635-4190290187)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)'
> Get-WinEvent -ListLog * | Where-Object { $_.SecurityDescriptor -eq $ApplicationEventLogsDefaultSDDL }

As expected, almost all event logs appear in the output alongside the Application event log. With this in mind, whether as Microsoft or as a defender, it may be wise to apply our own, more restrictive security descriptor to event logs considered sensitive, such as the "Microsoft-Windows-PowerShell/Operational" log.
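As an added example, not the post's own code, here is one way to act on that recommendation with the .NET EventLogConfiguration class, whose SecurityDescriptor property is writable and is persisted by SaveChanges(). The function removes the access-allowed ACEs for chosen SIDs from a channel's SDDL and only writes the result when -Apply is passed. Function and parameter names are assumptions of mine; the offline demonstration reuses the default "Application" SDDL quoted above and drops the INTERACTIVE (S-1-5-4) and BATCH (S-1-5-3) entries.

```powershell
# Added example, not the post's code. Derives and optionally applies a more restrictive event log SDDL.

function Remove-AllowAceForSid {
    # Returns the rewritten SDDL and the number of access-allowed ACEs dropped for the given SIDs.
    param([string] $Sddl, [string[]] $SidsToRemove)
    $Sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $Dacl = $Sd.DiscretionaryAcl
    $Removed = 0
    # Walk backwards so RemoveAce() does not shift the indices still to be visited
    for ($i = $Dacl.Count - 1; $i -ge 0; $i--) {
        $Ace = $Dacl[$i]
        if ($Ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
            $SidsToRemove -contains $Ace.SecurityIdentifier.Value) {
            $Dacl.RemoveAce($i)
            $Removed++
        }
    }
    [pscustomobject] @{
        # The re-serialized SDDL spells rights as abbreviations (CCDC...) rather than hex masks,
        # so callers compare the Removed count, not the string, to decide whether anything changed
        Sddl    = $Sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
        Removed = $Removed
    }
}

function Set-EventLogRestrictedSddl {
    # Dry run by default: reports Before/After. With -Apply, persists the new descriptor (needs admin).
    param([string] $LogName, [string[]] $SidsToRemove, [switch] $Apply)
    $Config = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration($LogName)
    $Before = $Config.SecurityDescriptor
    $Result = Remove-AllowAceForSid -Sddl $Before -SidsToRemove $SidsToRemove
    $Applied = $false
    if ($Apply -and $Result.Removed -gt 0) {
        $Config.SecurityDescriptor = $Result.Sddl
        $Config.SaveChanges()            # writes the channel's access setting through wevtapi
        $Applied = $true
    }
    [pscustomobject] @{ LogName = $LogName; Before = $Before; After = $Result.Sddl; Removed = $Result.Removed; Applied = $Applied }
}

# Offline demonstration on the default "Application" isolation SDDL from the post
$ApplicationDefault = 'O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0x2;;;S-1-15-3-1024-3153509613-960666767-3724611135-2725662640-12138253-543910227-1950414635-4190290187)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)'
Remove-AllowAceForSid -Sddl $ApplicationDefault -SidsToRemove 'S-1-5-4', 'S-1-5-3' | Format-List

# Live dry run, then the same call with -Apply from an elevated shell once the result has been reviewed:
# Set-EventLogRestrictedSddl -LogName 'Microsoft-Windows-PowerShell/Operational' -SidsToRemove 'S-1-5-4', 'S-1-5-3'
```

Before rolling such a change out, confirm which consumers of the channel still function: the default descriptor also grants service (SU) and batch logon SIDs, and an administrator removing the wrong entry can silence a log rather than protect it. Keeping a copy of the Before value makes the change reversible through the same SaveChanges() path.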

Investigating security descriptor SACLs

In the course of auditing event log security descriptors, no documentation indicated that event logs support SACLs. Fortunately, there are two relevant code fragments inside the internal function EvtCheckAccess: GetSecurityDescriptorSacl and AccessCheckAndAuditAlarm.

Now that we know there is code handling SACLs, we can assume SACLs are supported. At this point I could try applying a custom security descriptor with a SACL to an event log, but I first wanted to figure out what the "Channel" parameter refers to. I then found that this parameter refers to the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\Security\ObjectNames


So it looks like these are all the object types that support SACL logging! I also determined that these DWORD values refer to message table indices in msobjs.dll, from which the event log pulls the strings when logging the relevant SACL access rights. I wrote a rough script to extract these values. Appendix B lists the dumped message strings for all supported securable objects. For example, I extracted the following message strings associated with the "Channel" object type:

Channel read message
Channel write message
Channel query information
Channel set information
Undefined Access (no effect) Bit 4
Undefined Access (no effect) Bit 5
Undefined Access (no effect) Bit 6
Undefined Access (no effect) Bit 7
Undefined Access (no effect) Bit 8
Undefined Access (no effect) Bit 9
Undefined Access (no effect) Bit 10
Undefined Access (no effect) Bit 11
Undefined Access (no effect) Bit 12
Undefined Access (no effect) Bit 13
Undefined Access (no effect) Bit 14
Undefined Access (no effect) Bit 15

These strings also make some sense, given that there are no messages beyond the first few bits: the object-specific access rights only go up to 7 (EVT_ALL_ACCESS), which is 111 in binary, three bits. From these messages alone, however, it is not entirely clear which access rights correspond to "Channel query information" and "Channel set information". Either way, with this knowledge you at least now know which SACL access rights can be logged!
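The following PowerShell is an added example, not the post's script, showing how such a dump can be produced: it reads the ObjectNames key identified above and resolves message strings from msobjs.dll with FormatMessage and the FORMAT_MESSAGE_FROM_HMODULE flag. It assumes, consistent with the 16-entry list above, that each DWORD is the base message id of a block of 16 strings indexed by access bit; the key lives under the Security log's configuration, so an elevated shell is needed. Function names are mine.

```powershell
# Added example, not the post's script. Resolves SACL audit message strings per object type.

# P/Invoke for LoadLibraryEx and FormatMessageW (kernel32.dll)
$Signature = @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr LoadLibraryEx(string lpFileName, IntPtr hFile, uint dwFlags);

[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern uint FormatMessage(uint dwFlags, IntPtr lpSource, uint dwMessageId,
    uint dwLanguageId, System.Text.StringBuilder lpBuffer, uint nSize, IntPtr Arguments);
'@
if (-not ('MsObjs.NativeMethods' -as [type])) {
    Add-Type -MemberDefinition $Signature -Name NativeMethods -Namespace MsObjs
}

$LOAD_LIBRARY_AS_DATAFILE      = 0x00000002   # map the DLL for resource access only, no DllMain
$FORMAT_MESSAGE_FROM_HMODULE   = 0x00000800
$FORMAT_MESSAGE_IGNORE_INSERTS = 0x00000200

function Get-MessageTableString {
    # Returns the message-table string for $MessageId, or $null when the module has no such entry.
    param([IntPtr] $Module, [uint32] $MessageId)
    $Buffer = New-Object System.Text.StringBuilder 1024
    $Length = [MsObjs.NativeMethods]::FormatMessage(
        ($FORMAT_MESSAGE_FROM_HMODULE -bor $FORMAT_MESSAGE_IGNORE_INSERTS),
        $Module, $MessageId, 0, $Buffer, [uint32] $Buffer.Capacity, [IntPtr]::Zero)
    if ($Length -eq 0) { return $null }
    $Buffer.ToString().TrimEnd("`r", "`n")
}

function Get-SaclAuditMessageTable {
    # Assumption: each ObjectNames DWORD is a base id and the string for access bit N is at base + N.
    param(
        [string] $ObjectNamesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security\Security\ObjectNames',
        [string] $MessageDll = "$env:windir\System32\msobjs.dll"
    )
    $Module = [MsObjs.NativeMethods]::LoadLibraryEx($MessageDll, [IntPtr]::Zero, $LOAD_LIBRARY_AS_DATAFILE)
    if ($Module -eq [IntPtr]::Zero) { throw "LoadLibraryEx failed for $MessageDll" }
    $Key = Get-Item -Path $ObjectNamesKey        # requires admin: the Security log keys are restricted
    foreach ($ObjectType in $Key.GetValueNames()) {
        if (-not $ObjectType) { continue }       # skip the unnamed default value, if present
        $Base = [uint32] $Key.GetValue($ObjectType)
        foreach ($Bit in 0..15) {
            [pscustomobject] @{
                ObjectType = $ObjectType
                AccessBit  = $Bit
                MessageId  = $Base + $Bit
                Message    = Get-MessageTableString -Module $Module -MessageId ($Base + $Bit)
            }
        }
    }
}

# Usage (elevated): the specific-right strings for the "Channel" (event log) object type
Get-SaclAuditMessageTable | Where-Object ObjectType -eq 'Channel' | Format-Table AccessBit, MessageId, Message
```

Dropping the Where-Object filter yields the full table that Appendix B describes, one row per object type and bit, which is convenient for diffing across Windows builds to spot newly audited rights.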

Summary

I hope this post has helped highlight a methodology for auditing the security descriptors of event logs and of any securable object type. It should also highlight the challenges of performing such an audit when documentation is incomplete or non-existent.

As another example, I used the methodology presented here to identify all writable subdirectories under %windir%.

I also used this methodology to understand, audit and find misconfigurations in ETW providers and trace sessions, which I covered in my 2019 Recon talk:

Beyond these, there are many more securable object types worth investigating!

Finally, this post was produced through a collaboration between SpecterOps and Palantir. The time allotted through this partnership made it possible for me to share this information with you, and I am grateful for it!

References

· Detecting Windows endpoint compromise with SACLs

· How to design a DACL backdoor for Active Directory

Appendix A: Event logs readable and writable by NT AUTHORITY\INTERACTIVE

At the time of writing, the following event logs have the default "Application" isolation security descriptor applied, giving members of the unprivileged "NT AUTHORITY\INTERACTIVE" group read and write access. It is left to the reader to decide the extent to which these event logs may or may not contain valuable or sensitive information.

Event logs granted read access:

AMSI/Operational
Application
ForwardedEvents
HardwareEvents
Key Management Service
Microsoft-AppV-Client/Admin
Microsoft-AppV-Client/Operational
Microsoft-AppV-Client/Virtual Applications
Microsoft-Client-Licensing-Platform/Admin
Microsoft-User Experience Virtualization-Agent Driver/Operational
Microsoft-User Experience Virtualization-App Agent/Operational
Microsoft-User Experience Virtualization-IPC/Operational
Microsoft-User Experience Virtualization-SQM Uploader/Operational
Microsoft-Windows-AAD/Operational
Microsoft-Windows-AllJoyn/Operational
Microsoft-Windows-All-User-Install-Agent/Admin
Microsoft-Windows-AppHost/Admin
Microsoft-Windows-AppID/Operational
Microsoft-Windows-ApplicabilityEngine/Operational
Microsoft-Windows-Application Server-Applications/Admin
Microsoft-Windows-Application Server-Applications/Operational
Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant
Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter
Microsoft-Windows-Application-Experience/Program-Inventory
Microsoft-Windows-Application-Experience/Program-Telemetry
Microsoft-Windows-Application-Experience/Steps-Recorder
Microsoft-Windows-ApplicationResourceManagementSystem/Operational
Microsoft-Windows-AppLocker/EXE and DLL
Microsoft-Windows-AppLocker/MSI and Script
Microsoft-Windows-AppLocker/Packaged app-Deployment
Microsoft-Windows-AppLocker/Packaged app-Execution
Microsoft-Windows-AppModel-Runtime/Admin
Microsoft-Windows-AppReadiness/Admin
Microsoft-Windows-AppReadiness/Operational
Microsoft-Windows-AppXDeployment/Operational
Microsoft-Windows-AppXDeploymentServer/Operational
Microsoft-Windows-AppxPackaging/Operational
Microsoft-Windows-AssignedAccess/Admin
Microsoft-Windows-AssignedAccess/Operational
Microsoft-Windows-AssignedAccessBroker/Admin
Microsoft-Windows-AssignedAccessBroker/Operational
Microsoft-Windows-Audio/CaptureMonitor
Microsoft-Windows-Audio/GlitchDetection
Microsoft-Windows-Audio/Informational
Microsoft-Windows-Audio/Operational
Microsoft-Windows-Audio/PlaybackManager
Microsoft-Windows-Authentication User Interface/Operational
Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController
Microsoft-Windows-Authentication/ProtectedUser-Client
Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController
Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController
Microsoft-Windows-BackgroundTaskInfrastructure/Operational
Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational
Microsoft-Windows-Backup
Microsoft-Windows-Base-Filtering-Engine-Connections/Operational
Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational
Microsoft-Windows-Biometrics/Operational
Microsoft-Windows-BitLocker/BitLocker Management
Microsoft-Windows-BitLocker/BitLocker Operational
Microsoft-Windows-BitLocker-DrivePreparationTool/Admin
Microsoft-Windows-BitLocker-DrivePreparationTool/Operational
Microsoft-Windows-Bits-Client/Analytic
Microsoft-Windows-Bits-Client/Operational
Microsoft-Windows-Bluetooth-BthLEEnum/Operational
Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational
Microsoft-Windows-Bluetooth-Bthmini/Operational
Microsoft-Windows-Bluetooth-MTPEnum/Operational
Microsoft-Windows-Bluetooth-Policy/Operational
Microsoft-Windows-BranchCache/Operational
Microsoft-Windows-BranchCacheSMB/Operational
Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational
Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational
Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational
Microsoft-Windows-CertPoleEng/Operational
Microsoft-Windows-CloudStorageWizard/Operational
Microsoft-Windows-CloudStore/Debug
Microsoft-Windows-CloudStore/Operational
Microsoft-Windows-CodeIntegrity/Operational
Microsoft-Windows-Compat-Appraiser/Operational
Microsoft-Windows-Containers-BindFlt/Operational
Microsoft-Windows-Containers-Wcifs/Operational
Microsoft-Windows-Containers-Wcnfs/Operational
Microsoft-Windows-CoreApplication/Operational
Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational
Microsoft-Windows-CorruptedFileRecovery-Client/Operational
Microsoft-Windows-CorruptedFileRecovery-Server/Operational
Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc
Microsoft-Windows-Crypto-DPAPI/Debug
Microsoft-Windows-Crypto-DPAPI/Operational
Microsoft-Windows-DAL-Provider/Operational
Microsoft-Windows-DataIntegrityScan/Admin
Microsoft-Windows-DataIntegrityScan/CrashRecovery
Microsoft-Windows-DateTimeControlPanel/Operational
Microsoft-Windows-Deduplication/Diagnostic
Microsoft-Windows-Deduplication/Operational
Microsoft-Windows-Deduplication/Scrubbing
Microsoft-Windows-DeviceGuard/Operational
Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational
Microsoft-Windows-Devices-Background/Operational
Microsoft-Windows-DeviceSetupManager/Admin
Microsoft-Windows-DeviceSetupManager/Operational
Microsoft-Windows-DeviceSync/Operational
Microsoft-Windows-DeviceUpdateAgent/Operational
Microsoft-Windows-Dhcp-Client/Admin
Microsoft-Windows-Dhcp-Client/Operational
Microsoft-Windows-Dhcpv6-Client/Admin
Microsoft-Windows-Dhcpv6-Client/Operational
Microsoft-Windows-Diagnosis-DPS/Operational
Microsoft-Windows-Diagnosis-PCW/Operational
Microsoft-Windows-Diagnosis-PLA/Operational
Microsoft-Windows-Diagnosis-Scheduled/Operational
Microsoft-Windows-Diagnosis-Scripted/Admin
Microsoft-Windows-Diagnosis-Scripted/Operational
Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational
Microsoft-Windows-Diagnostics-Networking/Operational
Microsoft-Windows-DiskDiagnostic/Operational
Microsoft-Windows-DiskDiagnosticDataCollector/Operational
Microsoft-Windows-DiskDiagnosticResolver/Operational
Microsoft-Windows-DisplayColorCalibration/Operational
Microsoft-Windows-DNS-Client/Operational
Microsoft-Windows-DriverFrameworks-UserMode/Operational
Microsoft-Windows-DSC/Admin
Microsoft-Windows-DSC/Operational
Microsoft-Windows-DxgKrnl-Admin
Microsoft-Windows-DxgKrnl-Operational
Microsoft-Windows-EapHost/Operational
Microsoft-Windows-EapMethods-RasChap/Operational
Microsoft-Windows-EapMethods-RasTls/Operational
Microsoft-Windows-EapMethods-Sim/Operational
Microsoft-Windows-EapMethods-Ttls/Operational
Microsoft-Windows-EDP-Application-Learning/Admin
Microsoft-Windows-EDP-Audit-Regular/Admin
Microsoft-Windows-EDP-Audit-TCB/Admin
Microsoft-Windows-Energy-Estimation-Engine/EventLog
Microsoft-Windows-ESE/Operational
Microsoft-Windows-EventCollector/Operational
Microsoft-Windows-Fault-Tolerant-Heap/Operational
Microsoft-Windows-FeatureConfiguration/Operational
Microsoft-Windows-FileHistory-Core/WHC
Microsoft-Windows-FMS/Operational
Microsoft-Windows-Folder Redirection/Operational
Microsoft-Windows-Forwarding/Operational
Microsoft-Windows-GenericRoaming/Admin
Microsoft-Windows-glcnd/Admin
Microsoft-Windows-HelloForBusiness/Operational
Microsoft-Windows-HomeGroup Control Panel/Operational
Microsoft-Windows-HomeGroup Listener Service/Operational
Microsoft-Windows-HomeGroup Provider Service/Operational
Microsoft-Windows-HostGuardianClient-Service/Admin
Microsoft-Windows-HostGuardianClient-Service/Operational
Microsoft-Windows-HostGuardianService-CA/Admin
Microsoft-Windows-HostGuardianService-CA/Operational
Microsoft-Windows-HostGuardianService-Client/Admin
Microsoft-Windows-HostGuardianService-Client/Operational
Microsoft-Windows-HotspotAuth/Operational
Microsoft-Windows-HttpService/Log
Microsoft-Windows-HttpService/Trace
Microsoft-Windows-Hyper-V-Guest-Drivers/Admin
Microsoft-Windows-Hyper-V-Guest-Drivers/Operational
Microsoft-Windows-Hyper-V-VMSP-Admin
Microsoft-Windows-Hyper-V-VmSwitch-Operational
Microsoft-Windows-IdCtrls/Operational
Microsoft-Windows-IKE/Operational
Microsoft-Windows-International/Operational
Microsoft-Windows-International-RegionalOptionsControlPanel/Operational
Microsoft-Windows-Iphlpsvc/Operational
Microsoft-Windows-IPxlatCfg/Operational
Microsoft-Windows-KdsSvc/Operational
Microsoft-Windows-Kerberos/Operational
Microsoft-Windows-Kernel-ApphelpCache/Operational
Microsoft-Windows-Kernel-Boot/Operational
Microsoft-Windows-Kernel-EventTracing/Admin
Microsoft-Windows-Kernel-IO/Operational
Microsoft-Windows-Kernel-PnP/Configuration
Microsoft-Windows-Kernel-Power/Thermal-Operational
Microsoft-Windows-Kernel-ShimEngine/Operational
Microsoft-Windows-Kernel-StoreMgr/Operational
Microsoft-Windows-Kernel-WDI/Operational
Microsoft-Windows-Kernel-WHEA/Errors
Microsoft-Windows-Kernel-WHEA/Operational
Microsoft-Windows-Known Folders API Service
Microsoft-Windows-LanguagePackSetup/Operational
Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational
Microsoft-Windows-LSA/Operational
Microsoft-Windows-MediaFoundation-Performance/SARStreamResource
Microsoft-Windows-MemoryDiagnostics-Results/Debug
Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational
Microsoft-Windows-Mobile-Broadband-Experience-SmsRouter/Admin
Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Admin
Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot
Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService
Microsoft-Windows-Mprddm/Operational
Microsoft-Windows-MSPaint/Admin
Microsoft-Windows-MUI/Admin
Microsoft-Windows-MUI/Operational
Microsoft-Windows-Ncasvc/Operational
Microsoft-Windows-NcdAutoSetup/Operational
Microsoft-Windows-NCSI/Operational
Microsoft-Windows-NDIS/Operational
Microsoft-Windows-NdisImPlatform/Operational
Microsoft-Windows-NetworkLocationWizard/Operational
Microsoft-Windows-NetworkProfile/Operational
Microsoft-Windows-NetworkProvisioning/Operational
Microsoft-Windows-NlaSvc/Operational
Microsoft-Windows-Ntfs/Operational
Microsoft-Windows-Ntfs/WHC
Microsoft-Windows-NTLM/Operational
Microsoft-Windows-OfflineFiles/Operational
Microsoft-Windows-OneBackup/Debug
Microsoft-Windows-OneX/Operational
Microsoft-Windows-OOBE-Machine-DUI/Operational
Microsoft-Windows-OtpCredentialProvider/Operational
Microsoft-Windows-PackageStateRoaming/Operational
Microsoft-Windows-Partition/Diagnostic
Microsoft-Windows-PerceptionRuntime/Operational
Microsoft-Windows-PerceptionSensorDataService/Operational
Microsoft-Windows-PersistentMemory-Nvdimm/Operational
Microsoft-Windows-PersistentMemory-PmemDisk/Operational
Microsoft-Windows-PersistentMemory-ScmBus/Certification
Microsoft-Windows-PersistentMemory-ScmBus/Operational
Microsoft-WindowsPhone-Connectivity-WiFiConnSvc-Channel
Microsoft-Windows-Policy/Operational
Microsoft-Windows-PowerShell/Admin
Microsoft-Windows-PowerShell/Operational
Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational
Microsoft-Windows-PrintBRM/Admin
Microsoft-Windows-PrintService/Admin
Microsoft-Windows-PrintService/Operational
Microsoft-Windows-PriResources-Deployment/Operational
Microsoft-Windows-Program-Compatibility-Assistant/Analytic
Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade
Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin
Microsoft-Windows-Provisioning-Diagnostics-Provider/AutoPilot
Microsoft-Windows-Provisioning-Diagnostics-Provider/ManagementService
Microsoft-Windows-Proximity-Common/Diagnostic
Microsoft-Windows-PushNotification-Platform/Admin
Microsoft-Windows-PushNotification-Platform/Operational
Microsoft-Windows-RasAgileVpn/Operational
Microsoft-Windows-ReadyBoost/Operational
Microsoft-Windows-ReadyBoostDriver/Operational
Microsoft-Windows-ReFS/Operational
Microsoft-Windows-Regsvr32/Operational
Microsoft-Windows-RemoteApp and Desktop Connections/Admin
Microsoft-Windows-RemoteApp and Desktop Connections/Operational
Microsoft-Windows-RemoteAssistance/Admin
Microsoft-Windows-RemoteAssistance/Operational
Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin
Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
Microsoft-Windows-RemoteDesktopServices-RemoteFX-Manager/Admin
Microsoft-Windows-RemoteDesktopServices-RemoteFX-Manager/Operational
Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin
Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsp/Admin
Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational
Microsoft-Windows-Remotefs-Rdbss/Operational
Microsoft-Windows-Resource-Exhaustion-Detector/Operational
Microsoft-Windows-Resource-Exhaustion-Resolver/Operational
Microsoft-Windows-RestartManager/Operational
Microsoft-Windows-RetailDemo/Admin
Microsoft-Windows-RetailDemo/Operational
Microsoft-Windows-RRAS/Operational
Microsoft-Windows-SearchUI/Operational
Microsoft-Windows-SecureAssessment/Operational
Microsoft-Windows-Security-Adminless/Operational
Microsoft-Windows-Security-Audit-Configuration-Client/Operational
Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational
Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational
Microsoft-Windows-Security-IdentityListener/Operational
Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational
Microsoft-Windows-Security-Mitigations/KernelMode
Microsoft-Windows-Security-Mitigations/UserMode
Microsoft-Windows-SecurityMitigationsBroker/Admin
Microsoft-Windows-SecurityMitigationsBroker/Operational
Microsoft-Windows-Security-Netlogon/Operational
Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational
Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter
Microsoft-Windows-Security-UserConsentVerifier/Audit
Microsoft-Windows-SENSE/Operational
Microsoft-Windows-SenseIR/Operational
Microsoft-Windows-ServiceReportingApi/Debug
Microsoft-Windows-SettingSync/Debug
Microsoft-Windows-SettingSync/Operational
Microsoft-Windows-SettingSync-Azure/Debug
Microsoft-Windows-SettingSync-Azure/Operational
Microsoft-Windows-SettingSync-OneDrive/Debug
Microsoft-Windows-SettingSync-OneDrive/Operational
Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational
Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter
Microsoft-Windows-Shell-Core/ActionCenter
Microsoft-Windows-Shell-Core/AppDefaults
Microsoft-Windows-Shell-Core/LogonTasksChannel
Microsoft-Windows-Shell-Core/Operational
Microsoft-Windows-SmartCard-Audit/Authentication
Microsoft-Windows-SmartCard-DeviceEnum/Operational
Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin
Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational
Microsoft-Windows-SmartScreen/Debug
Microsoft-Windows-SMBDirect/Admin
Microsoft-Windows-SMBWitnessClient/Admin
Microsoft-Windows-SMBWitnessClient/Informational
Microsoft-Windows-StateRepository/Operational
Microsoft-Windows-Storage-ATAPort/Admin
Microsoft-Windows-Storage-ATAPort/Operational
Microsoft-Windows-Storage-ClassPnP/Admin
Microsoft-Windows-Storage-ClassPnP/Operational
Microsoft-Windows-Storage-Disk/Admin
Microsoft-Windows-Storage-Disk/Operational
Microsoft-Windows-StorageManagement/Operational
Microsoft-Windows-StorageSpaces-Driver/Diagnostic
Microsoft-Windows-StorageSpaces-Driver/Operational
Microsoft-Windows-StorageSpaces-ManagementAgent/WHC
Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic
Microsoft-Windows-StorageSpaces-SpaceManager/Operational
Microsoft-Windows-Storage-Storport/Admin
Microsoft-Windows-Storage-Storport/Health
Microsoft-Windows-Storage-Storport/Operational
Microsoft-Windows-Storage-Tiering/Admin
Microsoft-Windows-Store/Operational
Microsoft-Windows-Storsvc/Diagnostic
Microsoft-Windows-SystemSettingsThreshold/Operational
Microsoft-Windows-TaskScheduler/Maintenance
Microsoft-Windows-TaskScheduler/Operational
Microsoft-Windows-TCPIP/Operational
Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin
Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational
Microsoft-Windows-TerminalServices-LocalSessionManager/Admin
Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
Microsoft-Windows-TerminalServices-PnPDevices/Admin
Microsoft-Windows-TerminalServices-PnPDevices/Operational
Microsoft-Windows-TerminalServices-Printers/Admin
Microsoft-Windows-TerminalServices-Printers/Operational
Microsoft-Windows-TerminalServices-RDPClient/Operational
Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin
Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin
Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational
Microsoft-Windows-Time-Service/Operational
Microsoft-Windows-Time-Service-PTP-Provider/PTP-Operational
Microsoft-Windows-Troubleshooting-Recommended/Admin
Microsoft-Windows-Troubleshooting-Recommended/Operational
Microsoft-Windows-TWinUI/Operational
Microsoft-Windows-TZSync/Operational
Microsoft-Windows-TZUtil/Operational
Microsoft-Windows-UAC/Operational
Microsoft-Windows-UniversalTelemetryClient/Operational
Microsoft-Windows-User Control Panel/Operational
Microsoft-Windows-User Device Registration/Admin
Microsoft-Windows-User Profile Service/Operational
Microsoft-Windows-User-Loader/Operational
Microsoft-Windows-UserPnp/ActionCenter
Microsoft-Windows-UserPnp/DeviceInstall
Microsoft-Windows-VDRVROOT/Operational
Microsoft-Windows-VerifyHardwareSecurity/Admin
Microsoft-Windows-VerifyHardwareSecurity/Operational
Microsoft-Windows-VHDMP-Operational
Microsoft-Windows-Volume/Diagnostic
Microsoft-Windows-VolumeSnapshot-Driver/Operational
Microsoft-Windows-VPN/Operational
Microsoft-Windows-VPN-Client/Operational
Microsoft-Windows-Wcmsvc/Operational
Microsoft-Windows-WDAG-PolicyEvaluator-CSP/Operational
Microsoft-Windows-WDAG-PolicyEvaluator-GP/Operational
Microsoft-Windows-WDAG-Service/Operational
Microsoft-Windows-WebAuth/Operational
Microsoft-Windows-WebAuthN/Operational
Microsoft-Windows-WebIO-NDF/Diagnostic
Microsoft-Windows-WEPHOSTSVC/Operational
Microsoft-Windows-WER-PayloadHealth/Operational
Microsoft-Windows-WFP/Operational
Microsoft-Windows-Win32k/Operational
Microsoft-Windows-Windows Defender/Operational
Microsoft-Windows-Windows Defender/WHC
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
Microsoft-Windows-Windows Firewall With Advanced Security/FirewallDiagnostics
Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose
Microsoft-Windows-WindowsBackup/ActionCenter
Microsoft-Windows-WindowsColorSystem/Operational
Microsoft-Windows-WindowsSystemAssessmentTool/Operational
Microsoft-Windows-WindowsUIImmersive/Operational
Microsoft-Windows-WindowsUpdateClient/Operational
Microsoft-Windows-WinHTTP-NDF/Diagnostic
Microsoft-Windows-WinINet-Capture/Analytic
Microsoft-Windows-WinINet-Config/ProxyConfigChanged
Microsoft-Windows-Winlogon/Operational
Microsoft-Windows-WinNat/Oper
Microsoft-Windows-WinRM/Operational
Microsoft-Windows-Winsock-AFD/Operational
Microsoft-Windows-Winsock-NameResolution/Operational
Microsoft-Windows-Winsock-WS2HELP/Operational
Microsoft-Windows-Wired-AutoConfig/Operational
Microsoft-Windows-WLAN-AutoConfig/Operational
Microsoft-Windows-WMI-Activity/Operational
Microsoft-Windows-WMPNSS-Service/Operational
Microsoft-Windows-Wordpad/Admin
Microsoft-Windows-WorkFolders/Operational
Microsoft-Windows-WorkFolders/WHC
Microsoft-Windows-Workplace Join/Admin
Microsoft-Windows-WPD-ClassInstaller/Operational
Microsoft-Windows-WPD-CompositeClassDriver/Operational
Microsoft-Windows-WPD-MTPClassDriver/Operational
Microsoft-Windows-WWAN-SVC-Events/Operational
OpenSSH/Admin
OpenSSH/Operational
RemoteDesktopServices-RemoteFX-SessionLicensing-Admin
RemoteDesktopServices-RemoteFX-SessionLicensing-Operational
Setup
SMSApi
System
Windows PowerShell

Event logs granted write access:

AMSI/Operational
Application
ForwardedEvents
HardwareEvents
Key Management Service
Microsoft-AppV-Client/Virtual Applications
Microsoft-Client-Licensing-Platform/Admin
Microsoft-User Experience Virtualization-App Agent/Operational
Microsoft-User Experience Virtualization-IPC/Operational
Microsoft-User Experience Virtualization-SQM Uploader/Operational
Microsoft-Windows-AAD/Operational
Microsoft-Windows-AllJoyn/Operational
Microsoft-Windows-All-User-Install-Agent/Admin
Microsoft-Windows-AppHost/Admin
Microsoft-Windows-ApplicabilityEngine/Operational
Microsoft-Windows-Application Server-Applications/Admin
Microsoft-Windows-Application Server-Applications/Operational
Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant
Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter
Microsoft-Windows-Application-Experience/Program-Inventory
Microsoft-Windows-Application-Experience/Program-Telemetry
Microsoft-Windows-Application-Experience/Steps-Recorder
Microsoft-Windows-ApplicationResourceManagementSystem/Operational
Microsoft-Windows-AppLocker/MSI and Script
Microsoft-Windows-AppLocker/Packaged app-Deployment
Microsoft-Windows-AppModel-Runtime/Admin
Microsoft-Windows-AppReadiness/Admin
Microsoft-Windows-AppReadiness/Operational
Microsoft-Windows-AppXDeployment/Operational
Microsoft-Windows-AppXDeploymentServer/Operational
Microsoft-Windows-AppxPackaging/Operational
Microsoft-Windows-AssignedAccess/Admin
Microsoft-Windows-AssignedAccess/Operational
Microsoft-Windows-AssignedAccessBroker/Admin
Microsoft-Windows-AssignedAccessBroker/Operational
Microsoft-Windows-Audio/PlaybackManager
Microsoft-Windows-Authentication User Interface/Operational
Microsoft-Windows-BackgroundTaskInfrastructure/Operational
Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational
Microsoft-Windows-Base-Filtering-Engine-Connections/Operational
Microsoft-Windows-BitLocker/BitLocker Management
Microsoft-Windows-BitLocker/BitLocker Operational
Microsoft-Windows-Bits-Client/Analytic
Microsoft-Windows-BranchCache/Operational
Microsoft-Windows-BranchCacheSMB/Operational
Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational
Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational
Microsoft-Windows-CertPoleEng/Operational
Microsoft-Windows-CloudStorageWizard/Operational
Microsoft-Windows-CloudStore/Debug
Microsoft-Windows-CloudStore/Operational
Microsoft-Windows-Compat-Appraiser/Operational
Microsoft-Windows-CoreApplication/Operational
Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational
Microsoft-Windows-CorruptedFileRecovery-Client/Operational
Microsoft-Windows-DAL-Provider/Operational
Microsoft-Windows-DataIntegrityScan/Admin
Microsoft-Windows-DataIntegrityScan/CrashRecovery
Microsoft-Windows-DateTimeControlPanel/Operational
Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational
Microsoft-Windows-Devices-Background/Operational
Microsoft-Windows-DeviceSync/Operational
Microsoft-Windows-Dhcp-Client/Admin
Microsoft-Windows-Dhcp-Client/Operational
Microsoft-Windows-Dhcpv6-Client/Admin
Microsoft-Windows-Dhcpv6-Client/Operational
Microsoft-Windows-Diagnosis-PCW/Operational
Microsoft-Windows-Diagnosis-PLA/Operational
Microsoft-Windows-Diagnosis-Scheduled/Operational
Microsoft-Windows-Diagnosis-Scripted/Admin
Microsoft-Windows-Diagnosis-Scripted/Operational
Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational
Microsoft-Windows-Diagnostics-Networking/Operational
Microsoft-Windows-DiskDiagnosticResolver/Operational
Microsoft-Windows-DisplayColorCalibration/Operational
Microsoft-Windows-DNS-Client/Operational
Microsoft-Windows-DSC/Admin
Microsoft-Windows-DSC/Operational
Microsoft-Windows-EapHost/Operational
Microsoft-Windows-EapMethods-RasChap/Operational
Microsoft-Windows-EapMethods-RasTls/Operational
Microsoft-Windows-EapMethods-Sim/Operational
Microsoft-Windows-EapMethods-Ttls/Operational
Microsoft-Windows-EDP-Application-Learning/Admin
Microsoft-Windows-EDP-Audit-Regular/Admin
Microsoft-Windows-EDP-Audit-TCB/Admin
Microsoft-Windows-Energy-Estimation-Engine/EventLog
Microsoft-Windows-ESE/Operational
Microsoft-Windows-FeatureConfiguration/Operational
Microsoft-Windows-FileHistory-Core/WHC
Microsoft-Windows-Folder Redirection/Operational
Microsoft-Windows-Forwarding/Operational
Microsoft-Windows-GenericRoaming/Admin
Microsoft-Windows-glcnd/Admin
Microsoft-Windows-HelloForBusiness/Operational
Microsoft-Windows-HomeGroup Control Panel/Operational
Microsoft-Windows-HomeGroup Listener Service/Operational
Microsoft-Windows-HomeGroup Provider Service/Operational
Microsoft-Windows-HostGuardianClient-Service/Admin
Microsoft-Windows-HostGuardianClient-Service/Operational
Microsoft-Windows-HostGuardianService-CA/Admin
Microsoft-Windows-HostGuardianService-CA/Operational
Microsoft-Windows-HostGuardianService-Client/Admin
Microsoft-Windows-HostGuardianService-Client/Operational
Microsoft-Windows-HotspotAuth/Operational
Microsoft-Windows-HttpService/Log
Microsoft-Windows-HttpService/Trace
Microsoft-Windows-IdCtrls/Operational
Microsoft-Windows-International/Operational
Microsoft-Windows-International-RegionalOptionsControlPanel/Operational
Microsoft-Windows-Iphlpsvc/Operational
Microsoft-Windows-IPxlatCfg/Operational
Microsoft-Windows-Kernel-ApphelpCache/Operational
Microsoft-Windows-Known Folders API Service
Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational
Microsoft-Windows-MediaFoundation-Performance/SARStreamResource
Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational
Microsoft-Windows-Mobile-Broadband-Experience-SmsRouter/Admin
Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Admin
Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot
Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService
Microsoft-Windows-Mprddm/Operational
Microsoft-Windows-MSPaint/Admin
Microsoft-Windows-Ncasvc/Operational
Microsoft-Windows-NcdAutoSetup/Operational
Microsoft-Windows-NCSI/Operational
Microsoft-Windows-NDIS/Operational
Microsoft-Windows-NetworkLocationWizard/Operational
Microsoft-Windows-NetworkProfile/Operational
Microsoft-Windows-NetworkProvisioning/Operational
Microsoft-Windows-NlaSvc/Operational
Microsoft-Windows-OfflineFiles/Operational
Microsoft-Windows-OneBackup/Debug
Microsoft-Windows-OneX/Operational
Microsoft-Windows-OOBE-Machine-DUI/Operational
Microsoft-Windows-OtpCredentialProvider/Operational
Microsoft-Windows-PackageStateRoaming/Operational
Microsoft-Windows-PerceptionRuntime/Operational
Microsoft-Windows-PerceptionSensorDataService/Operational
Microsoft-WindowsPhone-Connectivity-WiFiConnSvc-Channel
Microsoft-Windows-PowerShell/Admin
Microsoft-Windows-PowerShell/Operational
Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational
Microsoft-Windows-PrintBRM/Admin
Microsoft-Windows-PrintService/Admin
Microsoft-Windows-PrintService/Operational
Microsoft-Windows-PriResources-Deployment/Operational
Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin
Microsoft-Windows-Provisioning-Diagnostics-Provider/AutoPilot
Microsoft-Windows-Provisioning-Diagnostics-Provider/ManagementService
Microsoft-Windows-Proximity-Common/Diagnostic
Microsoft-Windows-PushNotification-Platform/Admin
Microsoft-Windows-PushNotification-Platform/Operational
Microsoft-Windows-RasAgileVpn/Operational
Microsoft-Windows-ReadyBoost/Operational
Microsoft-Windows-Regsvr32/Operational
Microsoft-Windows-RemoteApp and Desktop Connections/Admin
Microsoft-Windows-RemoteApp and Desktop Connections/Operational
Microsoft-Windows-RemoteAssistance/Admin
Microsoft-Windows-RemoteAssistance/Operational
Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin
Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
Microsoft-Windows-RemoteDesktopServices-RemoteFX-Manager/Admin
Microsoft-Windows-RemoteDesktopServices-RemoteFX-Manager/Operational
Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational
Microsoft-Windows-Remotefs-Rdbss/Operational
Microsoft-Windows-Resource-Exhaustion-Resolver/Operational
Microsoft-Windows-RestartManager/Operational
Microsoft-Windows-RetailDemo/Admin
Microsoft-Windows-RetailDemo/Operational
Microsoft-Windows-RRAS/Operational
Microsoft-Windows-SearchUI/Operational
Microsoft-Windows-SecureAssessment/Operational
Microsoft-Windows-Security-Audit-Configuration-Client/Operational
Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational
Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational
Microsoft-Windows-Security-IdentityListener/Operational
Microsoft-Windows-Security-Mitigations/UserMode
Microsoft-Windows-SecurityMitigationsBroker/Admin
Microsoft-Windows-SecurityMitigationsBroker/Operational
Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational
Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter
Microsoft-Windows-SENSE/Operational
Microsoft-Windows-SenseIR/Operational
Microsoft-Windows-SettingSync/Debug
Microsoft-Windows-SettingSync/Operational
Microsoft-Windows-SettingSync-Azure/Debug
Microsoft-Windows-SettingSync-Azure/Operational
Microsoft-Windows-SettingSync-OneDrive/Debug
Microsoft-Windows-SettingSync-OneDrive/Operational
Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational
Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter
Microsoft-Windows-Shell-Core/ActionCenter
Microsoft-Windows-Shell-Core/AppDefaults
Microsoft-Windows-Shell-Core/LogonTasksChannel
Microsoft-Windows-Shell-Core/Operational
Microsoft-Windows-SmartCard-Audit/Authentication
Microsoft-Windows-SmartCard-DeviceEnum/Operational
Microsoft-Windows-SmartScreen/Debug
Microsoft-Windows-SMBWitnessClient/Admin
Microsoft-Windows-SMBWitnessClient/Informational
Microsoft-Windows-StateRepository/Operational
Microsoft-Windows-StorageManagement/Operational
Microsoft-Windows-StorageSpaces-ManagementAgent/WHC
Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic
Microsoft-Windows-StorageSpaces-SpaceManager/Operational
Microsoft-Windows-Storage-Tiering/Admin
Microsoft-Windows-Store/Operational
Microsoft-Windows-SystemSettingsThreshold/Operational
Microsoft-Windows-TaskScheduler/Maintenance
Microsoft-Windows-TaskScheduler/Operational
Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin
Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational
Microsoft-Windows-TerminalServices-LocalSessionManager/Admin
Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
Microsoft-Windows-TerminalServices-PnPDevices/Admin
Microsoft-Windows-TerminalServices-PnPDevices/Operational
Microsoft-Windows-TerminalServices-Printers/Admin
Microsoft-Windows-TerminalServices-Printers/Operational
Microsoft-Windows-TerminalServices-RDPClient/Operational
Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin
Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin
Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational
Microsoft-Windows-Time-Service/Operational
Microsoft-Windows-Time-Service-PTP-Provider/PTP-Operational
Microsoft-Windows-Troubleshooting-Recommended/Admin
Microsoft-Windows-Troubleshooting-Recommended/Operational
Microsoft-Windows-TWinUI/Operational
Microsoft-Windows-TZSync/Operational
Microsoft-Windows-TZUtil/Operational
Microsoft-Windows-UAC/Operational
Microsoft-Windows-UniversalTelemetryClient/Operational
Microsoft-Windows-User Control Panel/Operational
Microsoft-Windows-User Device Registration/Admin
Microsoft-Windows-User Profile Service/Operational
Microsoft-Windows-User-Loader/Operational
Microsoft-Windows-UserPnp/ActionCenter
Microsoft-Windows-UserPnp/DeviceInstall
Microsoft-Windows-VerifyHardwareSecurity/Admin
Microsoft-Windows-VerifyHardwareSecurity/Operational
Microsoft-Windows-VPN-Client/Operational
Microsoft-Windows-Wcmsvc/Operational
Microsoft-Windows-WDAG-PolicyEvaluator-CSP/Operational
Microsoft-Windows-WDAG-PolicyEvaluator-GP/Operational
Microsoft-Windows-WDAG-Service/Operational
Microsoft-Windows-WebAuth/Operational
Microsoft-Windows-WebAuthN/Operational
Microsoft-Windows-WebIO-NDF/Diagnostic
Microsoft-Windows-WEPHOSTSVC/Operational
Microsoft-Windows-WER-PayloadHealth/Operational
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
Microsoft-Windows-Windows Firewall With Advanced Security/FirewallDiagnostics
Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose
Microsoft-Windows-WindowsColorSystem/Operational
Microsoft-Windows-WindowsSystemAssessmentTool/Operational
Microsoft-Windows-WindowsUIImmersive/Operational
Microsoft-Windows-WinHTTP-NDF/Diagnostic
Microsoft-Windows-WinINet-Capture/Analytic
Microsoft-Windows-WinINet-Config/ProxyConfigChanged
Microsoft-Windows-Winlogon/Operational
Microsoft-Windows-WinRM/Operational
Microsoft-Windows-Winsock-NameResolution/Operational
Microsoft-Windows-Wired-AutoConfig/Operational
Microsoft-Windows-WLAN-AutoConfig/Operational
Microsoft-Windows-WMI-Activity/Operational
Microsoft-Windows-WMPNSS-Service/Operational
Microsoft-Windows-Wordpad/Admin
Microsoft-Windows-WorkFolders/Operational
Microsoft-Windows-WorkFolders/WHC
Microsoft-Windows-Workplace Join/Admin
Microsoft-Windows-WWAN-SVC-Events/Operational
OpenSSH/Admin
OpenSSH/Operational
RemoteDesktopServices-RemoteFX-SessionLicensing-Admin
RemoteDesktopServices-RemoteFX-SessionLicensing-Operational
Setup
SMSApi
Windows PowerShell

Appendix B: SACL Audit Messages Supported by Securable Objects

I mentioned above that the strings contained in msobjs.dll can provide valuable insight into which securable objects support SACL auditing. I extracted all the supported messages and grouped them by securable object in the list below. Hopefully this inspires you to apply targeted SACLs in your environment as a way of supplementing your overall detection posture.

ALPC Port:

Communicate using port

Channel:

Channel read message
Channel write message
Channel query information
Channel set information

Desktop:

Read Objects
Create window
Create menu
Hook control
Journal (record)
Journal (playback)
Include this desktop in enumerations
Write objects
Switch to this desktop

Device:

Device Access Bit 0
Device Access Bit 1
Device Access Bit 2
Device Access Bit 3
Device Access Bit 4
Device Access Bit 5
Device Access Bit 6
Device Access Bit 7
Device Access Bit 8

Directory:

Query directory
Traverse
Create object in directory
Create sub-directory

Event:

Query event state
Modify event state

File, MailSlot, and NamedPipe:

ReadData (or ListDirectory)
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
ReadEA
WriteEA
Execute/Traverse
DeleteChild
ReadAttributes
WriteAttributes

IoCompletion:

Query State
Modify State

Job:

Assign process
Set Attributes
Query Attributes
Terminate Job
Set Security Attributes

Key:

Query key value
Set key value
Create sub-key
Enumerate sub-keys
Notify about changes to keys
Create Link
Undefined Access (no effect) Bit 6
Undefined Access (no effect) Bit 7
Enable 64(or 32) bit application to open 64 bit key
Enable 64(or 32) bit application to open 32 bit key

KeyedEvent:

KeyedEvent Wait
KeyedEvent Wake

Mutant:

Query mutant state

Port and WaitablePort:

Communicate using port

Process:

Force process termination
Create new thread in process
Set process session ID
Perform virtual memory operation
Read from process memory
Write to process memory
Duplicate handle into or out of process
Create a subprocess of process
Set process quotas
Set process information
Query process information
Set process termination port

Profile:

Control profile

Section:

Query section state
Map section for write
Map section for read
Map section for execute
Extend size

Semaphore:

Query semaphore state
Modify semaphore state

SymbolicLink:

Use symbolic link

Thread:

Force thread termination
Suspend or resume thread
Send an alert to thread
Get thread context
Set thread context
Set thread information
Query thread information
Assign a token to the thread
Cause thread to directly impersonate another thread
Directly impersonate this thread

Timer:

Query timer state
Modify timer state

Token:

AssignAsPrimary
Duplicate
Impersonate
Query
QuerySource
AdjustPrivileges
AdjustGroups
AdjustDefaultDacl
AdjustSessionID

Type:

Create instance of object type

WindowStation:

Enumerate desktops
Read attributes
Access Clipboard
Create desktop
Write attributes
Access global atoms
Exit windows
Unused Access Flag
Include this windowstation in enumerations
Read screen

WMI Namespace:

Enable WMI Account
Execute Method
Full Write
Partial Write
Provider Write
Remote Access
Subscribe
Publish
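To act on the suggestion in Appendix B, here is an added PowerShell example (not code from the original post) that places a targeted SACL on the registry key holding the Security event log's configuration, so that attempts to write values such as CustomSD under it are audited with the "Set key value" and "Create sub-key" access strings listed above. The key path, the use of the Everyone SID, and the audit-policy prerequisite are assumptions.

```powershell
# Added example, not from the original post. Audits writes to the registry key
# that holds the Security event log's configuration (where CustomSD lives).
# Assumptions: the key path below; an elevated session (writing a SACL needs
# SeSecurityPrivilege); and the "Audit Registry" subcategory enabled, otherwise
# no 4656/4663/4657 events will be produced for the ACE added here.
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'

# Rights whose msobjs.dll audit strings appear under "Key" in Appendix B:
# "Set key value" and "Create sub-key".
$rights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
          [System.Security.AccessControl.RegistryRights]::CreateSubKey

# Audit every principal (Everyone, S-1-1-0) on both success and failure.
$everyone  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$auditBoth = [System.Security.AccessControl.AuditFlags]::Success -bor
             [System.Security.AccessControl.AuditFlags]::Failure

# Audit ACE scoped to this key only (no inheritance to sub-keys).
$auditRule = New-Object System.Security.AccessControl.RegistryAuditRule(
    $everyone, $rights,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    $auditBoth)

# -Audit makes Get-Acl read the SACL as well as the DACL; without it the
# existing SACL would not be part of the object written back by Set-Acl.
$acl = Get-Acl -Path $keyPath -Audit
$acl.AddAuditRule($auditRule)
Set-Acl -Path $keyPath -AclObject $acl

# Verify: list the explicit audit rules now present on the key.
(Get-Acl -Path $keyPath -Audit).GetAuditRules($true, $false,
    [System.Security.Principal.SecurityIdentifier]) |
    Select-Object IdentityReference, RegistryRights, AuditFlags
```

After the ACE is in place, a write to the key shows up in the Security log with the access strings from the "Key" section above, which is the signal to alert on.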