https://cafe.daum.net/candan/GGFN/509 설명
https://cafe.daum.net/candan/BLQD/111 권한 차단
https://cafe.daum.net/candan/Lrrk/20 순서
REM Block wlrmdr.exe and PickerHost.exe in both directions, on every profile (domain,
REM private, public). Each rule matches on the program path only, so it applies to the
REM binary at that exact location. The rule names say "and Log", but "add rule" has no
REM logging option: whether a DROP is written to the firewall log is a per-profile setting
REM ("netsh advfirewall set allprofiles logging droppedconnections enable"), not a rule
REM property. netsh does not de-duplicate rules by name, so re-running these lines adds a
REM second copy of each rule rather than updating the first
REM ("netsh advfirewall firewall show rule name=..." lists every copy).
netsh advfirewall firewall add rule name="Block and Log wlrmdr.exe (Inbound)" dir=in program="%SystemRoot%\system32\wlrmdr.exe" action=block enable=yes profile=any
netsh advfirewall firewall add rule name="Block and Log wlrmdr.exe (Outbound)" dir=out program="%SystemRoot%\system32\wlrmdr.exe" action=block enable=yes profile=any
netsh advfirewall firewall add rule name="Block and Log PickerHost.exe (Inbound)" dir=in program="%SystemRoot%\system32\PickerHost.exe" action=block enable=yes profile=any
netsh advfirewall firewall add rule name="Block and Log PickerHost.exe (Outbound)" dir=out program="%SystemRoot%\system32\PickerHost.exe" action=block enable=yes profile=any
REM net user: set the account country code https://cafe.daum.net/candan/Lrrk/21
REM /countrycode:82 (82 = Korea) selects the language of the account's help and error
REM messages; it does not change logon rights, group membership or passwords. The four
REM names above the last line are built-in local accounts; "홍길동" is presumably a
REM placeholder for the real user name — replace it before running. A "net user" line for
REM an account that does not exist only prints an error; batch does not stop on a failed
REM command, so the remaining lines still run.
net user Administrator /countrycode:82
net user DefaultAccount /countrycode:82
net user Guest /countrycode:82
net user WDAGUtilityAccount /countrycode:82
net user "홍길동" /countrycode:82
REM "https://cafe.daum.net/candan/BLQD/112"
REM "When a hacking attempt occurs, record the IP at that moment"
REM (history, kept commented out) first version: on each 4625 event, dump netstat to d:\txt2.txt
REM set CURRENT_USER=%USERNAME%
REM schtasks /create /sc ONEVENT /tn "해킹 시도 IP 찾아 보기 이벤트_뷰어_작업" /tr "%windir%\System32\cmd.exe /c netstat -anob >> d:\txt2.txt && exit" /rl HIGHEST /ru "%CURRENT_USER%" /f /ec Security /mo "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4625]]"
REM To delete:
REM NOTE(review): the task name in the delete line below reads "기도" while the create line
REM above uses "시도"; as written, this delete would not match the task created above.
REM schtasks /delete /tn "해킹 기도 IP 찾아 보기 이벤트_뷰어_작업" /f
REM "Same as the first version, with the date and time appended to the record"
REM set CURRENT_USER=%USERNAME%
REM schtasks /create /sc ONEVENT /tn "해킹 시도 IP 찾아 보기 이벤트_뷰어_작업" /tr "%windir%\System32\cmd.exe /c netstat -anob >> d:\txt2.txt && date /t >> d:\txt2.txt && time /t >> d:\txt2.txt && exit" /rl HIGHEST /ru "%CURRENT_USER%" /f /ec Security /mo "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4625]]"
REM To delete (same name mismatch as above):
REM schtasks /delete /tn "해킹 기도 IP 찾아 보기 이벤트_뷰어_작업" /f
REM "https://cafe.daum.net/candan/BLQD/112"
REM "On Security audit-failure event 4625, record to d:\txt2.txt"
REM Active version (task "해킹 차단1"). Trigger: Security log, provider
REM Microsoft-Windows-Security-Auditing, EventID 4625 (failed logon). Action: append the
REM output of "netstat -anob" (-b needs elevation, hence /rl HIGHEST) plus the date and time
REM to d:\txt2.txt, running as the user who created the task. Points to be aware of:
REM  - d:\txt2.txt is a fixed path; if drive D: does not exist the task still fires but
REM    records nothing, and the file grows without bound — rotate or trim it.
REM  - /ru is given without /rp; schtasks may prompt for the password when this runs
REM    interactively — confirm the behaviour in the way you actually deploy it.
REM  - The 4625 event's own EventData already carries the source address (IpAddress) and
REM    workstation name; a netstat taken after the event may no longer show that connection.
REM    NOTE(review): appending the event itself (e.g. "wevtutil qe Security" with the same
REM    XPath filter and /c:1 /rd:true /f:text) would record the address directly — the
REM    nested quoting inside /tr needs to be verified before relying on it.
set CURRENT_USER=%USERNAME%
schtasks /create /sc ONEVENT /tn "해킹 차단1" /tr "%windir%\System32\cmd.exe /c netstat -anob >> d:\txt2.txt && date /t >> d:\txt2.txt && time /t >> d:\txt2.txt && exit" /rl HIGHEST /ru "%CURRENT_USER%" /f /ec Security /mo "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4625]]"
REM "Same trigger, but record the time down to the second"
REM Second task ("해킹 차단2"): locate powershell.exe with "dir /s" and create a task that
REM appends Get-Date to D:\txt2.txt on the same 4625 trigger.
REM NOTE(review): the loop variable is written %a, which is valid at an interactive cmd
REM prompt; inside a .bat/.cmd file it must be doubled (%%a). Unlike task 1 this line has
REM no /rl or /ru, so the task runs with the creating user's default privilege. The nested
REM quotes around %a in /TR are left as given — check the stored command with
REM "schtasks /query /tn "해킹 차단2" /v" before relying on it.
for /f "delims=" %a in ('dir /a-d /b /o /s "%SystemRoot%\System32\WindowsPowerShell\powershell.exe"') do (schtasks /Create /SC ONEVENT /TN "해킹 차단2" /TR ""%a" -Command Add-Content -Path 'D:\txt2.txt' -Value (Get-Date)" /EC Security /MO "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4625]]" /f )
REM To remove both tasks:
REM schtasks /delete /tn "해킹 차단1" /f
REM schtasks /delete /tn "해킹 차단2" /f
첫댓글에서 ip 알려준 방법
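REM "log=" is not a parameter of "netsh advfirewall firewall add rule", so the two lines
REM suggested in the comment (the wlrmdr.exe block rules with "log=yes" appended) are
REM rejected by netsh and create nothing; the block rules themselves already exist from the
REM top of this script, so they are not re-added here (netsh would add duplicate copies).
REM Per-rule logging does not exist in Windows Firewall: logging of dropped connections is
REM a per-profile setting, enabled for all profiles below. Each DROP is then written with
REM its source and destination address to the firewall log file, by default
REM %SystemRoot%\system32\LogFiles\Firewall\pfirewall.log.
netsh advfirewall set allprofiles logging droppedconnections enable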
한데 log는 안된다