4625 해킹 이벤트 발생 할때 netstat 하기 작업 스케줄러 이벤트뷰어 txt

set CURRENT_USER=%USERNAME% schtasks /create /sc ONEVENT /tn "이벤트_뷰어_작업" /tr "%windir%\System32\cmd.exe /c netstat -anob > d:\txt2.txt && exit" /rl HIGHEST /ru "%CURRENT_USER%" /f /ec Security /mo "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4625]]"<hr data-ke-style="style3">REM 계속 추가하기 왼만 하면 이걸 쓰세요.set CURRENT_USER=%USERNAME% schtasks /create /sc ONEVENT /tn "이벤트_뷰어_작업" /tr "%windir%\System32\cmd.exe /c netstat -anob >> d:\txt2.txt && exit" /rl HIGHEST /ru "%CURRENT_USER%" /f /ec Security /mo "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4625]]" <hr data-ke-style="style3">REM 더욱 완성작 현재 시간 넣기set CURRENT_USER=%USERNAME% schtasks /create /sc ONEVENT /tn "이벤트_뷰어_작업" /tr "%windir%\System32\cmd.exe /c netstat -anob >> d:\txt2.txt && time /t >> d:\txt2.txt && exit" /rl HIGHEST /ru "%CURRENT_USER%" /f /ec Security /mo "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4625]]"<hr data-ke-style="style3">REM 여기서 부터 보세요 날짜 시간 포함 하기set CURRENT_USER=%USERNAME% schtasks /create /sc ONEVENT /tn "이벤트_뷰어_작업" /tr "%windir%\System32\cmd.exe /c netstat -anob >> d:\txt2.txt && date /t >> d:\txt2.txt && time /t >> d:\txt2.txt && exit" /rl HIGHEST /ru "%CURRENT_USER%" /f /ec Security /mo "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4625]]" <a href="https://youtu.be/-HQzI1T9toQ" target="_blank" class="ke-link">https://youtu.be/-HQzI1T9toQ</a><div class="figure-video" data-ke-type="video" data-video-url="https://www.youtube.com/watch?v=-HQzI1T9toQ" data-video-host="youtube" data-video-play-service="daum_cafe" data-video-width="851" data-video-height="479" data-ke-style="alignCenter" data-video-thumbnail="https://scrap.kakaocdn.net/dn/RAybc/hySWqFoSfu/yX7Zz5nFmXKK4TaUkODli1/img.jpg?width=1280&height=720&face=0_0_1280_720" data-ke-mobile-mobileStyle="widthContent" data-video-origin-width="851" data-video-origin-height="479"><iframe src="https://www.youtube.com/embed/-HQzI1T9toQ" width="851" height="479" frameborder="0" scrolling="no" allowfullscreen=""></iframe><div class="figcaption"></div></div>  REM 초 단위 추가 하기schtasks /Create /SC ONEVENT /TN "EventLogTask" /TR "powershell.exe -Command Add-Content -Path 'D:\txt2.txt' -Value (Get-Date)" /EC Security /MO "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4625]]" REM "위치 알아서 찾아서 등록 해주기 이게 더 정확 하다 <a href="https://cafe.daum.net/candan/GGFN/512" target="_blank" class="ke-link">https://cafe.daum.net/candan/GGFN/512</a>" for /f "delims=" %a in ('dir /a-d /b /o /s "%SystemRoot%\System32\WindowsPowerShell\powershell.exe"') do (schtasks /Create /SC ONEVENT /TN "해킹 차단" /TR ""%a" -Command Add-Content -Path 'D:\txt2.txt' -Value (Get-Date)" /EC Security /MO "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4625]]" /f )  <hr data-ke-style="style3">REM "여기 부터 보세요 2 결론 이걸 사용 하면 된다"REM "4625 감사실패시에 이벤트 d:\txt2.txt 에 기록 하기" set CURRENT_USER=%USERNAME% schtasks /create /sc ONEVENT /tn "해킹 차단1" /tr "%windir%\System32\cmd.exe /c netstat -anob >> d:\txt2.txt && date /t >> d:\txt2.txt && time /t >> d:\txt2.txt && exit" /rl HIGHEST /ru "%CURRENT_USER%" /f /ec Security /mo "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4625]]" REM "같은 조건으로 초 단위 까지 기록 하기" for /f "delims=" %a in ('dir /a-d /b /o /s "%SystemRoot%\System32\WindowsPowerShell\powershell.exe"') do (schtasks /Create /SC ONEVENT /TN "해킹 차단2" /TR ""%a" -Command Add-Content -Path 'D:\txt2.txt' -Value (Get-Date)" /EC Security /MO "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4625]]" /f )  <a href="https://youtu.be/Lr_H-Or4UYI" target="_blank" class="ke-link">https://youtu.be/Lr_H-Or4UYI</a><hr data-ke-style="style3">REM 삭제의 경우 <a href="https://cafe.daum.net/candan/ASdB/429" target="_blank" class="ke-link">https://cafe.daum.net/candan/ASdB/429</a> 기타 감사 등록 schtasks /delete /tn "이벤트_뷰어_작업" /fschtasks /delete /tn "해킹 차단1" /fschtasks /delete /tn "해킹 차단2" /f <hr data-ke-style="style3"> schtasks /create /sc ONEVENT /tn "이벤트_뷰어_작업" /tr "%windir%\System32\cmd.exe /c netstat -anob > d:\txt2.txt" /rl HIGHEST /ru "PC\i홍길동" /f /ec Security /mo "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4625]]" echo %USERDOMAIN%\%USERNAME%이렇게 하면 PC 이름도 나온다 <hr data-ke-style="style3">네, 해당 스크립트를 실행하면 4625 감사실패 이벤트가 발생할 때마다 자동으로 `netstat -anob`의 결과가 `d:\txt.txt`로 저장됩니다.  아래는 수정한 스크립트입니다: ```shell set CURRENT_USER=%USERDOMAIN%\%USERNAME% schtasks /create /sc ONEVENT /tn "이벤트_뷰어_작업" /tr "%windir%\System32\cmd.exe /c netstat -anob > d:\txt.txt" /rl HIGHEST /ru "%CURRENT_USER%" /f /ec Security /mo "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4625]]" ``` 위 스크립트를 실행하면 이벤트 4625 감사실패가 발생할 때마다 `netstat -anob` 명령의 결과가 `d:\txt.txt`로 저장됩니다. 사용자 이름은 "PC\i홍길동"와 같은 형식으로 출력되며, 사용자 이름과 호스트 이름이 함께 저장됩니다.<hr data-ke-style="style3"><div class="figure-file" data-ke-type="file" data-file-src="https://t1.daumcdn.net/cafeattach/1HRzv/e0255d2bc2c1d718e2474bb9aa42901040d49fe6?download" data-file-name="11.txt" data-file-size="1957" data-mimetype="text/plain" data-ke-align="alignCenter"><a href="javascript:checkVirus('grpid%3D1HRzv%26fldid%3DBLQD%26dataid%3D112%26fileid%3D1%26regdt%3D20230611124911&url=https%3A%2F%2Ft1.daumcdn.net%2Fcafeattach%2F1HRzv%2Fe0255d2bc2c1d718e2474bb9aa42901040d49fe6')"><div class="image"></div><div class="desc"><div class="filename">11.txt</div><div class="size">1.91KB</div></div></a></div>현재 날짜 시간을 넣고 싶었는대 불가능 한가 보내요 ㅠ<a href="https://cafe.daum.net/candan/GGFN/511" target="_blank" class="ke-link">https://cafe.daum.net/candan/GGFN/511</a>            <a href="https://www.igloo.co.kr/security-information/%EC%9B%90%EA%B2%A9-%EB%8D%B0%EC%8A%A4%ED%81%AC%ED%86%B1rdp-%EC%95%85%EC%9A%A9-%EC%B9%A8%ED%95%B4%EC%82%AC%EA%B3%A0-%EC%9D%B4%EB%B2%A4%ED%8A%B8-%EB%A1%9C%EA%B7%B8-%EB%B6%84%EC%84%9D/" target="_blank" class="ke-link">https://www.igloo.co.kr/security-information/%EC%9B%90%EA%B2%A9-%EB%8D%B0%EC%8A%A4%ED%81%AC%ED%86%B1rdp-%EC%95%85%EC%9A%A9-%EC%B9%A8%ED%95%B4%EC%82%AC%EA%B3%A0-%EC%9D%B4%EB%B2%A4%ED%8A%B8-%EB%A1%9C%EA%B7%B8-%EB%B6%84%EC%84%9D/</a>로그인 공격 받을 경우 로그 분석