https://docs.microsoft.com/ko-kr/windows/security/threat-protection/auditing/event-4672
https://docs.microsoft.com/ko-kr/system-center/scom/enable-service-logon?view=sc-om-2022
secpol.msc
gpedit.msc
https://docs.microsoft.com/ko-kr/windows/security/identity-protection/access-control/security-identifiers
https://docs.microsoft.com/ko-kr/windows/security/threat-protection/security-policy-settings/log-on-as-a-service
https://cafe.daum.net/candan/AurF/106
SeServiceLogonRight
SeServiceLogonRight = *S-1-5-80-0
echo Original: all services allowed
SeServiceLogonRight = *S-1-5-20
echo Modified: restrict to Network Service
echo Export
md d:\secedit
secedit /export /cfg d:\secedit\cfg.ini > nul
tar -cvzf secedit.zip d:\secedit
echo Compress as a backup, just in case
notepad d:\secedit\cfg.ini
echo Edit
echo Apply
secedit /configure /db test.sdb /cfg d:\secedit\cfg.ini
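The export / back up / edit / apply steps above as one PowerShell script, added here as an example (it is not the original post's batch, and the -Apply switch, the backup file name and the SID-to-name listing are my own additions). It assumes an elevated prompt and the D:\secedit folder used above. The /areas USER_RIGHTS flag is real secedit syntax and limits both the export and the configure to user-rights assignments, so the rest of the exported template (password, audit, registry settings) is not re-applied by accident.

```powershell
# Added example (not from the original post): list who holds the
# "Log on as a service" right (SeServiceLogonRight), back the export up,
# and only with -Apply rewrite it to Network Service (S-1-5-20) as the
# post's "modified" line does. Run from an elevated PowerShell.
param([switch]$Apply)

$workDir = 'D:\secedit'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$cfg = Join-Path $workDir 'cfg.ini'

# Export only the user-rights area so /configure later cannot re-apply
# unrelated settings that happen to be in the same template.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Keep a timestamped copy before editing anything (the post zips the folder).
Copy-Item $cfg (Join-Path $workDir ("cfg-backup-{0:yyyyMMdd-HHmmss}.ini" -f (Get-Date)))

# Find the SeServiceLogonRight line; the right may be absent if nobody holds it.
$line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' } | Select-Object -First 1
if (-not $line) { throw "SeServiceLogonRight not present in $cfg" }

# Entries look like *S-1-5-80-0,*S-1-5-20 ; strip the leading * and resolve each SID.
$sids = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
foreach ($sid in $sids) {
    try {
        $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value
    } catch { $name = '(unresolvable)' }
    Write-Output ("{0,-25} {1}" -f $sid, $name)
}

if ($Apply) {
    # secedit writes the export as Unicode; keep that encoding when saving.
    (Get-Content $cfg) -replace '^SeServiceLogonRight\s*=.*', 'SeServiceLogonRight = *S-1-5-20' |
        Set-Content $cfg -Encoding Unicode
    secedit /configure /db (Join-Path $workDir 'test.sdb') /cfg $cfg /areas USER_RIGHTS
}
```

Run it without arguments first to see the current holders (S-1-5-80-0 resolves to NT SERVICE\ALL SERVICES), then with -Apply to restrict. Any service configured to run under a specific account or a virtual account needs this right, so check the service list before removing ALL SERVICES; the backup file is what you re-import with /configure if something stops starting.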
https://superuser.com/questions/1574474/how-to-tell-which-service-or-task-caused-a-certain-4624-logon-event
S-1-5-17 default IIS user
S-1-5-32-568 IIS group Builtin\IIS_IUSRS
echo Advapi suspected of hacking; if "*S-1-0-0" is registered, fingerprint recognition stops working
icacls "%windir%\System32\services.exe"
takeown /F "%windir%\System32\services.exe" /A
icacls "%windir%\System32\services.exe" /grant Administrators:F
icacls "%windir%\System32\services.exe" /setintegritylevel H
icacls "%windir%\System32\services.exe" /deny "*S-1-5-32-568:F" "*S-1-5-17:F" "Guest:F" "*S-1-5-32-546:F" "*S-1-5-7:F"
icacls "%windir%\System32\services.exe" /setowner "NT SERVICE\TrustedInstaller"
icacls "%windir%\System32\services.exe" /grant:r Administrators:RX
icacls "%windir%\System32\services.exe"
echo Remove what was registered
takeown /F "%windir%\System32\services.exe" /A
icacls "%windir%\System32\services.exe" /grant Administrators:F
icacls "%windir%\System32\services.exe" /remove "*S-1-5-32-568" "*S-1-5-17" "Guest" "*S-1-5-32-546" "*S-1-5-7"
icacls "%windir%\System32\services.exe" /setowner "NT SERVICE\TrustedInstaller"
icacls "%windir%\System32\services.exe" /grant:r Administrators:RX
icacls "%windir%\System32\services.exe"
First comment: they say to use S-1-5-20 Network Service, that it can be minimized.
They say S-1-2-0 local accounts could be compromised.
https://social.technet.microsoft.com/Forums/en-US/11eea587-d0e7-4bbf-8caa-074c0dcdacc4/who-is-logging-in-my-computer?forum=win10itprogeneral They say it's normal. Phew.. what a relief.
In conclusion, that event showing up is itself normal. Roughly that.
https://cronauthority.com/ko/microsoft-%EC%9D%B4%EB%B2%A4%ED%8A%B8-id-529%EC%97%90-%EB%8C%80%ED%95%9C-%EC%86%94%EB%A3%A8%EC%85%98/
https://min-12.tistory.com/37
advapi32.dll
echo Advapi suspected of hacking; if "*S-1-0-0" is registered, fingerprint recognition stops working; "*S-1-5-7" is Anonymous
icacls "%windir%\System32\advapi32.dll"
takeown /F "%windir%\System32\advapi32.dll" /A
icacls "%windir%\System32\advapi32.dll" /grant Administrators:F
icacls "%windir%\System32\advapi32.dll" /setintegritylevel L
icacls "%windir%\System32\advapi32.dll" /deny "*S-1-5-32-568:F" "*S-1-5-17:F" "Guest:F" "*S-1-5-32-546:F" "*S-1-5-2:F" "*S-1-0-0:F" "*S-1-5-7:F"
icacls "%windir%\System32\advapi32.dll" /setowner "NT SERVICE\TrustedInstaller"
icacls "%windir%\System32\advapi32.dll" /grant:r Administrators:RX
icacls "%windir%\System32\adva
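Both icacls sequences above (services.exe, then advapi32.dll) change owner, DACL and integrity label on a core system binary, and the "remove what was registered" block shows the author wants a way back. Added example, not the post's own commands: snapshot the file's ACL and owner before running either sequence, and afterwards verify that a restore brings the file back to exactly what it was. It assumes an elevated prompt and a D:\secedit\acl folder of my choosing; $target is whichever file you are about to change.

```powershell
# Added example (not from the original post): save a system file's ACL with
# icacls /save before hardening it, restore with icacls /restore afterwards,
# and compare the security descriptors to prove the restore was exact.
$target  = Join-Path $env:windir 'System32\services.exe'   # or System32\advapi32.dll
$snapDir = 'D:\secedit\acl'
New-Item -ItemType Directory -Path $snapDir -Force | Out-Null
$aclFile = Join-Path $snapDir ((Split-Path $target -Leaf) + '.acl')

# Record the full descriptor (owner, group, DACL, label) for later comparison,
# and the DACL in icacls's own format so /restore can apply it verbatim.
$before = Get-Acl $target
icacls $target /save $aclFile /c | Out-Null

# ... run the post's takeown / icacls hardening commands against $target here ...

# /restore is given the directory, not the file, and reads the file name from
# the .acl file. It does not put the owner back, so do that explicitly.
icacls (Split-Path $target) /restore $aclFile /c | Out-Null
icacls $target /setowner $before.Owner | Out-Null

$after = Get-Acl $target
if ($before.Sddl -eq $after.Sddl) {
    Write-Output "ACL restored exactly for $target"
} else {
    Write-Output "ACL differs for $target"
    Write-Output "before: $($before.Sddl)"
    Write-Output "after:  $($after.Sddl)"
}
```

Keep the .acl file with the cfg.ini backup from the secedit step; if the SDDL comparison reports a difference, the "after" string shows which ACE or label was left behind, which is far easier than reconstructing the default permissions of a Windows binary by hand.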
http://lab.gamecodi.com/board/zboard.php?id=GAMECODILAB_QnA_etc&no=4884
https://answers.microsoft.com/ko-kr/windows/forum/all/%ED%8A%B9%EC%88%98%EB%A1%9C%EA%B7%B8%EC%98%A8/6e4d9c48-ba4a-4ed4-98d8-3b71edc8b684
SeAssignPrimaryTokenPrivilege: they say to manage this, and to change the password
https://docs.microsoft.com/ko-kr/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token
Replace a process level token
Special privileges assigned to new logon.
https://blog.netwrix.com/2021/11/30/how-to-detect-pass-the-hash-attacks/
https://blog.palantir.com/windows-privilege-abuse-auditing-detection-and-defense-3078a403d74e?gi=fa7e95dd59b2
whoami /priv
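whoami /priv shows the privileges of the current token; event 4672 ("Special privileges assigned to new logon") records the same kind of list for every logon that received one of them, and the linked superuser thread and the pass-the-hash / privilege-abuse articles all come down to the same triage: which account, through which logon process, from where. Added example (not from the original post or the linked articles): a PowerShell script that reads recent 4672 events, pairs each with its 4624 logon by logon ID, and prints a table suitable for deciding whether an entry is the normal service logon the comments describe or something to look at. It assumes an elevated prompt (the Security log is not readable otherwise); the 24-hour window and the exclusion of the SYSTEM, LOCAL SERVICE and NETWORK SERVICE SIDs are choices for this example.

```powershell
# Added example (not from the original post): summarise 4672 events and join
# them to their 4624 logon so privileged logons can be reviewed per account,
# logon type, logon process and source address.
$Hours = 24
$since = (Get-Date).AddHours(-$Hours)
$ignoreSids = @('S-1-5-18', 'S-1-5-19', 'S-1-5-20')   # SYSTEM, LOCAL SERVICE, NETWORK SERVICE

function Get-EventDataMap($evt) {
    # Turn the <Data Name="..."> elements of the event XML into a hashtable,
    # which is more robust than relying on positional Properties[] indexes.
    $map = @{}
    ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $map[$_.Name] = $_.'#text' }
    return $map
}

# Index successful logons (4624) by TargetLogonId; 4672 reports that same
# value as SubjectLogonId, which is the join key.
$logons = @{}
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventDataMap $_
        if ($d.TargetLogonId) { $logons[$d.TargetLogonId] = $d }
    }

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventDataMap $_
        if ($ignoreSids -contains $d.SubjectUserSid) { return }   # skip the built-in service identities
        $l = if ($d.SubjectLogonId) { $logons[$d.SubjectLogonId] } else { $null }
        $logonType = '?'; $logonProc = '?'; $source = '?'
        if ($l) { $logonType = $l.LogonType; $logonProc = $l.LogonProcessName; $source = $l.IpAddress }
        [pscustomobject]@{
            Time         = $_.TimeCreated
            Account      = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            LogonId      = $d.SubjectLogonId
            LogonType    = $logonType
            LogonProcess = $logonProc          # "Advapi" here is the LogonUser API path used by service and scheduled-task logons
            Source       = $source
            Privileges   = ($d.PrivilegeList -split '\s+' | Where-Object { $_ }) -join ','
        }
    } | Sort-Object Time -Descending | Format-Table -AutoSize
```

Read the table against a baseline of what the machine normally shows: an interactive admin logon (type 2 or 10) with SeDebugPrivilege and SeAssignPrimaryTokenPrivilege from an unexpected source address is the row worth pulling the surrounding 4624/4688 events for, while a type 5 logon through Advapi for a known service account is the routine case the comments above call normal.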