https://blueteamblog.com/18-ways-to-detect-malcious-actions-in-your-active-directory-logs-using-siem
SeDenyNetworkLogonRight = Guest,*S-1-5-32-546,*S-1-5-96-0-1,*S-1-0-0,*S-1-5-18,*S-1-5-96-0-0
SeDenyInteractiveLogonRight = Guest,*S-1-5-32-546,*S-1-5-96-0-1,*S-1-0-0,*S-1-5-18,*S-1-5-96-0-0
SeDenyBatchLogonRight = Guest,*S-1-5-32-546,*S-1-5-96-0-1,*S-1-0-0,*S-1-5-18,*S-1-5-96-0-0
SeDenyServiceLogonRight = Guest,*S-1-5-32-546,*S-1-5-96-0-1,*S-1-0-0,*S-1-5-18,*S-1-5-96-0-0
SeDenyRemoteInteractiveLogonRight = Guest,*S-1-5-32-546,*S-1-5-96-0-1,*S-1-0-0,*S-1-5-18,*S-1-5-96-0-0
I try to block as much as possible, but it cannot be blocked.
They say it is normal for font-related things, but once this one appears, an unknown user credential comes back to life.
SeDenyNetworkLogonRight = Guest,*S-1-5-32-546,*S-1-0-0,*S-1-5-7
SeDenyInteractiveLogonRight = Guest,*S-1-5-32-546,*S-1-0-0,*S-1-5-7
SeDenyBatchLogonRight = Guest,*S-1-5-32-546,*S-1-0-0,*S-1-5-7
SeDenyServiceLogonRight = Guest,*S-1-5-32-546,*S-1-0-0,*S-1-5-7
SeDenyRemoteInteractiveLogonRight = Guest,*S-1-5-32-546,*S-1-0-0,*S-1-5-7
The one above seems excessive.
*S-1-5-7 Anonymous
First comment: Since it is experimental
https://github.com/defendthehoneypot/Server-GPOs/blob/master/Server%20Computer%20Security%20v1.0/%7B3E18C7F8-B3E3-4866-BBDC-F56F4F93A60C%7D/DomainSysvol/GPO/Machine/microsoft/windows%20nt/SecEdit/GptTmpl.inf
SeDenyNetworkLogonRight = Enterprise Admins,Domain Admins,DenyNetworkAccess
SeDenyBatchLogonRight = *S-1-5-32-546,Enterprise Admins,Domain Admins
SeDenyServiceLogonRight = Enterprise Admins,Domain Admins
SeDenyInteractiveLogonRight = *S-1-5-32-546,Enterprise Admins,Domain Admins
SeDenyRemoteInteractiveLogonRight = *S-1-5-113,*S-1-5-32-546,Enterprise Admins,Domain Admins
SeDenyNetworkLogonRight = Guest,*S-1-5-32-546,*S-1-0-0,*S-1-5-7,Enterprise Admins,Domain Admins,DenyNetworkAccess
SeDenyInteractiveLogonRight = Guest,*S-1-5-32-546,*S-1-0-0,*S-1-5-7,Enterprise Admins,Domain Admins
SeDenyBatchLogonRight = Guest,*S-1-5-32-546,*S-1-0-0,*S-1-5-7,Enterprise Admins,Domain Admins
SeDenyServiceLogonRight = Guest,*S-1-5-32-546,*S-1-0-0,*S-1-5-7,Enterprise Admins,Domain Admins
SeDenyRemoteInteractiveLogonRight = Guest,*S-1-5-32-546,*S-1-0-0,*S-1-5-7,*S-1-5-113,Enterprise Admins,Domain Admins
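An added checker for GptTmpl.inf fragments like the ones above (example code, not from the post or the linked GPO repository): it parses the SeDeny*LogonRight lines, resolves the well-known SIDs they contain, flags denies that hit accounts the OS itself logs on as (SYSTEM and the Font Driver Host UMFD accounts, the likely cause of the font-related breakage noted above), and reports which deny rights still lack ANONYMOUS LOGON (S-1-5-7). The sample input is constructed from the first and last fragments above.

```python
import re

# Well-known SIDs that appear in the fragments above (standard Windows account names).
WELL_KNOWN = {
    "S-1-0-0": "NULL SID (Nobody)",
    "S-1-5-7": "NT AUTHORITY\\ANONYMOUS LOGON",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-32-546": "BUILTIN\\Guests",
    "S-1-5-113": "NT AUTHORITY\\Local account",
    "S-1-5-96-0-0": "Font Driver Host\\UMFD-0",
    "S-1-5-96-0-1": "Font Driver Host\\UMFD-1",
}

# Principals the OS itself logs on as; denying them a logon right breaks services
# and the user-mode font driver host rather than keeping an attacker out.
BREAKING = {"S-1-5-18", "S-1-5-96-0-0", "S-1-5-96-0-1"}

LINE_RE = re.compile(r"^\s*(Se\w+Right)\s*=\s*(.*)$")

def parse_privilege_rights(text):
    """Return {right: [principal, ...]} for Se*Right lines of a GptTmpl.inf."""
    rights = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # A leading '*' marks a raw SID; bare names are resolved by secedit at apply time.
        rights[m.group(1)] = [p.strip().lstrip("*") for p in m.group(2).split(",") if p.strip()]
    return rights

def audit_breaking_denies(text):
    """List (right, sid, name) for every SeDeny*LogonRight that denies an OS-internal account."""
    findings = []
    for right, principals in parse_privilege_rights(text).items():
        if not right.startswith("SeDeny"):
            continue
        findings.extend((right, p, WELL_KNOWN[p]) for p in principals if p in BREAKING)
    return findings

def rights_missing_anonymous_deny(text):
    """Return the SeDeny*LogonRight entries that do not yet deny S-1-5-7."""
    return sorted(r for r, ps in parse_privilege_rights(text).items()
                  if r.startswith("SeDeny") and "S-1-5-7" not in ps)

# Constructed sample: one over-broad line (first fragment) and one trimmed line (last fragment).
OVERBROAD = "SeDenyServiceLogonRight = Guest,*S-1-5-32-546,*S-1-5-96-0-1,*S-1-0-0,*S-1-5-18,*S-1-5-96-0-0\n"
TRIMMED = "SeDenyServiceLogonRight = Guest,*S-1-5-32-546,*S-1-0-0,*S-1-5-7,Enterprise Admins,Domain Admins\n"

if __name__ == "__main__":
    for right, sid, name in audit_breaking_denies(OVERBROAD):
        print(f"{right}: denying {sid} ({name}) will break the OS")
    print("still lacking S-1-5-7:", rights_missing_anonymous_deny(OVERBROAD))
```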
https://support.microsoft.com/ko-kr/topic/wpd-%EC%9E%A5%EC%B9%98-windows%EC%97%90-%EB%8C%80-%ED%95%9C-%EC%82%AC%EC%9A%A9%EC%9E%90-%EC%A0%95%EC%9D%98-umdf-%EB%93%9C%EB%9D%BC%EC%9D%B4%EB%B2%84%EB%A5%BC-%EC%82%AC%EC%9A%A9-%ED%95%98-%EC%97%AC-%ED%8C%8C%EC%9D%BC-%ED%95%84%ED%84%B0%EB%A7%81-%EB%B0%8F-%EC%9E%A5%EC%B9%98-%EC%9E%A0%EA%B8%88-%EA%B8%B0%EB%8A%A5%EC%9D%84-%EC%82%AC%EC%9A%A9%ED%95%A0-%EC%88%98-%EC%97%86%EC%8A%B5%EB%8B%88%EB%8B%A4-727fd1e0-56a2-3ef4-5b6a-45afa8228527
WPD devices
https://docs.microsoft.com/ko-kr/windows-hardware/drivers/wdf/enabling-and-disabling-interrupts-umdf