Windows Security Descriptor Auditing Methodology: Investigating Event Log Security

After gaining access to a system, what level of access does the system grant an attacker who has not yet elevated privileges?

Rather than experimenting on the host, only to be told by the system that access is denied and to generate noisy logs in the process, a better strategy is to first understand which permissions Windows grants to unprivileged users.

In Windows, nearly all access is governed by security descriptors. The goal of this post is to establish an auditing methodology for exposing the potential risk introduced by misconfigured security descriptors. Once the methodology is in place, we will apply it to a practical use case: which potentially abusable access rights are granted to unprivileged groups on Windows event logs? To answer these questions, we should define the following two things:

· What is a misconfiguration?

· What is an "abusable" access right?

Before answering those questions, let's first establish a method for obtaining security descriptors.

Target audience for this post: anyone already familiar with security descriptors, access control lists and SACLs who wants to formalize an automated auditing methodology. Readers unfamiliar with these concepts can consult the resources in the References section below.

Obtaining Security Descriptors

It is well known that things like files, directories and registry keys can be protected by security descriptors, but how do we determine everything that can be protected? For starters, the kernel considers many things "securable"; we refer to these as securable objects. There are several ways to enumerate securable object types, but I personally find the simplest to be the Get-NtType cmdlet from James Forshaw's NtObjectManager PowerShell module. Running Get-NtType with no arguments returns the following securable objects on my Windows 10 host:

ActivationObject, ActivityReference, Adapter, ALPC Port, Callback, Composition, Controller, CoreMessaging, CoverageSampler, DebugObject, Desktop, Device, Directory, DmaAdapter, Driver, DxgkCompositionObject, DxgkCurrentDxgProcessObject, DxgkDisplayManagerObject, DxgkSharedBundleObject, DxgkSharedKeyedMutexObject, DxgkSharedProtectedSessionObject, DxgkSharedResource, DxgkSharedSwapChainObject, DxgkSharedSyncObject, EnergyTracker, EtwConsumer, EtwRegistration, EtwSessionDemuxEntry, Event, File, FilterCommunicationPort, FilterConnectionPort, IoCompletion, IoCompletionReserve, IRTimer, Job, Key, KeyedEvent, Mutant, NdisCmState, Partition, PcwObject, PowerRequest, Process, Profile, PsSiloContextNonPaged, PsSiloContextPaged, RawInputManager, RegistryTransaction, Section, Semaphore, Session, SymbolicLink, Thread, Timer, TmEn, TmRm, TmTm, TmTx, Token, TpWorkerFactory, Type, UserApcReserve, VRegConfigurationContext, WaitCompletionPacket, WindowStation, WmiGuid

However, none of the returned securable objects appear to relate to our specific use case (event logs). So the question remains: are event logs securable? Intuitively, Microsoft must have considered this aspect of security; for example, unprivileged users cannot view or clear the Security event log. At this point, a Google search is probably the wise move. Searching for "event log security descriptor" turned up the following relevant article:

· Eventlog Key

In that article, the author references the ability to set a custom security descriptor through the "CustomSD" registry value. The author also references the default security permissions described in the documentation for the "Isolation" registry value.

Now that we know security descriptors can be applied to event logs, how do we retrieve them? Fortunately, when you call Get-WinEvent -ListLog in PowerShell, it returns an EventLogConfiguration object for each event log, and that object has a SecurityDescriptor property.

> Get-WinEvent -ListLog Security | Select -ExpandProperty SecurityDescriptor

O:BAG:SYD:(A;;CCLCSDRCWDWO;;;SY)(A;;CCLC;;;BA)(A;;CC;;;ER)

For reference, the string above is an SDDL string, a convenient way of representing a security descriptor. Tools like ConvertFrom-SddlString are very useful for making sense of them.

As someone who likes to understand the underlying Win32 API, I chose to use dnSpy to trace the implementation of the SecurityDescriptor property, and found that it calls the EvtGetChannelConfigProperty function in wevtapi.dll with the EvtChannelConfigAccess enum value. Knowing which DLL the relevant Win32 API function lives in is also valuable, because it points to the corresponding header file in the Windows SDK (winevt.h in this case), and those headers often provide valuable information beyond the MSDN documentation.

Now, if we want to audit event log security descriptors, we need to know which access rights the system applies to them.

Determining the Relevant Access Rights

For event log access control entries, we need to understand the four parts of the access-rights mask:

· Object-specific access rights: rights specific to the securable object, in this case event logs.

· Standard access rights: rights that apply to the security descriptor itself.

· Generic access rights: rights that map onto standard and object-specific rights.

· SACL access right: controls the logging of access granted to or denied on the object.

As for the object-specific access rights, there is documentation for them. However, access rights are sometimes added or removed without the documentation being updated. That is why I prefer to consult the corresponding Windows SDK header, winevt.h, which has the up-to-date object-specific access right definitions:

#define EVT_READ_ACCESS    0x1
#define EVT_WRITE_ACCESS   0x2
#define EVT_CLEAR_ACCESS   0x4
#define EVT_ALL_ACCESS     0x7

For those unfamiliar with bitwise operations, EVT_ALL_ACCESS is the result of a bitwise OR: EVT_READ_ACCESS | EVT_WRITE_ACCESS | EVT_CLEAR_ACCESS.

Now, mapping generic access rights is usually a bit trickier. Generic access rights map onto one or more standard and object-specific access rights. For "obscure" securable objects, documentation of the generic mapping is either lacking or nonexistent, and event logs are no exception. So, with no documentation or header file supplying this information, we can only look for the answer in code. The first question you may ask is "in which code?", and we have to answer it with some guesswork and intuition. My approach was to take the "CustomSD" keyword explained earlier and search DLLs for it, since it is strongly associated with event log security. Once I find such a reference, code related to generic access rights is likely to be nearby. I used the following PowerShell to identify candidate DLLs:

$EventLogAccess = ls C:\Windows\System32\*.dll | sls 'CustomSD' -Encoding unicode
$EventLogAccess.Path | Sort -Unique

The result is as follows:

C:\Windows\System32\acmigration.dll
C:\Windows\System32\aeinv.dll
C:\Windows\System32\apphelp.dll
C:\Windows\System32\appraiser.dll
C:\Windows\System32\d3d9.dll
C:\Windows\System32\drvstore.dll
C:\Windows\System32\dxdiagn.dll
C:\Windows\System32\dxgi.dll
C:\Windows\System32\generaltel.dll
C:\Windows\System32\kernel32.dll
C:\Windows\System32\opengl32.dll
C:\Windows\System32\setupapi.dll
C:\Windows\System32\vbsapi.dll
C:\Windows\System32\vfluapriv.dll
C:\Windows\System32\wevtsvc.dll

In my opinion, the most relevant DLL is wevtsvc.dll, the DLL associated with the event log service.

Upon loading wevtsvc.dll into IDA with symbols, a cross-reference to "CustomSD" led me to the "ChannelConfigReader::GetChannelAccessSddl" function.

While that function and its cross-references did not yield anything related to generic access rights, the GetDefaultSDDL function was very interesting: after a little reversing, I could see that the event log service defines the following security descriptors when no custom security descriptor is applied:

Security log:
O:BAG:SYD:(A;;CCLCSDRCWDWO;;;SY)(A;;CCLC;;;BA)(A;;CC;;;ER)
System log:
O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x3;;;BO)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x3;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)
Application log:
O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0x2;;;S-1-15-3-1024-3153509613-960666767-3724611135-2725662640-12138253-543910227-1950414635-4190290187)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)

These correspond somewhat to the documentation for the "Isolation" registry value, but they are not identical. This is another example of not being able to rely on the documentation alone when you want an accurate result. Now that we have context around the default event log security descriptors, it will soon become relevant in explaining why so many event logs share the same security descriptor. Back to the thornier problem of generic access rights.

While looking through the wevtsvc.dll binary, I happened to notice a call to the AccessCheck function inside the internal function EvtCheckAccess:

(Screenshot: the AccessCheck call inside EvtCheckAccess, as shown in IDA)

Upon seeing this call and consulting the documentation, I could see that this function is used to check access to any object that supports a security descriptor. It also requires a GenericMapping parameter. In this case, wevtsvc.dll supplies a global variable consisting of a GENERIC_MAPPING structure, which AccessCheck requires. In IDA, it looks like this:

(Screenshot: the GENERIC_MAPPING structure in wevtsvc.dll, as shown in IDA)

Translated, this gives:

· GENERIC_READ maps to EVT_READ_ACCESS

· GENERIC_WRITE maps to EVT_WRITE_ACCESS

· GENERIC_EXECUTE does not map to any object-specific access right

· GENERIC_ALL maps to EVT_ALL_ACCESS

There you have it; now this mapping is documented somewhere online.

We now have all the components needed to build automation around auditing event log security descriptors.

Considering Abusable Access Rights

Once you have enumerated all the access rights supported by the target securable object, you can start thinking about how each access right benefits an attacker who has not elevated privileges. After thinking it through, I came up with the following implications for each event log access right:

Implications of the object-specific access rights:

· EVT_READ_ACCESS: grants a user or group the ability to read events from a specific event log. If an event log may store sensitive information, this could be abused. Additionally, most event logs have events written to them from the context of any process, so an attacker has the opportunity to read, from an unprivileged context, events written by privileged processes.

· EVT_WRITE_ACCESS: grants a user or group the ability to write events to a specific event log. By using the event log write APIs, an attacker could generate fake event log entries, which could create a false sense of "all is well". They could also consider injecting benign log entries after performing malicious actions, causing the log context of the attacker's actual malicious activity to roll over and be lost. An attacker might also choose to write data to an event log as a raw data storage mechanism that security products are unlikely to quarantine.

· EVT_CLEAR_ACCESS: grants a user or group the ability to clear a specific event log. Unprivileged users should never be granted this right. However, a mitigating detection control is event ID 104 in the System event log (source: EventLog), which indicates when a specific event log was cleared.

Implications of the standard access rights:

· WRITE_DAC: grants a user or group the ability to add, remove or modify access control entries in the discretionary ACL (DACL). The practical implication for event logs is that it allows an attacker in an unprivileged context to grant themselves read, write or clear access to the specific event log. They could also remove the access of any other user or group they choose, for example, preventing other users from reading the event log.

· WRITE_OWNER: allows a user or group to take ownership of the security descriptor. The user or group then has full control, but the practical attack scenario is assigning ownership of the object to an unprivileged attacker and then modifying the DACL to suit the attacker's needs.

This post does not attempt to exhaustively list every access right an attacker could take advantage of. The extent to which an attacker can abuse a granted access right depends on the following factors:

· the specific object the attacker controls

· the attacker's specific goals

· the attacker's creativity

Security Descriptor Auditing Methodology

As for how to present a security descriptor audit, my preference is to group access rights by the principal (user or group) that is granted access. For example, I specifically want to know which event log access rights are granted to the "NT AUTHORITY\Authenticated Users" group (an unprivileged group). Here is the PowerShell code I wrote:

Let's use PowerShell to look at the granted access rights:


(Screenshot: the author's PowerShell grouping code; not reproduced on this page)
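As an added example that is not the author's code (which survives only as a screenshot), the following PowerShell applies the GENERIC_MAPPING recovered from wevtsvc.dll to every ACE of an event log's SDDL and groups the granted rights by principal, producing the same $PGrouping shape the post queries below. It assumes the mapping affects only the object-specific bits, parses SDDL with .NET's RawSecurityDescriptor, and needs Get-WinEvent only for the live grouping; the per-SDDL translation runs offline against the default Security log descriptor quoted earlier.

```powershell
# Added example, not the original post's code: translate event log ACE access
# masks using the rights discussed above and group granted rights by principal.

# Object-specific rights from winevt.h (L suffix keeps every mask a positive Int64)
$EVT_READ_ACCESS  = 0x1L
$EVT_WRITE_ACCESS = 0x2L
$EVT_CLEAR_ACCESS = 0x4L
# Standard rights relevant to abuse of the descriptor itself
$WRITE_DAC   = 0x40000L
$WRITE_OWNER = 0x80000L
# Generic rights
$GENERIC_READ    = 0x80000000L
$GENERIC_WRITE   = 0x40000000L
$GENERIC_EXECUTE = 0x20000000L
$GENERIC_ALL     = 0x10000000L

function ConvertTo-EventLogRights {
    # Expand generic bits with the GENERIC_MAPPING recovered from wevtsvc.dll
    # (assumption: only the object-specific bits of that mapping are applied),
    # then name every bit that matters for the audit.
    param([Parameter(Mandatory)][int64]$AccessMask)
    $mask = $AccessMask
    if ($mask -band $GENERIC_READ)  { $mask = $mask -bor $EVT_READ_ACCESS }
    if ($mask -band $GENERIC_WRITE) { $mask = $mask -bor $EVT_WRITE_ACCESS }
    # GENERIC_EXECUTE maps to no object-specific right, so it contributes nothing.
    if ($mask -band $GENERIC_ALL) {
        $mask = $mask -bor ($EVT_READ_ACCESS -bor $EVT_WRITE_ACCESS -bor $EVT_CLEAR_ACCESS)
    }
    $rights = @()
    if ($mask -band $EVT_READ_ACCESS)  { $rights += 'LogFileRead' }
    if ($mask -band $EVT_WRITE_ACCESS) { $rights += 'LogFileWrite' }
    if ($mask -band $EVT_CLEAR_ACCESS) { $rights += 'LogFileClear' }
    if ($mask -band $WRITE_DAC)        { $rights += 'WriteDac' }
    if ($mask -band $WRITE_OWNER)      { $rights += 'WriteOwner' }
    return $rights
}

function Resolve-Principal {
    # Translate a SID to DOMAIN\Name, falling back to the SID string
    # (AppContainer capability SIDs, for example, do not translate).
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    try { $Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $Sid.Value }
}

function Get-EventLogAce {
    # Parse an SDDL string and emit one object per DACL ACE.
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        # AccessMask is a signed Int32; keep its low 32 bits as a positive value.
        $mask = ([int64]$ace.AccessMask) -band 0xFFFFFFFFL
        [PSCustomObject]@{
            Principal = Resolve-Principal $ace.SecurityIdentifier
            AceType   = $ace.AceType.ToString()
            Rights    = @(ConvertTo-EventLogRights -AccessMask $mask)
        }
    }
}

function Group-EventLogAccess {
    # Build a hashtable keyed by principal, mirroring the post's $PGrouping:
    # $grouping['NT AUTHORITY\INTERACTIVE'].LogFileRead lists the readable logs.
    param([string]$LogName = '*')
    $grouping = @{}
    foreach ($log in (Get-WinEvent -ListLog $LogName -ErrorAction SilentlyContinue)) {
        if (-not $log.SecurityDescriptor) { continue }
        foreach ($ace in (Get-EventLogAce -Sddl $log.SecurityDescriptor)) {
            # Deny ACEs are skipped; this view only collects what is granted.
            if ($ace.AceType -ne 'AccessAllowed') { continue }
            if (-not $grouping.ContainsKey($ace.Principal)) {
                $grouping[$ace.Principal] = @{
                    LogFileRead = @(); LogFileWrite = @(); LogFileClear = @()
                    WriteDac = @(); WriteOwner = @()
                }
            }
            foreach ($right in $ace.Rights) {
                $grouping[$ace.Principal][$right] += $log.LogName
            }
        }
    }
    return $grouping
}

# Offline check against the default Security log descriptor quoted above:
# SYSTEM gets read/clear plus WriteDac/WriteOwner, Administrators read/clear,
# Event Log Readers read only.
Get-EventLogAce -Sddl 'O:BAG:SYD:(A;;CCLCSDRCWDWO;;;SY)(A;;CCLC;;;BA)(A;;CC;;;ER)' |
    Format-Table Principal, AceType, Rights

# Live audit of every log on the host, as in the post:
$PGrouping = Group-EventLogAccess
$PGrouping['NT AUTHORITY\INTERACTIVE'].LogFileRead.Count
```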

After checking each object, I found that the system grants the largest number of event log read and write access rights to the "NT AUTHORITY\INTERACTIVE" group:

> $PGrouping['NT AUTHORITY\INTERACTIVE'].LogFileRead.Count
415

Now, from an offensive and research perspective, it is up to you to determine which event logs are of particular value to an unprivileged attacker running as "NT AUTHORITY\INTERACTIVE", that is, any user granted an interactive logon token. For example, if a defender is capturing PowerShell script block logging, an unprivileged user already has the right to read the content of every PowerShell script, including those logged in privileged contexts, which may include plaintext credentials.

Finally, it is worth mentioning that because custom event log security descriptors are applied as registry values, you also need to ensure the security of the relevant registry keys as part of the audit, and make sure that unprivileged users cannot write their own custom security descriptors into the registry.
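One way to act on that note, as an added example that is not part of the original post: the following PowerShell walks the event log registry keys and reports allow ACEs that would let a principal outside an expected set write values, create subkeys or change the key's own ACL. The EventLog service key is the one named in the post; the WINEVT\Channels path and the trusted-principal list are assumptions of this example.

```powershell
# Added example, not from the original post: report ACEs that would let a
# principal outside an expected set write to the registry keys the event log
# service reads its custom security descriptors from.

# Registry rights that allow changing values, subkeys, or the key's own ACL.
$RegistryWriteRights = [int64]([System.Security.AccessControl.RegistryRights]::SetValue -bor
    [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
    [System.Security.AccessControl.RegistryRights]::Delete -bor
    [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
    [System.Security.AccessControl.RegistryRights]::TakeOwnership)
# Generic bits that also imply write access to a registry key.
$GenericWriteBits = 0x40000000L -bor 0x10000000L   # GENERIC_WRITE | GENERIC_ALL

function Find-WritableEventLogKey {
    param(
        # The key from the post, plus the per-channel keys used by newer
        # channels (an assumption of this example; the post does not cover them).
        [string[]]$KeyPath = @(
            'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels'
        ),
        # Principals expected to hold write access; anything else is reported.
        [string[]]$TrustedPrincipal = @(
            'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
            'NT SERVICE\TrustedInstaller', 'CREATOR OWNER'
        )
    )
    foreach ($root in $KeyPath) {
        $keys = @(Get-Item -Path $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            if (-not $key) { continue }
            $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($TrustedPrincipal -contains $ace.IdentityReference.Value) { continue }
                # RegistryRights is a signed enum; keep the low 32 bits positive.
                $mask = ([int64][int]$ace.RegistryRights) -band 0xFFFFFFFFL
                if (($mask -band $RegistryWriteRights) -or ($mask -band $GenericWriteBits)) {
                    [PSCustomObject]@{
                        Key       = $key.Name
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.RegistryRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
    }
}

# Any row returned is a candidate misconfiguration worth reviewing.
Find-WritableEventLogKey | Format-Table -AutoSize
```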

Rationalizing the Default Security Descriptors

Based on our earlier findings about the default security descriptors, I have not yet assessed the risk posed by unprivileged users being able to read most event logs, but this may at least explain why so many logs are granted the access rights they have. The following code lists all event logs that use the default "Application" isolation security:

> $ApplicationEventLogsDefaultSDDL = 'O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0x2;;;S-1-15-3-1024-3153509613-960666767-3724611135-2725662640-12138253-543910227-1950414635-4190290187)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)'
> Get-WinEvent -ListLog * | Where-Object { $_.SecurityDescriptor -eq $ApplicationEventLogsDefaultSDDL }

As expected, nearly all event logs appear in the output as "Application" event logs. With this information, whether as Microsoft or as a defender, it may be wise to apply our own more restrictive security descriptor to event logs considered sensitive, such as the "Microsoft-Windows-PowerShell/Operational" log.

Investigating Security Descriptor SACLs

Throughout my audit of event log security descriptors, there was no documentation indicating that event logs support SACLs. Fortunately, there are two relevant pieces of code in the internal function EvtCheckAccess: calls to GetSecurityDescriptorSacl and AccessCheckAndAuditAlarm.

(Screenshot: the SACL handling code in EvtCheckAccess, as shown in IDA)

Now that we know there is code that handles SACLs, we can assume SACLs are supported. At this point, I could have tried applying a custom security descriptor with a SACL to an event log, but I first wanted to figure out what the "Channel" parameter referred to. I later found that this parameter refers to the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\Security\ObjectNames

(Screenshot: the contents of the ObjectNames registry key)

So it appears these are the object types that support SACL logging! I also determined that these DWORD values refer to message table indices in msobjs.dll, from which the event log pulls the text when logging the relevant SACL access rights. I wrote a rough script to extract these values. Appendix B lists the dumped message strings for all supported securable objects. For example, I extracted the following message strings associated with the "Channel" object type:

Channel read message
Channel write message
Channel query information
Channel set information
Undefined Access (no effect) Bit 4
Undefined Access (no effect) Bit 5
Undefined Access (no effect) Bit 6
Undefined Access (no effect) Bit 7
Undefined Access (no effect) Bit 8
Undefined Access (no effect) Bit 9
Undefined Access (no effect) Bit 10
Undefined Access (no effect) Bit 11
Undefined Access (no effect) Bit 12
Undefined Access (no effect) Bit 13
Undefined Access (no effect) Bit 14
Undefined Access (no effect) Bit 15

These strings must mean something too, because the object-specific access rights only go up to 7 (EVT_ALL_ACCESS), which is 111 in binary, three bits long, yet four messages are defined. However, from these messages alone it is not entirely clear which access rights correspond to "Channel query information" and "Channel set information". Regardless, with this knowledge you at least now know which SACL access rights can be logged!

Conclusion

I hope this post has helped highlight a methodology for auditing the security descriptors of event logs and of any securable object type. It should also highlight the challenges of performing such audits when documentation is incomplete or nonexistent.

As another example, I used the methodology presented here to identify all writable subdirectories under %windir%.

I also used this methodology to understand, audit and discover misconfigurations in ETW providers and trace sessions, which I covered in my talk at Recon 2019:

Beyond these, there are many more securable object types worth investigating!

Finally, this post was a collaboration between SpecterOps and Palantir. The time allocated through this partnership made it possible for me to share this information with you, and I am grateful for it!

References

· Detecting Windows endpoint compromise with SACLs

· How to design a DACL backdoor for Active Directory

Appendix A: Event Logs Readable and Writable by NT AUTHORITY\INTERACTIVE

At the time of writing, the following event logs have the default "Application" isolation security descriptor applied to them, which grants members of the unprivileged "NT AUTHORITY\INTERACTIVE" group read and write access. It is left to the reader to decide the extent to which these event logs may or may not contain valuable or sensitive information.

Event logs granted read access:

AMSI/Operational
Application
ForwardedEvents
HardwareEvents
Key Management Service
Microsoft-AppV-Client/Admin
Microsoft-AppV-Client/Operational
Microsoft-AppV-Client/Virtual Applications
Microsoft-Client-Licensing-Platform/Admin
Microsoft-User Experience Virtualization-Agent Driver/Operational
Microsoft-User Experience Virtualization-App Agent/Operational
Microsoft-User Experience Virtualization-IPC/Operational
Microsoft-User Experience Virtualization-SQM Uploader/Operational
Microsoft-Windows-AAD/Operational
Microsoft-Windows-AllJoyn/Operational
Microsoft-Windows-All-User-Install-Agent/Admin
Microsoft-Windows-AppHost/Admin
Microsoft-Windows-AppID/Operational
Microsoft-Windows-ApplicabilityEngine/Operational
Microsoft-Windows-Application Server-Applications/Admin
Microsoft-Windows-Application Server-Applications/Operational
Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant
Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter
Microsoft-Windows-Application-Experience/Program-Inventory
Microsoft-Windows-Application-Experience/Program-Telemetry
Microsoft-Windows-Application-Experience/Steps-Recorder
Microsoft-Windows-ApplicationResourceManagementSystem/Operational
Microsoft-Windows-AppLocker/EXE and DLL
Microsoft-Windows-AppLocker/MSI and Script
Microsoft-Windows-AppLocker/Packaged app-Deployment
Microsoft-Windows-AppLocker/Packaged app-Execution
Microsoft-Windows-AppModel-Runtime/Admin
Microsoft-Windows-AppReadiness/Admin
Microsoft-Windows-AppReadiness/Operational
Microsoft-Windows-AppXDeployment/Operational
Microsoft-Windows-AppXDeploymentServer/Operational
Microsoft-Windows-AppxPackaging/Operational
Microsoft-Windows-AssignedAccess/Admin
Microsoft-Windows-AssignedAccess/Operational
Microsoft-Windows-AssignedAccessBroker/Admin
Microsoft-Windows-AssignedAccessBroker/Operational
Microsoft-Windows-Audio/CaptureMonitor
Microsoft-Windows-Audio/GlitchDetection
Microsoft-Windows-Audio/Informational
Microsoft-Windows-Audio/Operational
Microsoft-Windows-Audio/PlaybackManager
Microsoft-Windows-Authentication User Interface/Operational
Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController
Microsoft-Windows-Authentication/ProtectedUser-Client
Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController
Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController
Microsoft-Windows-BackgroundTaskInfrastructure/Operational
Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational
Microsoft-Windows-Backup
Microsoft-Windows-Base-Filtering-Engine-Connections/Operational
Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational
Microsoft-Windows-Biometrics/Operational
Microsoft-Windows-BitLocker/BitLocker Management
Microsoft-Windows-BitLocker/BitLocker Operational
Microsoft-Windows-BitLocker-DrivePreparationTool/Admin
Microsoft-Windows-BitLocker-DrivePreparationTool/Operational
Microsoft-Windows-Bits-Client/Analytic
Microsoft-Windows-Bits-Client/Operational
Microsoft-Windows-Bluetooth-BthLEEnum/Operational
Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational
Microsoft-Windows-Bluetooth-Bthmini/Operational
Microsoft-Windows-Bluetooth-MTPEnum/Operational
Microsoft-Windows-Bluetooth-Policy/Operational
Microsoft-Windows-BranchCache/Operational
Microsoft-Windows-BranchCacheSMB/Operational
Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational
Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational
Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational
Microsoft-Windows-CertPoleEng/Operational
Microsoft-Windows-CloudStorageWizard/Operational
Microsoft-Windows-CloudStore/Debug
Microsoft-Windows-CloudStore/Operational
Microsoft-Windows-CodeIntegrity/Operational
Microsoft-Windows-Compat-Appraiser/Operational
Microsoft-Windows-Containers-BindFlt/Operational
Microsoft-Windows-Containers-Wcifs/Operational
Microsoft-Windows-Containers-Wcnfs/Operational
Microsoft-Windows-CoreApplication/Operational
Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational
Microsoft-Windows-CorruptedFileRecovery-Client/Operational
Microsoft-Windows-CorruptedFileRecovery-Server/Operational
Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc
Microsoft-Windows-Crypto-DPAPI/Debug
Microsoft-Windows-Crypto-DPAPI/Operational
Microsoft-Windows-DAL-Provider/Operational
Microsoft-Windows-DataIntegrityScan/Admin
Microsoft-Windows-DataIntegrityScan/CrashRecovery
Microsoft-Windows-DateTimeControlPanel/Operational
Microsoft-Windows-Deduplication/Diagnostic
Microsoft-Windows-Deduplication/Operational
Microsoft-Windows-Deduplication/Scrubbing
Microsoft-Windows-DeviceGuard/Operational
Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational
Microsoft-Windows-Devices-Background/Operational
Microsoft-Windows-DeviceSetupManager/Admin
Microsoft-Windows-DeviceSetupManager/Operational
Microsoft-Windows-DeviceSync/Operational
Microsoft-Windows-DeviceUpdateAgent/Operational
Microsoft-Windows-Dhcp-Client/Admin
Microsoft-Windows-Dhcp-Client/Operational
Microsoft-Windows-Dhcpv6-Client/Admin
Microsoft-Windows-Dhcpv6-Client/Operational
Microsoft-Windows-Diagnosis-DPS/Operational
Microsoft-Windows-Diagnosis-PCW/Operational
Microsoft-Windows-Diagnosis-PLA/Operational
Microsoft-Windows-Diagnosis-Scheduled/Operational
Microsoft-Windows-Diagnosis-Scripted/Admin
Microsoft-Windows-Diagnosis-Scripted/Operational
Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational
Microsoft-Windows-Diagnostics-Networking/Operational
Microsoft-Windows-DiskDiagnostic/Operational
Microsoft-Windows-DiskDiagnosticDataCollector/Operational
Microsoft-Windows-DiskDiagnosticResolver/Operational
Microsoft-Windows-DisplayColorCalibration/Operational
Microsoft-Windows-DNS-Client/Operational
Microsoft-Windows-DriverFrameworks-UserMode/Operational
Microsoft-Windows-DSC/Admin
Microsoft-Windows-DSC/Operational
Microsoft-Windows-DxgKrnl-Admin
Microsoft-Windows-DxgKrnl-Operational
Microsoft-Windows-EapHost/Operational
Microsoft-Windows-EapMethods-RasChap/Operational
Microsoft-Windows-EapMethods-RasTls/Operational
Microsoft-Windows-EapMethods-Sim/Operational
Microsoft-Windows-EapMethods-Ttls/Operational
Microsoft-Windows-EDP-Application-Learning/Admin
Microsoft-Windows-EDP-Audit-Regular/Admin
Microsoft-Windows-EDP-Audit-TCB/Admin
Microsoft-Windows-Energy-Estimation-Engine/EventLog
Microsoft-Windows-ESE/Operational
Microsoft-Windows-EventCollector/Operational
Microsoft-Windows-Fault-Tolerant-Heap/Operational
Microsoft-Windows-FeatureConfiguration/Operational
Microsoft-Windows-FileHistory-Core/WHC
Microsoft-Windows-FMS/Operational
Microsoft-Windows-Folder Redirection/Operational
Microsoft-Windows-Forwarding/Operational
Microsoft-Windows-GenericRoaming/Admin
Microsoft-Windows-glcnd/Admin
Microsoft-Windows-HelloForBusiness/Operational
Microsoft-Windows-HomeGroup Control Panel/Operational
Microsoft-Windows-HomeGroup Listener Service/Operational
Microsoft-Windows-HomeGroup Provider Service/Operational
Microsoft-Windows-HostGuardianClient-Service/Admin
Microsoft-Windows-HostGuardianClient-Service/Operational
Microsoft-Windows-HostGuardianService-CA/Admin
Microsoft-Windows-HostGuardianService-CA/Operational
Microsoft-Windows-HostGuardianService-Client/Admin
Microsoft-Windows-HostGuardianService-Client/Operational
Microsoft-Windows-HotspotAuth/Operational
Microsoft-Windows-HttpService/Log
Microsoft-Windows-HttpService/Trace
Microsoft-Windows-Hyper-V-Guest-Drivers/Admin
Microsoft-Windows-Hyper-V-Guest-Drivers/Operational
Microsoft-Windows-Hyper-V-VMSP-Admin
Microsoft-Windows-Hyper-V-VmSwitch-Operational
Microsoft-Windows-IdCtrls/Operational
Microsoft-Windows-IKE/Operational
Microsoft-Windows-International/Operational
Microsoft-Windows-International-RegionalOptionsControlPanel/Operational
Microsoft-Windows-Iphlpsvc/Operational
Microsoft-Windows-IPxlatCfg/Operational
Microsoft-Windows-KdsSvc/Operational
Microsoft-Windows-Kerberos/Operational
Microsoft-Windows-Kernel-ApphelpCache/Operational
Microsoft-Windows-Kernel-Boot/Operational
Microsoft-Windows-Kernel-EventTracing/Admin
Microsoft-Windows-Kernel-IO/Operational
Microsoft-Windows-Kernel-PnP/Configuration
Microsoft-Windows-Kernel-Power/Thermal-Operational
Microsoft-Windows-Kernel-ShimEngine/Operational
Microsoft-Windows-Kernel-StoreMgr/Operational
Microsoft-Windows-Kernel-WDI/Operational
Microsoft-Windows-Kernel-WHEA/Errors
Microsoft-Windows-Kernel-WHEA/Operational
Microsoft-Windows-Known Folders API Service
Microsoft-Windows-LanguagePackSetup/Operational
Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational
Microsoft-Windows-LSA/Operational
Microsoft-Windows-MediaFoundation-Performance/SARStreamResource
Microsoft-Windows-MemoryDiagnostics-Results/Debug
Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational
Microsoft-Windows-Mobile-Broadband-Experience-SmsRouter/Admin
Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Admin
Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot
Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService
Microsoft-Windows-Mprddm/Operational
Microsoft-Windows-MSPaint/Admin
Microsoft-Windows-MUI/Admin
Microsoft-Windows-MUI/Operational
Microsoft-Windows-Ncasvc/Operational
Microsoft-Windows-NcdAutoSetup/Operational
Microsoft-Windows-NCSI/Operational
Microsoft-Windows-NDIS/Operational
Microsoft-Windows-NdisImPlatform/Operational
Microsoft-Windows-NetworkLocationWizard/Operational
Microsoft-Windows-NetworkProfile/Operational
Microsoft-Windows-NetworkProvisioning/Operational
Microsoft-Windows-NlaSvc/Operational
Microsoft-Windows-Ntfs/Operational
Microsoft-Windows-Ntfs/WHC
Microsoft-Windows-NTLM/Operational
Microsoft-Windows-OfflineFiles/Operational
Microsoft-Windows-OneBackup/Debug
Microsoft-Windows-OneX/Operational
Microsoft-Windows-OOBE-Machine-DUI/Operational
Microsoft-Windows-OtpCredentialProvider/Operational
Microsoft-Windows-PackageStateRoaming/Operational
Microsoft-Windows-Partition/Diagnostic
Microsoft-Windows-PerceptionRuntime/Operational
Microsoft-Windows-PerceptionSensorDataService/Operational
Microsoft-Windows-PersistentMemory-Nvdimm/Operational
Microsoft-Windows-PersistentMemory-PmemDisk/Operational
Microsoft-Windows-PersistentMemory-ScmBus/Certification
Microsoft-Windows-PersistentMemory-ScmBus/Operational
Microsoft-WindowsPhone-Connectivity-WiFiConnSvc-Channel
Microsoft-Windows-Policy/Operational
Microsoft-Windows-PowerShell/Admin
Microsoft-Windows-PowerShell/Operational
Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational
Microsoft-Windows-PrintBRM/Admin
Microsoft-Windows-PrintService/Admin
Microsoft-Windows-PrintService/Operational
Microsoft-Windows-PriResources-Deployment/Operational
Microsoft-Windows-Program-Compatibility-Assistant/Analytic
Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade
Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin
Microsoft-Windows-Provisioning-Diagnostics-Provider/AutoPilot
Microsoft-Windows-Provisioning-Diagnostics-Provider/ManagementService
Microsoft-Windows-Proximity-Common/Diagnostic
Microsoft-Windows-PushNotification-Platform/Admin
Microsoft-Windows-PushNotification-Platform/Operational
Microsoft-Windows-RasAgileVpn/Operational
Microsoft-Windows-ReadyBoost/Operational
Microsoft-Windows-ReadyBoostDriver/Operational
Microsoft-Windows-ReFS/Operational
Microsoft-Windows-Regsvr32/Operational
Microsoft-Windows-RemoteApp and Desktop Connections/Admin
Microsoft-Windows-RemoteApp and Desktop Connections/Operational
Microsoft-Windows-RemoteAssistance/Admin
Microsoft-Windows-RemoteAssistance/Operational
Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin
Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
Microsoft-Windows-RemoteDesktopServices-RemoteFX-Manager/Admin
Microsoft-Windows-RemoteDesktopServices-RemoteFX-Manager/Operational
Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin
Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsp/Admin
Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational
Microsoft-Windows-Remotefs-Rdbss/Operational
Microsoft-Windows-Resource-Exhaustion-Detector/Operational
Microsoft-Windows-Resource-Exhaustion-Resolver/Operational
Microsoft-Windows-RestartManager/Operational
Microsoft-Windows-RetailDemo/Admin
Microsoft-Windows-RetailDemo/Operational
Microsoft-Windows-RRAS/Operational
Microsoft-Windows-SearchUI/Operational
Microsoft-Windows-SecureAssessment/Operational
Microsoft-Windows-Security-Adminless/Operational
Microsoft-Windows-Security-Audit-Configuration-Client/Operational
Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational
Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational
Microsoft-Windows-Security-IdentityListener/Operational
Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational
Microsoft-Windows-Security-Mitigations/KernelMode
Microsoft-Windows-Security-Mitigations/UserMode
Microsoft-Windows-SecurityMitigationsBroker/Admin
Microsoft-Windows-SecurityMitigationsBroker/Operational
Microsoft-Windows-Security-Netlogon/Operational
Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational
Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter
Microsoft-Windows-Security-UserConsentVerifier/Audit
Microsoft-Windows-SENSE/Operational
Microsoft-Windows-SenseIR/Operational
Microsoft-Windows-ServiceReportingApi/Debug
Microsoft-Windows-SettingSync/Debug
Microsoft-Windows-SettingSync/Operational
Microsoft-Windows-SettingSync-Azure/Debug
Microsoft-Windows-SettingSync-Azure/Operational
Microsoft-Windows-SettingSync-OneDrive/Debug
Microsoft-Windows-SettingSync-OneDrive/Operational
Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational
Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter
Microsoft-Windows-Shell-Core/ActionCenter
Microsoft-Windows-Shell-Core/AppDefaults
Microsoft-Windows-Shell-Core/LogonTasksChannel
Microsoft-Windows-Shell-Core/Operational
Microsoft-Windows-SmartCard-Audit/Authentication
Microsoft-Windows-SmartCard-DeviceEnum/Operational
Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin
Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational
Microsoft-Windows-SmartScreen/Debug
Microsoft-Windows-SMBDirect/Admin
Microsoft-Windows-SMBWitnessClient/Admin
Microsoft-Windows-SMBWitnessClient/Informational
Microsoft-Windows-StateRepository/Operational
Microsoft-Windows-Storage-ATAPort/Admin
Microsoft-Windows-Storage-ATAPort/Operational
Microsoft-Windows-Storage-ClassPnP/Admin
Microsoft-Windows-Storage-ClassPnP/Operational
Microsoft-Windows-Storage-Disk/Admin
Microsoft-Windows-Storage-Disk/Operational
Microsoft-Windows-StorageManagement/Operational
Microsoft-Windows-StorageSpaces-Driver/Diagnostic
Microsoft-Windows-StorageSpaces-Driver/Operational
Microsoft-Windows-StorageSpaces-ManagementAgent/WHC
Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic
Microsoft-Windows-StorageSpaces-SpaceManager/Operational
Microsoft-Windows-Storage-Storport/Admin
Microsoft-Windows-Storage-Storport/Health
Microsoft-Windows-Storage-Storport/Operational
Microsoft-Windows-Storage-Tiering/Admin
Microsoft-Windows-Store/Operational
Microsoft-Windows-Storsvc/Diagnostic
Microsoft-Windows-SystemSettingsThreshold/Operational
Microsoft-Windows-TaskScheduler/Maintenance
Microsoft-Windows-TaskScheduler/Operational
Microsoft-Windows-TCPIP/Operational
Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin
Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational
Microsoft-Windows-TerminalServices-LocalSessionManager/Admin
Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
Microsoft-Windows-TerminalServices-PnPDevices/Admin
Microsoft-Windows-TerminalServices-PnPDevices/Operational
Microsoft-Windows-TerminalServices-Printers/Admin
Microsoft-Windows-TerminalServices-Printers/Operational
Microsoft-Windows-TerminalServices-RDPClient/Operational
Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin
Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin
Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational
Microsoft-Windows-Time-Service/Operational
Microsoft-Windows-Time-Service-PTP-Provider/PTP-Operational
Microsoft-Windows-Troubleshooting-Recommended/Admin
Microsoft-Windows-Troubleshooting-Recommended/Operational
Microsoft-Windows-TWinUI/Operational
Microsoft-Windows-TZSync/Operational
Microsoft-Windows-TZUtil/Operational
Microsoft-Windows-UAC/Operational
Microsoft-Windows-UniversalTelemetryClient/Operational
Microsoft-Windows-User Control Panel/Operational
Microsoft-Windows-User Device Registration/Admin
Microsoft-Windows-User Profile Service/Operational
Microsoft-Windows-User-Loader/Operational
Microsoft-Windows-UserPnp/ActionCenter
Microsoft-Windows-UserPnp/DeviceInstall
Microsoft-Windows-VDRVROOT/Operational
Microsoft-Windows-VerifyHardwareSecurity/Admin
Microsoft-Windows-VerifyHardwareSecurity/Operational
Microsoft-Windows-VHDMP-Operational
Microsoft-Windows-Volume/Diagnostic
Microsoft-Windows-VolumeSnapshot-Driver/Operational
Microsoft-Windows-VPN/Operational
Microsoft-Windows-VPN-Client/Operational
Microsoft-Windows-Wcmsvc/Operational
Microsoft-Windows-WDAG-PolicyEvaluator-CSP/Operational
Microsoft-Windows-WDAG-PolicyEvaluator-GP/Operational
Microsoft-Windows-WDAG-Service/Operational
Microsoft-Windows-WebAuth/Operational
Microsoft-Windows-WebAuthN/Operational
Microsoft-Windows-WebIO-NDF/Diagnostic
Microsoft-Windows-WEPHOSTSVC/Operational
Microsoft-Windows-WER-PayloadHealth/Operational
Microsoft-Windows-WFP/Operational
Microsoft-Windows-Win32k/Operational
Microsoft-Windows-Windows Defender/Operational
Microsoft-Windows-Windows Defender/WHC
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
Microsoft-Windows-Windows Firewall With Advanced Security/FirewallDiagnostics
Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose
Microsoft-Windows-WindowsBackup/ActionCenter
Microsoft-Windows-WindowsColorSystem/Operational
Microsoft-Windows-WindowsSystemAssessmentTool/Operational
Microsoft-Windows-WindowsUIImmersive/Operational
Microsoft-Windows-WindowsUpdateClient/Operational
Microsoft-Windows-WinHTTP-NDF/Diagnostic
Microsoft-Windows-WinINet-Capture/Analytic
Microsoft-Windows-WinINet-Config/ProxyConfigChanged
Microsoft-Windows-Winlogon/Operational
Microsoft-Windows-WinNat/Oper
Microsoft-Windows-WinRM/Operational
Microsoft-Windows-Winsock-AFD/Operational
Microsoft-Windows-Winsock-NameResolution/Operational
Microsoft-Windows-Winsock-WS2HELP/Operational
Microsoft-Windows-Wired-AutoConfig/Operational
Microsoft-Windows-WLAN-AutoConfig/Operational
Microsoft-Windows-WMI-Activity/Operational
Microsoft-Windows-WMPNSS-Service/Operational
Microsoft-Windows-Wordpad/Admin
Microsoft-Windows-WorkFolders/Operational
Microsoft-Windows-WorkFolders/WHC
Microsoft-Windows-Workplace Join/Admin
Microsoft-Windows-WPD-ClassInstaller/Operational
Microsoft-Windows-WPD-CompositeClassDriver/Operational
Microsoft-Windows-WPD-MTPClassDriver/Operational
Microsoft-Windows-WWAN-SVC-Events/Operational
OpenSSH/Admin
OpenSSH/Operational
RemoteDesktopServices-RemoteFX-SessionLicensing-Admin
RemoteDesktopServices-RemoteFX-SessionLicensing-Operational
Setup
SMSApi
System
Windows PowerShell

Event logs granted write access:

AMSI/Operational
Application
ForwardedEvents
HardwareEvents
Key Management Service
Microsoft-AppV-Client/Virtual Applications
Microsoft-Client-Licensing-Platform/Admin
Microsoft-User Experience Virtualization-App Agent/Operational
Microsoft-User Experience Virtualization-IPC/Operational
Microsoft-User Experience Virtualization-SQM Uploader/Operational
Microsoft-Windows-AAD/Operational
Microsoft-Windows-AllJoyn/Operational
Microsoft-Windows-All-User-Install-Agent/Admin
Microsoft-Windows-AppHost/Admin
Microsoft-Windows-ApplicabilityEngine/Operational
Microsoft-Windows-Application Server-Applications/Admin
Microsoft-Windows-Application Server-Applications/Operational
Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant
Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter
Microsoft-Windows-Application-Experience/Program-Inventory
Microsoft-Windows-Application-Experience/Program-Telemetry
Microsoft-Windows-Application-Experience/Steps-Recorder
Microsoft-Windows-ApplicationResourceManagementSystem/Operational
Microsoft-Windows-AppLocker/MSI and Script
Microsoft-Windows-AppLocker/Packaged app-Deployment
Microsoft-Windows-AppModel-Runtime/Admin
Microsoft-Windows-AppReadiness/Admin
Microsoft-Windows-AppReadiness/Operational
Microsoft-Windows-AppXDeployment/Operational
Microsoft-Windows-AppXDeploymentServer/Operational
Microsoft-Windows-AppxPackaging/Operational
Microsoft-Windows-AssignedAccess/Admin
Microsoft-Windows-AssignedAccess/Operational
Microsoft-Windows-AssignedAccessBroker/Admin
Microsoft-Windows-AssignedAccessBroker/Operational
Microsoft-Windows-Audio/PlaybackManager
Microsoft-Windows-Authentication User Interface/Operational
Microsoft-Windows-BackgroundTaskInfrastructure/Operational
Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational
Microsoft-Windows-Base-Filtering-Engine-Connections/Operational
Microsoft-Windows-BitLocker/BitLocker Management
Microsoft-Windows-BitLocker/BitLocker Operational
Microsoft-Windows-Bits-Client/Analytic
Microsoft-Windows-BranchCache/Operational
Microsoft-Windows-BranchCacheSMB/Operational
Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational
Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational
Microsoft-Windows-CertPoleEng/Operational
Microsoft-Windows-CloudStorageWizard/Operational
Microsoft-Windows-CloudStore/Debug
Microsoft-Windows-CloudStore/Operational
Microsoft-Windows-Compat-Appraiser/Operational
Microsoft-Windows-CoreApplication/Operational
Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational
Microsoft-Windows-CorruptedFileRecovery-Client/Operational
Microsoft-Windows-DAL-Provider/Operational
Microsoft-Windows-DataIntegrityScan/Admin
Microsoft-Windows-DataIntegrityScan/CrashRecovery
Microsoft-Windows-DateTimeControlPanel/Operational
Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational
Microsoft-Windows-Devices-Background/Operational
Microsoft-Windows-DeviceSync/Operational
Microsoft-Windows-Dhcp-Client/Admin
Microsoft-Windows-Dhcp-Client/Operational
Microsoft-Windows-Dhcpv6-Client/Admin
Microsoft-Windows-Dhcpv6-Client/Operational
Microsoft-Windows-Diagnosis-PCW/Operational
Microsoft-Windows-Diagnosis-PLA/Operational
Microsoft-Windows-Diagnosis-Scheduled/Operational
Microsoft-Windows-Diagnosis-Scripted/Admin
Microsoft-Windows-Diagnosis-Scripted/Operational
Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational
Microsoft-Windows-Diagnostics-Networking/Operational
Microsoft-Windows-DiskDiagnosticResolver/Operational
Microsoft-Windows-DisplayColorCalibration/Operational
Microsoft-Windows-DNS-Client/Operational
Microsoft-Windows-DSC/Admin
Microsoft-Windows-DSC/Operational
Microsoft-Windows-EapHost/Operational
Microsoft-Windows-EapMethods-RasChap/Operational
Microsoft-Windows-EapMethods-RasTls/Operational
Microsoft-Windows-EapMethods-Sim/Operational
Microsoft-Windows-EapMethods-Ttls/Operational
Microsoft-Windows-EDP-Application-Learning/Admin
Microsoft-Windows-EDP-Audit-Regular/Admin
Microsoft-Windows-EDP-Audit-TCB/Admin
Microsoft-Windows-Energy-Estimation-Engine/EventLog
Microsoft-Windows-ESE/Operational
Microsoft-Windows-FeatureConfiguration/Operational
Microsoft-Windows-FileHistory-Core/WHC
Microsoft-Windows-Folder Redirection/Operational
Microsoft-Windows-Forwarding/Operational
Microsoft-Windows-GenericRoaming/Admin
Microsoft-Windows-glcnd/Admin
Microsoft-Windows-HelloForBusiness/Operational
Microsoft-Windows-HomeGroup Control Panel/Operational
Microsoft-Windows-HomeGroup Listener Service/Operational
Microsoft-Windows-HomeGroup Provider Service/Operational
Microsoft-Windows-HostGuardianClient-Service/Admin
Microsoft-Windows-HostGuardianClient-Service/Operational
Microsoft-Windows-HostGuardianService-CA/Admin
Microsoft-Windows-HostGuardianService-CA/Operational
Microsoft-Windows-HostGuardianService-Client/Admin
Microsoft-Windows-HostGuardianService-Client/Operational
Microsoft-Windows-HotspotAuth/Operational
Microsoft-Windows-HttpService/Log
Microsoft-Windows-HttpService/Trace
Microsoft-Windows-IdCtrls/Operational
Microsoft-Windows-International/Operational
Microsoft-Windows-International-RegionalOptionsControlPanel/Operational
Microsoft-Windows-Iphlpsvc/Operational
Microsoft-Windows-IPxlatCfg/Operational
Microsoft-Windows-Kernel-ApphelpCache/Operational
Microsoft-Windows-Known Folders API Service
Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational
Microsoft-Windows-MediaFoundation-Performance/SARStreamResource
Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational
Microsoft-Windows-Mobile-Broadband-Experience-SmsRouter/Admin
Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Admin
Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot
Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService
Microsoft-Windows-Mprddm/Operational
Microsoft-Windows-MSPaint/Admin
Microsoft-Windows-Ncasvc/Operational
Microsoft-Windows-NcdAutoSetup/Operational
Microsoft-Windows-NCSI/Operational
Microsoft-Windows-NDIS/Operational
Microsoft-Windows-NetworkLocationWizard/Operational
Microsoft-Windows-NetworkProfile/Operational
Microsoft-Windows-NetworkProvisioning/Operational
Microsoft-Windows-NlaSvc/Operational
Microsoft-Windows-OfflineFiles/Operational
Microsoft-Windows-OneBackup/Debug
Microsoft-Windows-OneX/Operational
Microsoft-Windows-OOBE-Machine-DUI/Operational
Microsoft-Windows-OtpCredentialProvider/Operational
Microsoft-Windows-PackageStateRoaming/Operational
Microsoft-Windows-PerceptionRuntime/Operational
Microsoft-Windows-PerceptionSensorDataService/Operational
Microsoft-WindowsPhone-Connectivity-WiFiConnSvc-Channel
Microsoft-Windows-PowerShell/Admin
Microsoft-Windows-PowerShell/Operational
Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational
Microsoft-Windows-PrintBRM/Admin
Microsoft-Windows-PrintService/Admin
Microsoft-Windows-PrintService/Operational
Microsoft-Windows-PriResources-Deployment/Operational
Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin
Microsoft-Windows-Provisioning-Diagnostics-Provider/AutoPilot
Microsoft-Windows-Provisioning-Diagnostics-Provider/ManagementService
Microsoft-Windows-Proximity-Common/Diagnostic
Microsoft-Windows-PushNotification-Platform/Admin
Microsoft-Windows-PushNotification-Platform/Operational
Microsoft-Windows-RasAgileVpn/Operational
Microsoft-Windows-ReadyBoost/Operational
Microsoft-Windows-Regsvr32/Operational
Microsoft-Windows-RemoteApp and Desktop Connections/Admin
Microsoft-Windows-RemoteApp and Desktop Connections/Operational
Microsoft-Windows-RemoteAssistance/Admin
Microsoft-Windows-RemoteAssistance/Operational
Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin
Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
Microsoft-Windows-RemoteDesktopServices-RemoteFX-Manager/Admin
Microsoft-Windows-RemoteDesktopServices-RemoteFX-Manager/Operational
Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational
Microsoft-Windows-Remotefs-Rdbss/Operational
Microsoft-Windows-Resource-Exhaustion-Resolver/Operational
Microsoft-Windows-RestartManager/Operational
Microsoft-Windows-RetailDemo/Admin
Microsoft-Windows-RetailDemo/Operational
Microsoft-Windows-RRAS/Operational
Microsoft-Windows-SearchUI/Operational
Microsoft-Windows-SecureAssessment/Operational
Microsoft-Windows-Security-Audit-Configuration-Client/Operational
Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational
Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational
Microsoft-Windows-Security-IdentityListener/Operational
Microsoft-Windows-Security-Mitigations/UserMode
Microsoft-Windows-SecurityMitigationsBroker/Admin
Microsoft-Windows-SecurityMitigationsBroker/Operational
Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational
Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter
Microsoft-Windows-SENSE/Operational
Microsoft-Windows-SenseIR/Operational
Microsoft-Windows-SettingSync/Debug
Microsoft-Windows-SettingSync/Operational
Microsoft-Windows-SettingSync-Azure/Debug
Microsoft-Windows-SettingSync-Azure/Operational
Microsoft-Windows-SettingSync-OneDrive/Debug
Microsoft-Windows-SettingSync-OneDrive/Operational
Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational
Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter
Microsoft-Windows-Shell-Core/ActionCenter
Microsoft-Windows-Shell-Core/AppDefaults
Microsoft-Windows-Shell-Core/LogonTasksChannel
Microsoft-Windows-Shell-Core/Operational
Microsoft-Windows-SmartCard-Audit/Authentication
Microsoft-Windows-SmartCard-DeviceEnum/Operational
Microsoft-Windows-SmartScreen/Debug
Microsoft-Windows-SMBWitnessClient/Admin
Microsoft-Windows-SMBWitnessClient/Informational
Microsoft-Windows-StateRepository/Operational
Microsoft-Windows-StorageManagement/Operational
Microsoft-Windows-StorageSpaces-ManagementAgent/WHC
Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic
Microsoft-Windows-StorageSpaces-SpaceManager/Operational
Microsoft-Windows-Storage-Tiering/Admin
Microsoft-Windows-Store/Operational
Microsoft-Windows-SystemSettingsThreshold/Operational
Microsoft-Windows-TaskScheduler/Maintenance
Microsoft-Windows-TaskScheduler/Operational
Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin
Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational
Microsoft-Windows-TerminalServices-LocalSessionManager/Admin
Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
Microsoft-Windows-TerminalServices-PnPDevices/Admin
Microsoft-Windows-TerminalServices-PnPDevices/Operational
Microsoft-Windows-TerminalServices-Printers/Admin
Microsoft-Windows-TerminalServices-Printers/Operational
Microsoft-Windows-TerminalServices-RDPClient/Operational
Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin
Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin
Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational
Microsoft-Windows-Time-Service/Operational
Microsoft-Windows-Time-Service-PTP-Provider/PTP-Operational
Microsoft-Windows-Troubleshooting-Recommended/Admin
Microsoft-Windows-Troubleshooting-Recommended/Operational
Microsoft-Windows-TWinUI/Operational
Microsoft-Windows-TZSync/Operational
Microsoft-Windows-TZUtil/Operational
Microsoft-Windows-UAC/Operational
Microsoft-Windows-UniversalTelemetryClient/Operational
Microsoft-Windows-User Control Panel/Operational
Microsoft-Windows-User Device Registration/Admin
Microsoft-Windows-User Profile Service/Operational
Microsoft-Windows-User-Loader/Operational
Microsoft-Windows-UserPnp/ActionCenter
Microsoft-Windows-UserPnp/DeviceInstall
Microsoft-Windows-VerifyHardwareSecurity/Admin
Microsoft-Windows-VerifyHardwareSecurity/Operational
Microsoft-Windows-VPN-Client/Operational
Microsoft-Windows-Wcmsvc/Operational
Microsoft-Windows-WDAG-PolicyEvaluator-CSP/Operational
Microsoft-Windows-WDAG-PolicyEvaluator-GP/Operational
Microsoft-Windows-WDAG-Service/Operational
Microsoft-Windows-WebAuth/Operational
Microsoft-Windows-WebAuthN/Operational
Microsoft-Windows-WebIO-NDF/Diagnostic
Microsoft-Windows-WEPHOSTSVC/Operational
Microsoft-Windows-WER-PayloadHealth/Operational
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
Microsoft-Windows-Windows Firewall With Advanced Security/FirewallDiagnostics
Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose
Microsoft-Windows-WindowsColorSystem/Operational
Microsoft-Windows-WindowsSystemAssessmentTool/Operational
Microsoft-Windows-WindowsUIImmersive/Operational
Microsoft-Windows-WinHTTP-NDF/Diagnostic
Microsoft-Windows-WinINet-Capture/Analytic
Microsoft-Windows-WinINet-Config/ProxyConfigChanged
Microsoft-Windows-Winlogon/Operational
Microsoft-Windows-WinRM/Operational
Microsoft-Windows-Winsock-NameResolution/Operational
Microsoft-Windows-Wired-AutoConfig/Operational
Microsoft-Windows-WLAN-AutoConfig/Operational
Microsoft-Windows-WMI-Activity/Operational
Microsoft-Windows-WMPNSS-Service/Operational
Microsoft-Windows-Wordpad/Admin
Microsoft-Windows-WorkFolders/Operational
Microsoft-Windows-WorkFolders/WHC
Microsoft-Windows-Workplace Join/Admin
Microsoft-Windows-WWAN-SVC-Events/Operational
OpenSSH/Admin
OpenSSH/Operational
RemoteDesktopServices-RemoteFX-SessionLicensing-Admin
RemoteDesktopServices-RemoteFX-SessionLicensing-Operational
Setup
SMSApi
Windows PowerShell

Appendix B: SACL audit messages for supported securable objects

I mentioned above that the strings contained in msobjs.dll provide valuable information: they state which securable objects support SACL auditing. I extracted all of the supported messages and grouped them by securable object in the list below. I hope this inspires you to use targeted SACLs in your environment as a way of supplementing your overall detection posture.

ALPC Port:
Communicate using port

Channel:
Channel read message
Channel write message
Channel query information
Channel set information

Desktop:
Read Objects
Create window
Create menu
Hook control
Journal (record)
Journal (playback)
Include this desktop in enumerations
Write objects
Switch to this desktop

Device:
Device Access Bit 0
Device Access Bit 1
Device Access Bit 2
Device Access Bit 3
Device Access Bit 4
Device Access Bit 5
Device Access Bit 6
Device Access Bit 7
Device Access Bit 8

Directory:
Query directory
Traverse
Create object in directory
Create sub-directory

Event:
Query event state
Modify event state

File, MailSlot, and NamedPipe:
ReadData (or ListDirectory)
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
ReadEA
WriteEA
Execute/Traverse
DeleteChild
ReadAttributes
WriteAttributes

IoCompletion:
Query State
Modify State

Job:
Assign process
Set Attributes
Query Attributes
Terminate Job
Set Security Attributes

Key:
Query key value
Set key value
Create sub-key
Enumerate sub-keys
Notify about changes to keys
Create Link
Undefined Access (no effect) Bit 6
Undefined Access (no effect) Bit 7
Enable 64(or 32) bit application to open 64 bit key
Enable 64(or 32) bit application to open 32 bit key

KeyedEvent:
KeyedEvent Wait
KeyedEvent Wake

Mutant:
Query mutant state

Port and WaitablePort:
Communicate using port

Process:
Force process termination
Create new thread in process
Set process session ID
Perform virtual memory operation
Read from process memory
Write to process memory
Duplicate handle into or out of process
Create a subprocess of process
Set process quotas
Set process information
Query process information
Set process termination port

Profile:
Control profile

Section:
Query section state
Map section for write
Map section for read
Map section for execute
Extend size

Semaphore:
Query semaphore state
Modify semaphore state

SymbolicLink:
Use symbolic link

Thread:
Force thread termination
Suspend or resume thread
Send an alert to thread
Get thread context
Set thread context
Set thread information
Query thread information
Assign a token to the thread
Cause thread to directly impersonate another thread
Directly impersonate this thread

Timer:
Query timer state
Modify timer state

Token:
AssignAsPrimary
Duplicate
Impersonate
Query
QuerySource
AdjustPrivileges
AdjustGroups
AdjustDefaultDacl
AdjustSessionID

Type:
Create instance of object type

WindowStation:
Enumerate desktops
Read attributes
Access Clipboard
Create desktop
Write attributes
Access global atoms
Exit windows
Unused Access Flag
Include this windowstation in enumerations
Read screen

WMI Namespace:
Enable WMI Account
Execute Method
Full Write
Partial Write
Provider Write
Remote Access
Subscribe
Publish

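As an added example of the targeted SACL idea from Appendix B (this is not code from the original post or from the NtObjectManager module), the PowerShell below places an audit ACE on a registry key so that the "Key" rights listed above as "Set key value" and "Create sub-key" are logged when any principal exercises them, and then reads the SACL back. It uses the .NET RegistryAuditRule type and the Get-Acl/Set-Acl cmdlets. The key path is a constructed placeholder, and the script assumes an elevated session (writing a SACL needs SeSecurityPrivilege) and that the "Registry" subcategory of Object Access auditing is enabled; without that subcategory, the ACE is set but no events are produced.

```powershell
# Added example, not from the original post.
# Assumptions: elevated PowerShell; auditing enabled beforehand with
#   auditpol /set /subcategory:"Registry" /success:enable /failure:enable
# The key below is a placeholder created only for this demonstration.
$keyPath = 'HKLM:\SOFTWARE\ExampleVendor\SaclDemo'
if (-not (Test-Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# -Audit is required so the returned RegistrySecurity object carries the SACL.
$acl = Get-Acl -Path $keyPath -Audit

# Appendix B "Key" rights of interest map to RegistryRights members:
#   "Set key value"  -> SetValue
#   "Create sub-key" -> CreateSubKey
$rights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
          [System.Security.AccessControl.RegistryRights]::CreateSubKey

# Audit every principal (Everyone, S-1-1-0) on both success and failure,
# and let the ACE inherit to sub-keys created beneath this one.
$everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
$auditRule = [System.Security.AccessControl.RegistryAuditRule]::new(
    $everyone,
    $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    ([System.Security.AccessControl.AuditFlags]::Success -bor
     [System.Security.AccessControl.AuditFlags]::Failure)
)

$acl.AddAuditRule($auditRule)
Set-Acl -Path $keyPath -AclObject $acl

# Read the SACL back to confirm the audit ACE is in place.
(Get-Acl -Path $keyPath -Audit).Audit |
    Format-Table IdentityReference, RegistryRights, AuditFlags, InheritanceFlags -AutoSize

# A matching access (for example, a value write under the key) now yields
# Security log events 4656 (handle requested) and 4663 (object accessed).
# This pulls the most recent ones so the result of the SACL can be observed.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*SaclDemo*' } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

The same pattern applies to any of the object types in Appendix B that the registry, file and WMI providers expose through Get-Acl; for the kernel-only types (ALPC ports, sections, tokens and so on) the SACL has to be written through the native object APIs instead, which is outside this example.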
This article is translated from: https://posts.specterops.io/security-descriptor-auditing-methodology-investigating-event-log-security-d64f4289965d

