ÏîÄ¿×÷Õߣºi11us0ry

ÏîÄ¿µØµã£ºhttps://github.com/i11us0ry/winlog

Ò»¡¢¹¤¾ßÏÈÈÝ

winlogÒ»¿î»ùÓÚgoµÄwindowsÐÅÏ¢ÍøÂ繤¾ß£¬£¬£¬£¬Ö÷ÒªÍøÂçÄ¿µÄ×°±¸rdp¶Ë¿ÚµÇ¼¡¢mstscÔ¶³ÌÅþÁ¬¼Í¼¡¢mstscÃÜÂëºÍÇå¾²ÊÂÎñÖС£¡£¡£¡£

¶þ¡¢×°ÖÃÓëʹÓÃ

1¡¢»ñÈ¡ÍâµØRDP¶Ë¿Ú£º

\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

2¡¢»ñÈ¡Ä¿½ñÓû§mstscÔ¶³ÌÅþÁ¬¼Í¼£¬£¬£¬£¬°üÀ¨host¡¢port¡¢loginName

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\DefaultHKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\Servers

3¡¢»ñÈ¡Ä¿½ñЧÀÍÆ÷Çå¾²ÈÕÖ¾4624¡¢4625ÊÂÎñ

Advapi32.dll --> ReadEventLogW --> Security --> 4624¡¢4625

4¡¢×¥È¡ÃÜÂë

ÈôÊÇÓû§Ê¹ÓÃmstsc¾ÙÐÐÔ¶³ÌÅþÁ¬Ê±Ñ¡ÔñÁ˱£´æƾ֤£¬£¬£¬£¬Ôò¿ÉÒÔŲÓÃmimikatzץȡÓû§±£´æµÄÃÜÂë

5¡¢Ê¹ÓÃʱִÐÐexe£¬£¬£¬£¬ÈôÊÇÐèÒª»ñÈ¡ÃÜÂëÐèÒªÒ»ÆðÉÏ´«mimikatz£¬£¬£¬£¬²¢Ê¹ÓÃ-pÖ¸¶¨mimikatz£¬£¬£¬£¬Â·¾¶ÈçÏ£º

Èý¡¢ÏÂÔصص㣺

ͨ¹ýÏîÄ¿µØµãÏÂÔØ