《2024windows安全常用排查命令集.docx》由会员分享,可在线阅读,更多相关《2024windows安全常用排查命令集.docx(8页珍藏版)》请在第壹文秘上搜索。
1、Windows常用排查命令集目录一、账号安全3二、检查异常端口进程5三、启动项检查6四、查看系统定时任务7五、查看系统服务8六、文件查看9一、账号安全queryuser查看当前登录账户C:ProgramFiles(x86)1.ogParser2.2queryuser用户名会话名ID世态空闲时间登录时间hahaconsole1运行中无2021/2/248:40IogoffID注销用户idnetuser查看用户netuserusername查看用户登录情况Iusrmgnmsc打开本地用户组描述管理计算机(域)的内置帐户系统管理的用户帐户.供来宾访问计算机或访问域的内表本地用户和组(本地)用户23蛆
2、名称全名AdministratorftaDefauItAcco.&Guest原hahaWDAGUtilit.系统为WindowsDefender应用regedit注册表查看账户,确认系统是否存在隐藏账户rrn11RtylulalMA1.ENtAMAv1.omansACCoUrnusersNameswuA9uuyAccoUnlV计算机名称类型 HKEY_C1.ASSES_ROOT瞄CKiA)0x1f8 HKEY_CURREN1.USERVHKEYi1.oCA1.MACHINE BCb(X)OOOOOO HARDWAREvSAMvSAMvDomainsvAccount1AliasesiGroups
3、VUsers000001F4OO(X)OIFS000001F7000001F8000003E9vNamesAdministratorDefauItAccountGuesthahaWDAGUtiIityAccountBuiltin1.dstSkuUpgradeRXACT SECURITY SOFTWARE SYSTEM HKEY_USERS HKEY_CURRENT_CONFIG利用1.ogParsenexe查看event日志,查询用户登录情况1.ogParsenexe-i:EVTSE1.ECTTimeGenerated,EXTRACTJOKEN(StringS,5,)ASUSERNAME,EX
4、TRACTJOKEN(StringsbT)ASSERVICE_NAME,EXTRAeTjOKEN(StringS5T)ASCIientJPFROMC:UsershahaDesktopSecurity.evtxWHEREEventlD=4624(AProgramFiles(x86)1.ogParser2.21.ogParser.exe-i:EVTSE1.ECTTimeGenerated,EXTRACT_TOKEX(Strings,5,EiEXTRACTTOKEN(Strings,5/)FROMC:UsershahaDesktopSecurity.evt,WHEREEventID=4624*Tim
5、eGeneratedUSERXAMEEXTRACT_TOKEN(Strings,5,)2020-10-1411:05:55SYSTEMSYSTEM2020-10-1411:05:56SYSTEMSYSTEM2020-10-1411:05:56UMFD-OUMFD-O2020-10-1411:05:56SYSTEMSYSTEM2020-10-1411:05:561.OCA1.SERVICE1.OCA1.SERVICE2020-10-1411:05:56NETWORKSERVICENETWORKSERVICE2020-10-1411:05:56SYSTEMSYSTEM2020-10-1411:05
6、:56UMFD-IUMFD-I2020-10-1411:05:56DWM-IDWM-12020-10-1411:05:56DwM-IDWM-I1.ogParsenexe日志分析工具更多用法可参考:https:WOOyUnJs.org/drops/WindoWS%E5%AE%89%E5%85%A8%E6%97%A5%E5%BF%97%E5%88%86%E6%9E%90%E4%B9%8Blogparser%E7%AF%87.html二、检查异常端口进程查看目前连接:netstat-ano一般是查看已经成功建立的连接:netstat-anofindstrESTAB1.ISHEDC:ProgramFi
7、les(x86)1.ogParser2.2netstat-anofindstrESTAB1.ISHEDTCP127.0.0.1:443127.0.0.1:7294ESTAB1.ISHED5264TCP127.0.0.1:1080127.0.0.1:7242ESTAB1.ISHED10140TCP127.0.0.1:1080127.0.0.1:7281ESTAB1.ISHED10140TCP127.0.0.1:1080127.0.0.1:7283ESTAB1.ISHED10140TCP127.0.0.1:1080127.0.0.1:7285ESTAB1.ISHED10140TCP127.0.0.
8、1:1543127.0.0.1:8900ESTAB1.ISHED3756TCP127.0.0.1:1549127.0.0.1:1550ESTAB1.ISHED4184TCP127.0.0.1:1550127.0.0.1:1549ESTAB1.ISHED4184TCP127.0.0.1:1554127.0.0.1:8900ESTAB1.ISHED6368TCP127.0.0.1:1555127.0.0.1:8900ESTAB1.ISHED6288TCP127.0.0.1:1557127.0.0.1:8900ESTAB1.ISHED6216TCP127.0.0.1:1658127.0.0.1:16
9、59ESTAB1.ISHED4724TCP127.0.0.1:1659127.0.0.1:1658ESTAB1.ISHED4724根据Pid定位程序名称tasklistIfindstrpidC:ProgramFiles(x86)1.ogParser2.2tasklistfindstr5808”XshellCore.exe5808Console135,652KC:ProgramFileS(x86)1.ogParSer2.2运行中输入msinfo32,可打开系统信息,在“正在运行任务”中可获取进程详细信息,包括进程的开始时间、版本、大小等信息。!三三MOO保OD9,tenIRftiwi然切W体三珠
10、噢HfDfMTM络连播1正在运行任穷加馥酗CM服外程方班启动我库OtEiim根据端口查看Pidb引讲线ID优小大ttHit版本大小130968wf,I2021/2/241.-dowsxplfrtx2021/2/248IoN1.447chromeEc:pr09r.mfs(x86)gcc982021/2/2488043IX,Svchostexe没有结科82021/2/24HWOsoftedgeex.CvMndOW5sysnappsmic.82002021/2/241_11.0.18-15.12smartscreen.execHdowssysertMSQ4A1-AAA1tAInetstat-anof
11、indstr8080C:ProgramFiles(x86)1.ogParser2.2netstat-anofindstr*8080*TCP172.16.222.193:160258.251.100.102:8080ESTAB1.ISHED9932C:ProgramFiles(x86)1.ogParSer2.2利用wmic查看进程执行时的命令Wmicprocesswherename=irefox.exe,getnamezCaptionzexecutablepathzCommand1.inezprocessid,ParentProcessld/value:ProgramFiles(x86)1.og
12、Parser2.2三三icprocesswherename=*irefox.exe,getname,Caption9executablepath,Command1.ineprocessidvParentProcessId/valueCaption=irefox.exeCommand1.ine=*E:Progra三FilesXMozillaFirefoxXirefox.exe*ExecutablePatheEzXProgramFilesMozillaFirefoxirefox.exeXame=irefox.exeParentProcessId=7568Processld2040Wmicprocesswhereprocessid=2040,getname,Caption,executablepath,Command1.inezprocessid,ParentProcessId/valueProgramFiles(x8
