windows-server-2008-r2 – How to determine the new file name in a rename audit log
Published: 2020-12-14 00:02:41  Category: Windows  Source: compiled from the web
[Windows 2008 R2 file system auditing]
When I delete a file, two audit messages appear in the event log: 4663 for the delete request and 4660 confirming the deletion. They can be joined on the Handle attribute.
When I rename a file, 4663 shows a new file being created (but only the folder path, no file name).
When I move a file from one folder to another, the picture is the same as for a rename (since a move is actually a rename, OK).
When a new file is created, no event appears at all.
So, the question:

My AuditPol.EXE export (DACL and SACL):

Category/Subcategory                         Setting
System
  Security System Extension                  Failure
  System Integrity                           Failure
  IPsec Driver                               Failure
  Other System Events                        Failure
  Security State Change                      Failure
Logon/Logoff
  Logon                                      Success and Failure
  Logoff                                     Success and Failure
  Account Lockout                            Success and Failure
  IPsec Main Mode                            Success and Failure
  IPsec Quick Mode                           Success and Failure
  IPsec Extended Mode                        Success and Failure
  Special Logon                              Success and Failure
  Other Logon/Logoff Events                  Success and Failure
  Network Policy Server                      Success and Failure
Object Access
  File System                                Success
  Registry                                   No Auditing
  Kernel Object                              No Auditing
  SAM                                        No Auditing
  Certification Services                     No Auditing
  Application Generated                      No Auditing
  Handle Manipulation                        No Auditing
  File Share                                 No Auditing
  Filtering Platform Packet Drop             No Auditing
  Filtering Platform Connection              No Auditing
  Other Object Access Events                 No Auditing
  Detailed File Share                        No Auditing
Privilege Use
  Sensitive Privilege Use                    Failure
  Non Sensitive Privilege Use                Failure
  Other Privilege Use Events                 Failure
Detailed Tracking
  Process Termination                        Failure
  DPAPI Activity                             Failure
  RPC Events                                 Failure
  Process Creation                           Failure
Policy Change
  Audit Policy Change                        Failure
  Authentication Policy Change               Failure
  Authorization Policy Change                Failure
  MPSSVC Rule-Level Policy Change            Failure
  Filtering Platform Policy Change           Failure
  Other Policy Change Events                 Failure
Account Management
  User Account Management                    Failure
  Computer Account Management                Failure
  Security Group Management                  Failure
  Distribution Group Management              Failure
  Application Group Management               Failure
  Other Account Management Events            Failure
DS Access
  Directory Service Changes                  No Auditing
  Directory Service Replication              No Auditing
  Detailed Directory Service Replication     No Auditing
  Directory Service Access                   Success
Account Logon
  Kerberos Service Ticket Operations         Success and Failure
  Other Account Logon Events                 Success and Failure
  Kerberos Authentication Service            Success and Failure
  Credential Validation                      Success and Failure

Entry:          1
Resource Type:  File
User:           CONTOSO\Domain Users
Flags:          Success
Accesses:       FILE_WRITE_DATA
                FILE_APPEND_DATA
                FILE_DELETE_CHILD
                DELETE

The command was successfully executed.
This is a complicated answer. While I gather the relevant links (including reason 1 for why this is hard to do reliably in the audit system), try this:

Use Sysmon and pivot off Event ID 2.

Related unanswered question.

1 It all comes down to the behaviour of the CreateFile() API, the different parameters it can receive, from where, hooks, architecture, and what the consumer does with the handle once it has it. Detecting changes to the file's creation time should get around all of that.

(Editor: 李大同)
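The join the question describes (4663 carries the object name and Handle ID, 4660 carries only the Handle ID) can be done directly from the Security log. The script below is an added example, not code from the question, the answer, or Microsoft; it assumes PowerShell 3.0 or later, an elevated session on the audited host, Object Access > File System = Success enabled, and a SACL that audits DELETE (as in the auditpol export above). `$Since`, the hashtable key format and the output columns are this example's own choices. Handle IDs are reused, so the key also includes the Process ID and the query is restricted to a time window rather than the whole log.

```powershell
# Added example: correlate Security 4663 (access requested, has ObjectName +
# HandleId) with 4660 (object deleted, HandleId only) so each confirmed delete
# is reported with the file name that 4660 itself omits.
# Assumptions: PowerShell 3+, elevated session, File System auditing (Success)
# and a DELETE SACL on the folder. $Since is an illustrative window.
param(
    [datetime]$Since = (Get-Date).AddHours(-24)
)

# Both IDs in one query; reading the Security log needs admin rights.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4663, 4660
    StartTime = $Since
} -ErrorAction Stop

# Flatten an event's <EventData> into a hashtable keyed by field name.
function ConvertTo-EventData {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $xml  = [xml]$Record.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    return $data
}

# Handle IDs are reused across processes and over time, so key on
# ProcessId + HandleId. One handle can produce several 4663 events
# (e.g. DELETE requested, then WRITE), so keep a list per key.
$byHandle = @{}
foreach ($e in ($events | Where-Object { $_.Id -eq 4663 })) {
    $d   = ConvertTo-EventData -Record $e
    $key = "$($d.ProcessId):$($d.HandleId)"
    if (-not $byHandle.ContainsKey($key)) { $byHandle[$key] = @() }
    $byHandle[$key] += [pscustomobject]@{
        Time       = $e.TimeCreated
        User       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        ObjectName = $d.ObjectName
        AccessMask = [int]$d.AccessMask   # e.g. "0x10000" -> 65536
        Process    = $d.ProcessName
    }
}

# For every 4660, find the 4663 on the same process/handle to recover the name.
$deleted = foreach ($e in ($events | Where-Object { $_.Id -eq 4660 })) {
    $d   = ConvertTo-EventData -Record $e
    $key = "$($d.ProcessId):$($d.HandleId)"
    $req = $byHandle[$key]
    if ($null -eq $req) {
        # 4660 with no matching 4663: the handle was opened before $Since,
        # or the SACL does not audit DELETE on that object.
        [pscustomobject]@{
            Time       = $e.TimeCreated
            HandleId   = $d.HandleId
            ObjectName = '<no matching 4663>'
            User       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Process    = ''
        }
        continue
    }
    # Prefer the 4663 that actually requested DELETE (access mask bit 0x10000).
    $del = $req | Where-Object { $_.AccessMask -band 0x10000 } | Select-Object -First 1
    if ($null -eq $del) { $del = $req[0] }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        HandleId   = $d.HandleId
        ObjectName = $del.ObjectName
        User       = $del.User
        Process    = $del.Process
    }
}

$deleted | Sort-Object Time | Format-Table -AutoSize
```

For a rename or move, the same join only yields the 4663 with DELETE on the old name; these events do not carry the new name, which is why the answer points at Sysmon (its log is `Microsoft-Windows-Sysmon/Operational`, queryable with the same `Get-WinEvent -FilterHashtable` pattern and `Id = 2`). Because Handle Manipulation is set to No Auditing in the export above, no 4658 (handle closed) events are available to bound each handle's lifetime, so keep the query window short to limit false joins from reused IDs.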