To analyze the Windows Registry completely, the following files are needed:
- Security
- default
- SAM
- Software
- System
- NTUSER.DAT
The problem is that companies reluctant to expose server information during collection hand the investigator only the registry information of the account in question (NTUSER.DAT). In this situation, how can the user's group membership be determined?
I loaded the NTUSER.DAT into our lab's registry analysis tool (RegAn) and checked.
Location: "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership"
Below is information on the well-known SIDs among those SIDs.
What is a SID?
A security identifier (SID) is a unique value of variable length that is used to identify a security principal or security group in Windows operating systems. Well-known SIDs are a group of SIDs that identify generic users or generic groups. Their values remain constant across all operating systems.
This information is useful for troubleshooting issues involving security. It is also useful for potential display problems that may be seen in the ACL editor. A SID may be displayed in the ACL editor instead of the user or group name.
Well-known security identifiers
For a quicker look, the same information can also be checked from the console with the "gpresult" command.
Matching results
| SID | Name | Description |
|---|---|---|
| S-5-21-Domain Name-513 | None | An identifier authority. |
| S-1-1-0 | Everyone | A group that includes all users, even anonymous users and guests. Membership is controlled by the operating system. |
| S-1-5-32-544 | BUILTIN\Administrators | A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group. |
| S-1-5-32-545 | BUILTIN\Users | A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer. |
| S-1-5-4 | NT AUTHORITY\INTERACTIVE | A group that includes all users that have logged on interactively. Membership is controlled by the operating system. |
| S-1-5-11 | NT AUTHORITY\Authenticated Users | A group that includes all users whose identities were authenticated when they logged on. Membership is controlled by the operating system. |
| S-1-2-0 | LOCAL | An identifier authority. |
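The lookup in the table above can be automated. The following script is an added example, not code from the original post or from RegAn: it takes the values found under the GroupMembership key (assumed here to be REG_SZ values named Group0, Group1, ... plus a Count value, which is how the Group Policy client writes that key), resolves each SID against the well-known SIDs and the well-known domain-relative RIDs, and answers the forensic question of whether the profile's owner was in BUILTIN\Administrators. The hive reader `load_group_membership` assumes the third-party python-registry package; the constructed `SAMPLE_VALUES` let the script run without a hive file.

```python
"""Classify the group SIDs recorded in a user's NTUSER.DAT under
Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\GroupMembership.

Added example (not from the original post). Assumed key layout: values
Group0..GroupN holding SID strings and a Count value holding N+1.
"""
import re

GROUP_MEMBERSHIP_KEY = r"Software\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership"

# Well-known SIDs whose values are constant on every Windows installation.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-2-0": "LOCAL",
    "S-1-5-4": r"NT AUTHORITY\INTERACTIVE",
    "S-1-5-11": r"NT AUTHORITY\Authenticated Users",
    "S-1-5-32-544": r"BUILTIN\Administrators",
    "S-1-5-32-545": r"BUILTIN\Users",
    "S-1-5-32-546": r"BUILTIN\Guests",
}

# Well-known RIDs relative to a domain or machine SID (S-1-5-21-x-y-z-<RID>).
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users (displayed as 'None' on a standalone machine)",
    514: "Domain Guests",
}

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


def parse_sid(sid):
    """Split an S-R-I-S... string into (revision, identifier authority, [subauthorities])."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID string: {sid!r}")
    subauths = [int(x) for x in m.group(3).split("-")[1:]]
    return int(m.group(1)), int(m.group(2)), subauths


def resolve_sid(sid):
    """Map a SID to a human-readable name using the well-known tables."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    revision, authority, subauths = parse_sid(sid)
    # Domain/machine-relative SID: revision 1, NT authority (5), first subauthority 21,
    # three domain identifier subauthorities, then the RID.
    if revision == 1 and authority == 5 and len(subauths) == 5 and subauths[0] == 21:
        rid = subauths[4]
        return WELL_KNOWN_RIDS.get(rid, f"domain/local account or group, RID {rid}")
    return "unknown SID"


def group_membership_from_values(values):
    """values: mapping of registry value name -> data, as read from the key.
    Returns a list of (sid, resolved name) in Group0..GroupN order."""
    count = int(values.get("Count", 0))
    groups = []
    for i in range(count):
        name = f"Group{i}"
        if name not in values:
            continue  # tolerate a Count that is larger than the values present
        sid = values[name]
        groups.append((sid, resolve_sid(sid)))
    return groups


def is_local_admin(groups):
    """True when BUILTIN\\Administrators appears among the recorded groups."""
    return any(sid == "S-1-5-32-544" for sid, _ in groups)


def load_group_membership(hive_path):
    """Read the key from a real NTUSER.DAT using python-registry (assumed installed)."""
    from Registry import Registry  # pip install python-registry
    key = Registry.Registry(hive_path).open(GROUP_MEMBERSHIP_KEY)
    return {v.name(): v.value() for v in key.values()}


# Constructed sample: what the key could hold for a local account that was
# placed in Administrators (the S-1-5-21 domain identifier is made up).
SAMPLE_VALUES = {
    "Count": 6,
    "Group0": "S-1-5-21-1111111111-2222222222-3333333333-513",
    "Group1": "S-1-1-0",
    "Group2": "S-1-5-32-544",
    "Group3": "S-1-5-32-545",
    "Group4": "S-1-5-4",
    "Group5": "S-1-5-11",
}

if __name__ == "__main__":
    import sys
    values = load_group_membership(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_VALUES
    groups = group_membership_from_values(values)
    for sid, name in groups:
        print(f"{sid:<50} {name}")
    print("member of BUILTIN\\Administrators:", is_local_admin(groups))
```

Run it with the path to an exported NTUSER.DAT to read the real key, or with no arguments to see the constructed sample. One caveat worth keeping in mind when interpreting the result: the key reflects the token the Group Policy client saw at the user's last logon, so it tells you the membership at that time, not the current state of the SAM.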
In a case I actually investigated, the client provided only NTUSER.DAT, and since the account that performed the malicious activity was guest, it was necessary to determine whether it belonged to the Administrators group. With this method it could be easily confirmed :)