[Forensics] Windows - Getting User and Administrator Information
whoami
whoami /user
net users
net localgroup administrators
net group /domain [groupname]
net user /domain [username]
wmic sysaccount
wmic useraccount get name,SID
wmic useraccount list
whoami
whoami /user
The whoami and whoami /user commands return the user's name and SID.
net users
net localgroup administrators
The net users and net localgroup administrators commands show which user accounts exist and let you check the alias.
wmic sysaccount
C:\Users\pental>wmic sysaccount
Caption Description Domain InstallDate LocalAccount Name SID SIDType Status
DESKTOP-4K1BO95\Everyone DESKTOP-4K1BO95\Everyone DESKTOP-4K1BO95 TRUE Everyone S-1-1-0 5 OK
DESKTOP-4K1BO95\LOCAL DESKTOP-4K1BO95\LOCAL DESKTOP-4K1BO95 TRUE LOCAL S-1-2-0 5 OK
DESKTOP-4K1BO95\CREATOR OWNER DESKTOP-4K1BO95\CREATOR OWNER DESKTOP-4K1BO95 TRUE CREATOR OWNER S-1-3-0 5 OK
DESKTOP-4K1BO95\CREATOR GROUP DESKTOP-4K1BO95\CREATOR GROUP DESKTOP-4K1BO95 TRUE CREATOR GROUP S-1-3-1 5 OK
DESKTOP-4K1BO95\CREATOR OWNER SERVER DESKTOP-4K1BO95\CREATOR OWNER SERVER DESKTOP-4K1BO95 TRUE CREATOR OWNER SERVER S-1-3-2 5 OK
DESKTOP-4K1BO95\CREATOR GROUP SERVER DESKTOP-4K1BO95\CREATOR GROUP SERVER DESKTOP-4K1BO95 TRUE CREATOR GROUP SERVER S-1-3-3 5 OK
DESKTOP-4K1BO95\OWNER RIGHTS DESKTOP-4K1BO95\OWNER RIGHTS DESKTOP-4K1BO95 TRUE OWNER RIGHTS S-1-3-4 5 OK
DESKTOP-4K1BO95\DIALUP DESKTOP-4K1BO95\DIALUP DESKTOP-4K1BO95 TRUE DIALUP S-1-5-1 5 OK
DESKTOP-4K1BO95\NETWORK DESKTOP-4K1BO95\NETWORK DESKTOP-4K1BO95 TRUE NETWORK S-1-5-2 5 OK
DESKTOP-4K1BO95\BATCH DESKTOP-4K1BO95\BATCH DESKTOP-4K1BO95 TRUE BATCH S-1-5-3 5 OK
DESKTOP-4K1BO95\INTERACTIVE DESKTOP-4K1BO95\INTERACTIVE DESKTOP-4K1BO95 TRUE INTERACTIVE S-1-5-4 5 OK
DESKTOP-4K1BO95\SERVICE DESKTOP-4K1BO95\SERVICE DESKTOP-4K1BO95 TRUE SERVICE S-1-5-6 5 OK
DESKTOP-4K1BO95\ANONYMOUS LOGON DESKTOP-4K1BO95\ANONYMOUS LOGON DESKTOP-4K1BO95 TRUE ANONYMOUS LOGON S-1-5-7 5 OK
DESKTOP-4K1BO95\PROXY DESKTOP-4K1BO95\PROXY DESKTOP-4K1BO95 TRUE PROXY S-1-5-8 5 OK
DESKTOP-4K1BO95\SYSTEM DESKTOP-4K1BO95\SYSTEM DESKTOP-4K1BO95 TRUE SYSTEM S-1-5-18 5 OK
DESKTOP-4K1BO95\ENTERPRISE DOMAIN CONTROLLERS DESKTOP-4K1BO95\ENTERPRISE DOMAIN CONTROLLERS DESKTOP-4K1BO95 TRUE ENTERPRISE DOMAIN CONTROLLERS S-1-5-9 5 OK
DESKTOP-4K1BO95\SELF DESKTOP-4K1BO95\SELF DESKTOP-4K1BO95 TRUE SELF S-1-5-10 5 OK
DESKTOP-4K1BO95\Authenticated Users DESKTOP-4K1BO95\Authenticated Users DESKTOP-4K1BO95 TRUE Authenticated Users S-1-5-11 5 OK
DESKTOP-4K1BO95\RESTRICTED DESKTOP-4K1BO95\RESTRICTED DESKTOP-4K1BO95 TRUE RESTRICTED S-1-5-12 5 OK
DESKTOP-4K1BO95\TERMINAL SERVER USER DESKTOP-4K1BO95\TERMINAL SERVER USER DESKTOP-4K1BO95 TRUE TERMINAL SERVER USER S-1-5-13 5 OK
DESKTOP-4K1BO95\REMOTE INTERACTIVE LOGON DESKTOP-4K1BO95\REMOTE INTERACTIVE LOGON DESKTOP-4K1BO95 TRUE REMOTE INTERACTIVE LOGON S-1-5-14 5 OK
DESKTOP-4K1BO95\IUSR DESKTOP-4K1BO95\IUSR DESKTOP-4K1BO95 TRUE IUSR S-1-5-17 5 OK
DESKTOP-4K1BO95\LOCAL SERVICE DESKTOP-4K1BO95\LOCAL SERVICE DESKTOP-4K1BO95 TRUE LOCAL SERVICE S-1-5-19 5 OK
DESKTOP-4K1BO95\NETWORK SERVICE DESKTOP-4K1BO95\NETWORK SERVICE DESKTOP-4K1BO95 TRUE NETWORK SERVICE S-1-5-20 5 OK
DESKTOP-4K1BO95\BUILTIN DESKTOP-4K1BO95\BUILTIN DESKTOP-4K1BO95 TRUE BUILTIN S-1-5-32 3 OK
The wmic sysaccount command shows the Caption, Description, Domain, InstallDate, LocalAccount, Name, SID, SIDType and Status of each account.
wmic useraccount get name,SID
The wmic useraccount get name,SID command extracts only the name and SID values.
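Added example (not from the original post): a Python script that parses saved `wmic useraccount get name,SID` output and classifies each account by the RID at the end of its SID, so the built-in Administrator (RID 500) and Guest (RID 501) are identified even when the account has been renamed. The sample output, its SID values and the function names are constructed for this example.

```python
import re

# RIDs that Windows assigns to built-in accounts under S-1-5-21-<machine id>.
BUILTIN_RIDS = {500: "built-in Administrator", 501: "built-in Guest",
                503: "DefaultAccount", 504: "WDAGUtilityAccount"}
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")

def parse_sid(sid):
    """Return (authority, [sub-authorities]) or None if the string is not a SID."""
    m = SID_RE.match(sid)
    if not m:
        return None
    return int(m.group(1)), [int(x) for x in m.group(2)[1:].split("-")]

def classify(sid):
    """Describe an account from its SID; the name is ignored because it can be changed."""
    parsed = parse_sid(sid)
    if parsed is None:
        return "malformed"
    authority, subs = parsed
    # Account SIDs look like S-1-5-21-<three 32-bit ids>-<RID>.
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        rid = subs[-1]
        if rid in BUILTIN_RIDS:
            return BUILTIN_RIDS[rid]
        return "created after install" if rid >= 1000 else "reserved RID %d" % rid
    return "well-known SID"

def parse_wmic(text):
    """Parse `wmic useraccount get name,SID` text into (name, sid, class) rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # The SID is the last column; names may contain spaces.
        if len(parts) >= 2 and parts[-1].startswith("S-1-"):
            rows.append((" ".join(parts[:-1]), parts[-1], classify(parts[-1])))
    return rows

# Constructed sample output (SID values are made up for illustration).
SAMPLE = """\
Name                SID
admin_renamed       S-1-5-21-1111111111-2222222222-3333333333-500
DefaultAccount      S-1-5-21-1111111111-2222222222-3333333333-503
Guest               S-1-5-21-1111111111-2222222222-3333333333-501
pental              S-1-5-21-1111111111-2222222222-3333333333-1001
svc backup          S-1-5-21-1111111111-2222222222-3333333333-1002
"""

if __name__ == "__main__":
    for name, sid, kind in parse_wmic(SAMPLE):
        print("%-15s %-50s %s" % (name, sid, kind))
```

If the wmic output was redirected to a file, decode it as UTF-16 before passing the text to `parse_wmic`.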
wmic useraccount list
The wmic useraccount list command shows the AccountType, Description, Disabled, Domain, FullName, InstallDate, LocalAccount, Lockout, Name, PasswordChangeable, PasswordExpires, PasswordRequired, SID, SIDType and Status values.
For further questions or to report typos, please send an email to pental@kakao.com.