这个是误报吗?问了ai,好像挺严重,头疼
时间 操作 说明 次数2026-04-26 12:42:25 [自动阻止] 远程线程注入 防护 7 次
详细描述:
进程:C:\WINDOWS\System32\cmd.exe
动作:远程线程注入
路径:C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe (6)
拦截补充描述:{5}
防护信息: AD|2, 88|10, 10, -1||
顺着进程,查看Windows事件查看器的结果是:
审核成功 2026/4/26 12:42:39 Microsoft Windows security auditing. 4799 Security Group Management
审核成功 2026/4/26 12:42:14 Microsoft Windows security auditing. 4798 User Account Management
审核成功 2026/4/26 12:42:14 Microsoft Windows security auditing. 4798 User Account Management
审核成功 2026/4/26 12:42:14 Microsoft Windows security auditing. 4798 User Account Management
审核成功 2026/4/26 12:42:14 Microsoft Windows security auditing. 4798 User Account Management
审核成功 2026/4/26 12:42:14 Microsoft Windows security auditing. 4798 User Account Management
审核成功 2026/4/26 12:42:13 Microsoft Windows security auditing. 4798 User Account Management
审核成功 2026/4/26 12:42:13 Microsoft Windows security auditing. 4798 User Account Management
审核成功 2026/4/26 12:42:13 Microsoft Windows security auditing. 4798 User Account Management
审核成功 2026/4/26 12:42:13 Microsoft Windows security auditing. 4798 User Account Management
审核成功 2026/4/26 12:42:13 Microsoft Windows security auditing. 4798 User Account Management
审核成功 2026/4/26 12:42:12 Microsoft Windows security auditing. 4798 User Account Management
审核成功 2026/4/26 12:42:12 Microsoft Windows security auditing. 4798 User Account Management
审核成功 2026/4/26 12:42:12 Microsoft Windows security auditing. 4798 User Account Management
审核成功 2026/4/26 12:42:12 Microsoft Windows security auditing. 4798 User Account Management
审核成功 2026/4/26 12:42:12 Microsoft Windows security auditing. 4798 User Account Management
审核成功 2026/4/26 12:42:12 Microsoft Windows security auditing. 4798 User Account Management
审核成功 2026/4/26 12:42:12 Microsoft Windows security auditing. 4798 User Account Management
审核成功 2026/4/26 12:42:12 Microsoft Windows security auditing. 4798 User Account Management
审核成功 2026/4/26 12:42:12 Microsoft Windows security auditing. 4798 User Account Management
审核成功 2026/4/26 12:42:12 Microsoft Windows security auditing. 4798 User Account Management
审核成功 2026/4/26 12:42:11 Microsoft Windows security auditing. 4798 User Account Management
审核成功 2026/4/26 12:42:11 Microsoft Windows security auditing. 4798 User Account Management
审核成功 2026/4/26 12:42:11 Microsoft Windows security auditing. 4798 User Account Management
审核成功 2026/4/26 12:42:11 Microsoft Windows security auditing. 4798 User Account Management
审核成功 2026/4/26 12:42:11 Microsoft Windows security auditing. 4798 User Account Management
审核成功 2026/4/26 12:42:10 Microsoft Windows security auditing. 4798 User Account Management
审核成功 2026/4/26 12:42:10 Microsoft Windows security auditing. 4798 User Account Management
审核成功 2026/4/26 12:42:10 Microsoft Windows security auditing. 4798 User Account Management
审核成功 2026/4/26 12:42:10 Microsoft Windows security auditing. 4798 User Account Management
审核成功 2026/4/26 12:42:10 Microsoft Windows security auditing. 4798 User Account Management
审核成功 2026/4/26 12:42:07 Microsoft Windows security auditing. 4672 Special Logon
审核成功 2026/4/26 12:42:07 Microsoft Windows security auditing. 4627 Group Membership
审核成功 2026/4/26 12:42:07 Microsoft Windows security auditing. 4624 Logon
审核成功 2026/4/26 12:42:00 Microsoft Windows security auditing. 4672 Special Logon
审核成功 2026/4/26 12:42:00 Microsoft Windows security auditing. 4627 Group Membership
审核成功 2026/4/26 12:42:00 Microsoft Windows security auditing. 4624 Logon
审核成功 2026/4/26 12:42:00 Microsoft Windows security auditing. 4798 User Account Management
审核成功 2026/4/26 12:42:00 Microsoft Windows security auditing. 4798 User Account Management
审核成功 2026/4/26 12:42:00 Microsoft Windows security auditing. 4798 User Account Management
审核成功 2026/4/26 12:42:00 Microsoft Windows security auditing. 4798 User Account Management
审核成功 2026/4/26 12:42:00 Microsoft Windows security auditing. 4798 User Account Management
审核成功 2026/4/26 12:41:59 Microsoft Windows security auditing. 4672 Special Logon
一大堆的用户名枚举。。。。。
再次查看4798进程的详细信息,- System
- Provider
[ Name]Microsoft-Windows-Security-Auditing
[ Guid]{54849625-5478-4994-a5ba-3e3b0328c30d}
EventID 4798
Version 0
Level 0
Task 13824
Opcode 0
Keywords 0x8020000000000000
- TimeCreated
[ SystemTime]2026-04-26T04:41:59.0664323Z
EventRecordID 946148
- Correlation
[ ActivityID]{d80adf56-d4af-0004-fdee-0ad8afd4dc01}
- Execution
[ ProcessID]1176
[ ThreadID]30252
Channel Security
Computer LAPTOP-81IV4JJO
Security
- EventData
TargetUserName Administrator
TargetDomainName LAPTOP-81IV4JJO
TargetSid S-1-5-21-1435770227-3755137970-3104784367-500
SubjectUserSid S-1-5-18
SubjectUserName LAPTOP-81IV4JJO$
SubjectDomainName WORKGROUP
SubjectLogonId 0x3e7
CallerProcessId 0x44fc
CallerProcessName C:\Windows\System32\svchost.exe
这个是4798显示的详细信息
用微软官方工具 Process Explorer尝试查看PID 17660 加载了哪些 DLL。
结果是一片空白。。。。
最后是按照ai的指导,输了几个命令,结果:
C:\Users\奡>fltmc
筛选器列表失败,出现错误: 0x80070005
拒绝访问。
C:\Users\奡>sc qc lfsvc
QueryServiceConfig 成功
SERVICE_NAME: lfsvc
TYPE : 20WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs -p
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Geolocation Service
DEPENDENCIES : RpcSs
SERVICE_START_NAME : LocalSystem
C:\Users\奡>sc query lfsvc
SERVICE_NAME: lfsvc
TYPE : 30WIN32
STATE : 4RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0(0x0)
SERVICE_EXIT_CODE: 0(0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
C:\Users\奡>driverquery /v /fo csv > drivers.csv && drivers.csv
(空白无结果)
现在整个人非常头疼,有没有懂行的大佬指导一下,真的拜托了
您好,是一直拦截吗?您先用系统急救箱强力模式扫描一下,看看是否正常,如果还提示拦截的话,您加下我的问题,我帮您看下
页:
[1]