All of the interfaces listed below are exposed on the following endpoints inside the lsass.exe process:
- pipe\lsass
- pipe\protected_storage
- LPC port protected_storage
- LPC port audit
- LPC port samss lpc
- LPC port securityevent
3 methods:
- s_SSCryptProtectData
- s_SSCryptUnprotectData
- s_SSCryptUpdateProtectedState
3 methods:
- s_SSRecoverQueryStatus
- s_SSRecoverImportRecoveryKey
- s_SSRecoverPassword
1 method:
- DsRolerGetPrimaryDomainInformation
0x15 methods:
- EfsRpcOpenFileRaw
- EfsRpcReadFileRaw
- EfsRpcWriteFileRaw
- EfsRpcCloseRaw
- EfsRpcEncryptFileSrv
- EfsRpcDecryptFileSrv
- EfsRpcQueryUsersOnFile
- EfsRpcQueryRecoveryAgents
- EfsRpcRemoveUsersFromFile
- EfsRpcAddUsersToFile
- EfsRpcSetFileEncryptionKey
- EfsRpcNotSupported
- EfsRpcFileKeyInfo
- EfsRpcDuplicateEncryptionInfoFile
- EfsUsePinForEncryptedFiles
- EfsRpcAddUsersToFileEx
- EfsRpcFileKeyInfoEx
- EfsRpcGenerateEfsStream
- EfsRpcGetEncryptedFileMetadata
- EfsRpcSetEncryptedFileMetadata
- EfsRpcFlushEfsCache
0x66 methods:
- LsarClose
- LsarDelete
- LsarEnumeratePrivileges
- LsarQuerySecurityObject
- LsarSetSecurityObject
- LsarChangePassword
- LsarOpenPolicyRPC
- LsarQueryInformationPolicy
- LsarSetInformationPolicy
- LsarSetPolicyReplicationHandle
- LsarCreateAccount
- LsarEnumerateAccounts
- LsarCreateTrustedDomain
- LsarEnumerateTrustedDomains
- LsarLookupNames
- LsarLookupSids
- LsarCreateSecret
- LsarOpenAccount
- LsarEnumeratePrivilegesAccount
- LsarAddPrivilegesToAccount
- LsarRemovePrivilegesFromAccount
- LsarGetQuotasForAccount
- EfsSsoOnReconnect_WL
- LsarGetSystemAccessAccount
- LsarSetSystemAccessAccount
- LsarOpenTrustedDomain
- LsarQueryInfoTrustedDomain
- LsarSetInformationTrustedDomain
- LsarOpenSecret
- LsarSetSecret
- LsarQuerySecret
- LsarLookupPrivilegeValue
- LsarLookupPrivilegeName
- LsarLookupPrivilegeDisplayName
- LsarDeleteObject
- LsarEnumerateAccountsWithUserRight
- LsarEnumerateAccountRights
- LsarAddAccountRights
- LsarRemoveAccountRights
- LsarQueryTrustedDomainInfo
- LsarSetTrustedDomainInfo
- LsarDeleteTrustedDomain
- LsarStorePrivateData
- LsarRetrievePrivateData
- LsarOpenPolicy2
- LsarGetUserName
- LsarQueryInformationPolicy2
- LsarSetInformationPolicy2
- LsarQueryTrustedDomainInfoByName
- LsarSetTrustedDomainInfoByName
- LsarEnumerateTrustedDomainsEx
- LsarCreateTrustedDomainEx
- LsarSetPolicyReplicationHandle
- LsarQueryDomainInformationPolicy
- LsarSetDomainInformationPolicy
- LsarOpenTrustedDomainByName
- LsaITestCall
- LsarLookupSids2
- LsarLookupNames2
- LsarCreateTrustedDomainEx2
- CredrWrite
- CredrRead
- CredrEnumerate
- CredrWriteDomainCredentials
- CredrReadDomainCredentials
- CredrDelete
- CredrGetTargetInfo
- CredrProfileLoaded
- LsarLookupNames3
- CredrGetSessionTypes
- LsarRegisterAuditEvent
- LsarGenAuditEvent
- LsarUnregisterAuditEvent
- LsarQueryForestTrustInformation
- LsarSetForestTrustInformation
- CredrRename
- LsarLookupSids3
- LsarLookupNames4
- LsarOpenPolicySce
- LsarAdtRegisterSecurityEventSource
- LsarAdtUnregisterSecurityEventSource
- LsarAdtReportSecurityEvent
- CredrFindBestCredential
- LsarSetAuditPolicy
- LsarQueryAuditPolicy
- LsarEnumerateAuditPolicy
- LsarEnumerateAuditCategories
- LsarEnumerateAuditSubCategories
- LsarLookupAuditCategoryName
- LsarLookupAuditSubCategoryName
- LsarSetAuditSecurity
- LsarQueryAuditSecurity
- CredrReadByTokenHandle
- CredrRestoreCredentials
- CredrBackupCredentials
- LsarManageSidNameMapping
- CredrProfileUnloaded
- LsarAddLanmanConnection
- LsarCancelLanmanConnection
- LsarAddDfsConnection
- LsarCancelDfsConnection
- LsarIsDfsConnectionInUse
S_LSP_PRIVATE_DATA ACE1C026-8B3F-4711-8918-F345D17F5BFF version 1.0
2 methods:
- S_RPC_LspUpdatePrivateData
- S_RPC_LspReadPrivateData