
Qlog: A Windows Security Logging Tool Built on ETW

Published: 2021-11-19 11:33  Source: FreeBuf  Author: Alpha_h4ck  Column: Network Security

Qlog is a Windows security logging tool that provides enriched event logging for security-relevant events on Windows.

About

Qlog is a Windows security logging tool that provides enriched event logging for security-relevant events on Windows. The project is still under active development and the current release is an alpha. Qlog does not use API hooking and does not require a driver on the target system: it retrieves all of its telemetry from ETW (Event Tracing for Windows). The current version supports only the process-creation event; support for further event types is planned. Qlog can run as a Windows service, but it can also run in console mode, so the enriched events can be streamed straight to the console for further processing.

How it works

Qlog reads raw events from ETW, enriches them, and writes the result to its own event channel. For this it creates and uses a new event source named "QMonitor" and writes the enriched events into the Windows event log.

Qlog's event-processing sequence is:

  • Create an ETW session and subscribe to the relevant kernel and user-mode ETW providers;
  • Read events from the ETW providers;
  • Enrich the events (hashes, signature details, parent process and so on, as in the sample output below);
  • Write the enriched events to the QLOG event log channel.

Dependencies, installation and usage

Qlog requires .NET Framework 4.7.2 or later to be installed and configured on the local system.

Next, clone the project with:

  git clone https://github.com/threathunters-io/QLOG.git

Then run Qlog in interactive console mode:

  qlog.exe

Or run it as a Windows service. Installing a service and opening a kernel ETW session both require an elevated (Administrator) prompt:

  # Install the service
  qlog.exe -i

  # Uninstall the service
  qlog.exe -u

Sample ProcessCreate event output

  {
    "EventGuid": "68795fe8-67e7-410b-a5c0-8364746d7ffe",
    "StartTime": "2021-07-11T11:06:56.9621746+02:00",
    "QEventID": 100,
    "QType": "ProcessCreate",
    "Username": "TESTOS\\TESTUSER",
    "Imagefilename": "TEAMS.EXE",
    "KernelImagefilename": "TEAMS.EXE",
    "OriginalFilename": "TEAMS.EXE",
    "Fullpath": "C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
    "PID": 21740,
    "Commandline": "\"C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe\" --type=renderer --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --field-trial-handle=1668,499009601563875864,12511830007210419647,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=de --enable-wer --ms-teams-less-cors=522133263 --app-user-model-id=com.squirrel.Teams.Teams --app-path=\"C:\\Users\\jocke",
    "Modulecount": 41,
    "TTPHash": "42AC63285408F5FD91668B16F8E9157FD97046AB63E84117A14E31A188DDC62F",
    "Imphash": "F14F00FA1D4C82B933279C1A28957252",
    "sha256": "155625190ECAA90E596CB258A07382184DB738F6EDB626FEE4B9652FA4EC1CC2",
    "md5": "9453BC2A9CC489505320312F4E6EC21E",
    "sha1": "7219CB54AC535BA55BC1B202335A6291FDC2D76E",
    "ProcessIntegrityLevel": "None",
    "isOndisk": true,
    "isRunning": true,
    "Signed": "Signature valid",
    "AuthenticodeHash": "B8AD58EE5C35B3F80C026A318EEA34BABF6609C077CB3D45AEE69BF5C9CF8E11",
    "Signatures": [
      {
        "Subject": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
        "Issuer": "CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
        "NotBefore": "15.12.2020 22:24:20",
        "NotAfter": "02.12.2021 22:24:20",
        "DigestAlgorithmName": "SHA256",
        "Thumbprint": "E8C15B4C98AD91E051EE5AF5F524A8729050B2A2",
        "TimestampSignatures": [
          {
            "Subject": "CN=Microsoft Time-Stamp Service, OU=Thales TSS ESN:3BBD-E338-E9A1, OU=Microsoft America Operations, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
            "Issuer": "CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
            "NotBefore": "12.11.2020 19:26:02",
            "NotAfter": "11.02.2022 19:26:02",
            "DigestAlgorithmName": "SHA256",
            "Thumbprint": "E8220CE2AAD2073A9C8CD78752775E29782AABE8",
            "Timestamp": "15.06.2021 00:39:50+02:00"
          }
        ]
      },
      {
        "Subject": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
        "Issuer": "CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
        "NotBefore": "15.12.2020 22:31:47",
        "NotAfter": "02.12.2021 22:31:47",
        "DigestAlgorithmName": "SHA256",
        "Thumbprint": "C774204049D25D30AF9AC2F116B3C1FB88EE00A4",
        "TimestampSignatures": [
          {
            "Subject": "CN=Microsoft Time-Stamp Service, OU=Thales TSS ESN:F87A-E374-D7B9, OU=Microsoft Operations Puerto Rico, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
            "Issuer": "CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
            "NotBefore": "14.01.2021 20:02:23",
            "NotAfter": "11.04.2022 21:02:23",
            "DigestAlgorithmName": "SHA256",
            "Thumbprint": "ED2C601EDD49DD2A934D2AB32DCACC19940161EF",
            "Timestamp": "15.06.2021 00:39:53+02:00"
          }
        ]
      }
    ],
    "ParentProcess": {
      "EventGuid": null,
      "StartTime": "2021-07-11T09:54:28.9558001+02:00",
      "QEventID": 100,
      "QType": "ProcessCreate",
      "Username": "TEST-OS\\TESTUSER",
      "Imagefilename": "",
      "KernelImagefilename": "",
      "OriginalFilename": "TEAMS.EXE",
      "Fullpath": "C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
      "PID": 16232,
      "Commandline": "C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
      "Modulecount": 162,
      "TTPHash": "",
      "Imphash": "F14F00FA1D4C82B933279C1A28957252",
      "sha256": "155625190ECAA90E596CB258A07382184DB738F6EDB626FEE4B9652FA4EC1CC2",
      "md5": "9453BC2A9CC489505320312F4E6EC21E",
      "sha1": "7219CB54AC535BA55BC1B202335A6291FDC2D76E",
      "ProcessIntegrityLevel": "Medium",
      "isOndisk": true,
      "isRunning": true,
      "Signed": "Signature valid",
      "AuthenticodeHash": "B8AD58EE5C35B3F80C026A318EEA34BABF6609C077CB3D45AEE69BF5C9CF8E11",
      "Signatures": [
        {
          "Subject": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
          "Issuer": "CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
          "NotBefore": "15.12.2020 22:24:20",
          "NotAfter": "02.12.2021 22:24:20",
          "DigestAlgorithmName": "SHA256",
          "Thumbprint": "E8C15B4C98AD91E051EE5AF5F524A8729050B2A2",
          "TimestampSignatures": [
            {
              "Subject": "CN=Microsoft Time-Stamp Service, OU=Thales TSS ESN:3BBD-E338-E9A1, OU=Microsoft America Operations, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
              "Issuer": "CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
              "NotBefore": "12.11.2020 19:26:02",
              "NotAfter": "11.02.2022 19:26:02",
              "DigestAlgorithmName": "SHA256",
              "Thumbprint": "E8220CE2AAD2073A9C8CD78752775E29782AABE8",
              "Timestamp": "15.06.2021 00:39:50+02:00"
            }
          ]
        },
        {
          "Subject": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
          "Issuer": "CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
          "NotBefore": "15.12.2020 22:31:47",
          "NotAfter": "02.12.2021 22:31:47",
          "DigestAlgorithmName": "SHA256",
          "Thumbprint": "C774204049D25D30AF9AC2F116B3C1FB88EE00A4",
          "TimestampSignatures": [
            {
              "Subject": "CN=Microsoft Time-Stamp Service, OU=Thales TSS ESN:F87A-E374-D7B9, OU=Microsoft Operations Puerto Rico, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
              "Issuer": "CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
              "NotBefore": "14.01.2021 20:02:23",
              "NotAfter": "11.04.2022 21:02:23",
              "DigestAlgorithmName": "SHA256",
              "Thumbprint": "ED2C601EDD49DD2A934D2AB32DCACC19940161EF",
              "Timestamp": "15.06.2021 00:39:53+02:00"
            }
          ]
        }
      ],
      "ParentProcess": null
    }
  }
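The enriched fields above (Imagefilename vs. OriginalFilename, isOndisk, Signed, the signer's validity window and its timestamp countersignature, and the nested ParentProcess) are what make the event useful for detection. The script below is an added example, not code from the Qlog project or the article: it triages ProcessCreate events in the JSON shape Qlog prints in console mode. It assumes one JSON object per line, that "Signature valid" (the only value shown on the page) is the sole trustworthy value of `Signed`, and that certificate times printed without an offset are UTC; the user-writable directory list and the SUSPICIOUS event are constructed for illustration.

```python
"""Triage checks for Qlog ProcessCreate events (added example, not Qlog code).

Assumes Qlog's console mode prints one JSON object per event with the field
names shown in the sample above. Only "Signature valid" is taken from that
sample; any other value of "Signed" is treated as not trustworthy (assumption).
"""
import json
from datetime import datetime, timezone

# Constructed sample events. BENIGN mirrors the page's Teams event (paths, PIDs
# and certificate dates copied from it, hashes/GUIDs omitted); SUSPICIOUS is
# invented so that it trips every check.
BENIGN = {
    "QEventID": 100, "QType": "ProcessCreate",
    "Imagefilename": "TEAMS.EXE", "OriginalFilename": "TEAMS.EXE",
    "Fullpath": "C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
    "PID": 21740, "isOndisk": True, "Signed": "Signature valid",
    "Signatures": [{
        "Subject": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
        "NotBefore": "15.12.2020 22:24:20", "NotAfter": "02.12.2021 22:24:20",
        "TimestampSignatures": [{
            "NotBefore": "12.11.2020 19:26:02", "NotAfter": "11.02.2022 19:26:02",
            "Timestamp": "15.06.2021 00:39:50+02:00",
        }],
    }],
    "ParentProcess": {
        "Imagefilename": "", "OriginalFilename": "TEAMS.EXE",
        "Fullpath": "C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
        "PID": 16232, "isOndisk": True, "Signed": "Signature valid",
        "Signatures": [], "ParentProcess": None,
    },
}
SUSPICIOUS = {
    "QEventID": 100, "QType": "ProcessCreate",
    "Imagefilename": "SVCHOST.EXE", "OriginalFilename": "PROCDUMP.EXE",
    "Fullpath": "C:\\Users\\TESTUSER\\AppData\\Local\\Temp\\svchost.exe",
    "PID": 4242, "isOndisk": False, "Signed": "Not signed",  # assumed value
    "Signatures": [],
    "ParentProcess": {
        "Imagefilename": "WINWORD.EXE", "OriginalFilename": "WINWORD.EXE",
        "Fullpath": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
        "PID": 1000, "isOndisk": True, "Signed": "Signature valid",
        "Signatures": [], "ParentProcess": None,
    },
}
SUSPICIOUS_LINE = json.dumps(SUSPICIOUS)  # one console-mode output line

# Directories an unprivileged user can write to (assumed list, extend as needed).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")


def parse_qlog_time(text):
    """Qlog prints certificate times as 'DD.MM.YYYY HH:MM:SS'; only the
    Timestamp field carries a '+HH:MM' offset. Offset-less times assumed UTC."""
    for fmt in ("%d.%m.%Y %H:%M:%S%z", "%d.%m.%Y %H:%M:%S"):
        try:
            parsed = datetime.strptime(text, fmt)
        except ValueError:
            continue
        return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)
    raise ValueError(f"unrecognised Qlog time: {text!r}")


def countersignature_ok(signature):
    """An Authenticode timestamp countersignature proves the file was signed
    while the signer's certificate was valid, which is why the signature stays
    valid after NotAfter. True only if every timestamp lies inside the signer's
    NotBefore..NotAfter window; no timestamp at all counts as a failure."""
    not_before = parse_qlog_time(signature["NotBefore"])
    not_after = parse_qlog_time(signature["NotAfter"])
    stamps = signature.get("TimestampSignatures") or []
    return bool(stamps) and all(
        not_before <= parse_qlog_time(ts["Timestamp"]) <= not_after for ts in stamps)


def lineage(event):
    """Walk ParentProcess links into 'parent > child' text. The parent in the
    page's sample has an empty Imagefilename, so fall back to OriginalFilename."""
    chain, node = [], event
    while node is not None:
        name = node.get("Imagefilename") or node.get("OriginalFilename") or "?"
        chain.append(f"{name}({node.get('PID')})")
        node = node.get("ParentProcess")
    return " > ".join(reversed(chain))


def triage(event):
    """Return a list of findings for one ProcessCreate event (empty = clean)."""
    findings = []
    image = (event.get("Imagefilename") or "").upper()
    original = (event.get("OriginalFilename") or "").upper()
    if image and original and image != original:  # renamed binary / masquerading
        findings.append(f"name mismatch: runs as {image} but PE header says {original}")
    if not event.get("isOndisk", True):
        findings.append("image no longer on disk")
    if event.get("Signed") != "Signature valid":
        findings.append(f"signature state: {event.get('Signed')!r}")
    elif not all(countersignature_ok(s) for s in event.get("Signatures") or []):
        findings.append("signer certificate validity does not cover the timestamp")
    path = (event.get("Fullpath") or "").lower()
    if any(marker in path for marker in USER_WRITABLE):
        findings.append(f"launched from user-writable path: {event['Fullpath']}")
    return findings


def triage_line(line):
    """Triage one JSON line as printed by Qlog in console mode."""
    return triage(json.loads(line))


if __name__ == "__main__":
    for ev in (BENIGN, SUSPICIOUS):
        print(lineage(ev), "->", triage(ev) or "clean")
```

Pipe Qlog's console output through `triage_line` one line at a time, or feed it the `Message` body of events read back from the QLOG channel. The countersignature check is the part worth keeping even if the rest is replaced by a SIEM rule: a file whose signer certificate has expired is still legitimately "Signature valid" when its timestamp falls inside the certificate's validity window, and a signature whose timestamp falls outside that window should not be trusted just because the `Signed` field says so.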

Project

Qlog: https://github.com/threathunters-io/QLOG (the repository used in the clone command above)

References: https://threathunters.io/

Original article: https://www.freebuf.com/articles/system/290653.html
