About QLOG
QLOG is a Windows security tool that provides enriched event logging for security-related events on Windows systems. It is under active development and is currently in an alpha state. QLOG does not use API hooking and does not require a driver to be installed on the target system; it retrieves its telemetry through ETW. The current version only supports process creation events; more detailed event support may be added later. QLOG can run as a Windows service, but it can also run in console mode, so the enriched event data can be consumed directly from the console as well.
How it works
QLOG reads data from ETW, enriches it with detailed event information, and writes the result to the Windows Event Log through a new event source that the tool creates, named QMonitor.
QLOG processes events in the following order:
Create an ETW session and subscribe to the relevant kernel and user-mode ETW providers;
Read events from the ETW providers;
Enrich the events;
Write the enriched events to the QLOG event log.
Dependencies, installation and usage
QLOG requires .NET Framework >= 4.7.2 to be installed and configured on the local system.
Next, clone the project locally with the following command:
git clone https://github.com/threathunters-io/QLOG.git
QLOG can then be run in console mode, or installed and run as a Windows service:
# Install the service
qlog.exe -i
# Uninstall the service
qlog.exe -u
Sample output for a process creation event
{
  "EventGuid": "68795fe8-67e7-410b-a5c0-8364746d7ffe",
  "StartTime": "2021-07-11T11:06:56.9621746+02:00",
  "QEventID": 100,
  "QType": "ProcessCreation",
  "Username": "TESTOS\\TESTUSER",
  "Imagefilename": "TEAMS.EXE",
  "KernelImagefilename": "TEAMS.EXE",
  "OriginalFilename": "TEAMS.EXE",
  "Fullpath": "C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
  "PID": 21740,
  "Commandline": "\"C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe\" --type=renderer --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --field-trial-handle=1668,499009601563875864,12511830007210419647,131072 --enable-features=WebComponentsV0ProcessEnabled,CookieMuseSpauseSpameSperangeS --disableSwith-features,499009601563875864,12511830007210419647,131072 =de --enable-wer --ms-teams-less-cors=522133263 --app-user-model-id=com.squirrel.Teams.Teams --app-path=\"C:\\Users\\乔克",
  "ModuleCount": 41,
  "TTPHash": "42AC63285408F5FD91668B16F8E9157FD97046AB63E84117A14E31A188DDC62F",
  "Imphash": "F14F00FA1D4C82B933279C1A28957252",
  "sha256": "155625190ECAA90E596CB258A07382184DB738F6EDB626FEE4B9652FA4EC1CC2",
  "md5": "9453BC2A9CC489505320312F4E6EC21E",
  "sha1": "7219CB54AC535BA55BC1B202335A6291FDC2D76E",
  "ProcessIntegrityLevel": "None",
  "isOndisk": true,
  "isRunning": true,
  "Signed": "SignatureValid",
  "AuthenticodeHash": "B8AD58EE5C35B3F80C026A318EEA34BABF6609C077CB3D45AEE69BF5C9CF8E11",
  "Signatures": [
    {
      "Subject": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
      "Issuer": "CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
      "NotBefore": "15.12.2020 22:24:20",
      "NotAfter": "02.12.2021 22:24:20",
      "DigestAlgorithmName": "SHA256",
      "Thumbprint": "E8C15B4C98AD91E051EE5AF5F524A8729050B2A2",
      "TimestampSignatures": [
        {
          "Subject": "CN=Microsoft Time-Stamp Service,OU=Thales TSS ESN:3BBD-E338-E9A1,OU=Microsoft America Operations,O=Microsoft Corporation,L=Redmond,S=Washington,C=US",
          "Issuer": "CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
          "NotBefore": "12.11.2020 19:26:02",
          "NotAfter": "11.02.2022 19:26:02",
          "DigestAlgorithmName": "SHA256",
          "Thumbprint": "E8220CE2AAD2073A9C8CD78752775E29782AABE8",
          "Timestamp": "15.06.2021 00:39:50 +02:00"
        }
      ]
    },
    {
      "Subject": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
      "Issuer": "CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
      "NotBefore": "15.12.2020 22:31:47",
      "NotAfter": "02.12.2021 22:31:47",
      "DigestAlgorithmName": "SHA256",
      "Thumbprint": "C774204049D25D30AF9AC2F116B3C1FB88EE00A4",
      "TimestampSignatures": [
        {
          "Subject": "CN=Microsoft Time-Stamp Service,OU=Thales TSS ESN:F87A-E374-D7B9,OU=Microsoft Operations Puerto Rico,O=Microsoft Corporation,L=Redmond,S=Washington,C=US",
          "Issuer": "CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
          "NotBefore": "14.01.2021 20:02:23",
          "NotAfter": "11.04.2022 21:02:23",
          "DigestAlgorithmName": "SHA256",
          "Thumbprint": "ED2C601EDD49DD2A934D2AB32DCACC19940161EF",
          "Timestamp": "15.06.2021 00:39:53 +02:00"
        }
      ]
    }
  ],
  "ParentProcess": {
    "EventGuid": null,
    "StartTime": "2021-07-11T09:54:28.9558001+02:00",
    "QEventID": 100,
    "QType": "ProcessCreation",
    "Username": "TEST-OS\\TESTUSER",
    "Imagefilename": "",
    "KernelImagefilename": "",
    "OriginalFilename": "TEAMS.EXE",
    "Fullpath": "C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
    "PID": 16232,
    "Commandline": "C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe ",
    "ModuleCount": 162,
    "TTPHash": "",
    "Imphash": "F14F00FA1D4C82B933279C1A28957252",
    "sha256": "155625190ECAA90E596CB258A07382184DB738F6EDB626FEE4B9652FA4EC1CC2",
    "md5": "9453BC2A9CC489505320312F4E6EC21E",
    "sha1": "7219CB54AC535BA55BC1B202335A6291FDC2D76E",
    "ProcessIntegrityLevel": "Medium",
    "isOndisk": true,
    "isRunning": true,
    "Signed": "SignatureValid",
    "AuthenticodeHash": "B8AD58EE5C35B3F80C026A318EEA34BABF6609C077CB3D45AEE69BF5C9CF8E11",
    "Signatures": [
      {
        "Subject": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
        "Issuer": "CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
        "NotBefore": "15.12.2020 22:24:20",
        "NotAfter": "02.12.2021 22:24:20",
        "DigestAlgorithmName": "SHA256",
        "Thumbprint": "E8C15B4C98AD91E051EE5AF5F524A8729050B2A2",
        "TimestampSignatures": [
          {
            "Subject": "CN=Microsoft Time-Stamp Service,OU=Thales TSS ESN:3BBD-E338-E9A1,OU=Microsoft America Operations,O=Microsoft Corporation,L=Redmond,S=Washington,C=US",
            "Issuer": "CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
            "NotBefore": "12.11.2020 19:26:02",
            "NotAfter": "11.02.2022 19:26:02",
            "DigestAlgorithmName": "SHA256",
            "Thumbprint": "E8220CE2AAD2073A9C8CD78752775E29782AABE8",
            "Timestamp": "15.06.2021 00:39:50 +02:00"
          }
        ]
      },
      {
        "Subject": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
        "Issuer": "CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
        "NotBefore": "15.12.2020 22:31:47",
        "NotAfter": "02.12.2021 22:31:47",
        "DigestAlgorithmName": "SHA256",
        "Thumbprint": "C774204049D25D30AF9AC2F116B3C1FB88EE00A4",
        "TimestampSignatures": [
          {
            "Subject": "CN=Microsoft Time-Stamp Service,OU=Thales TSS ESN:F87A-E374-D7B9,OU=Microsoft Operations Puerto Rico,O=Microsoft Corporation,L=Redmond,S=Washington,C=US",
            "Issuer": "CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
            "NotBefore": "14.01.2021 20:02:23",
            "NotAfter": "11.04.2022 21:02:23",
            "DigestAlgorithmName": "SHA256",
            "Thumbprint": "ED2C601EDD49DD2A934D2AB32DCACC19940161EF",
            "Timestamp": "15.06.2021 00:39:53 +02:00"
          }
        ]
      }
    ],
    "ParentProcess": null
  }
}
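The processing sequence described above ends with enriched records being written to the Windows Event Log, and the record shown here is what a consumer of those records receives. The following Python script is an added example and is not part of the QLOG project: it parses a record using the field names visible in the sample output, walks the ParentProcess chain, and applies a few defensive triage checks on the enriched fields (image name versus OriginalFilename, isOndisk, Signed, whether the signing certificate was within its validity window at StartTime, and whether the child runs at a higher ProcessIntegrityLevel than its parent). The two records it runs on are constructed for the demonstration with hashes shortened; the finding codes and the checks themselves are this example's own, not QLOG output.

```python
"""Triage QLOG-style enriched process-creation events.

Added example, not part of the QLOG project. Field names follow the sample
record on the page; both records below are constructed for this demonstration.
"""
import json
import re
from datetime import datetime

# Windows mandatory integrity levels, lowest privilege first. "None" (unknown) is skipped.
INTEGRITY_RANK = {"Untrusted": 0, "Low": 1, "Medium": 2, "High": 3, "System": 4}
CERT_TIME_FMT = "%d.%m.%Y %H:%M:%S"  # format of NotBefore/NotAfter in the sample record


def parse_start_time(value):
    """Parse StartTime (ISO 8601 with 7 fractional digits) into a naive local datetime."""
    value = re.sub(r"(\.\d{6})\d+", r"\1", value)  # Python < 3.11 accepts at most 6 digits
    return datetime.fromisoformat(value).replace(tzinfo=None)


def process_chain(event):
    """Follow ParentProcess links; returns [event, parent, grandparent, ...]."""
    chain, node = [], event
    while node is not None:
        chain.append(node)
        node = node.get("ParentProcess")
    return chain


def triage(event):
    """Return (code, message) findings for one enriched event; [] means nothing notable."""
    findings = []
    image = (event.get("Imagefilename") or "").upper()
    original = (event.get("OriginalFilename") or "").upper()
    if image and original and image != original:
        findings.append(("NAME_MISMATCH", f"{image} differs from OriginalFilename {original}"))
    if event.get("isOndisk") is False:
        findings.append(("NOT_ON_DISK", f"PID {event.get('PID')}: image not present on disk"))
    if event.get("Signed") != "SignatureValid":
        findings.append(("SIGNATURE", f"Signed={event.get('Signed')!r}"))

    # Was each signing certificate inside its validity window when the process started?
    # (An expired certificate can still be acceptable when a TimestampSignature covers it.)
    start = parse_start_time(event["StartTime"])
    for sig in event.get("Signatures") or []:
        not_before = datetime.strptime(sig["NotBefore"], CERT_TIME_FMT)
        not_after = datetime.strptime(sig["NotAfter"], CERT_TIME_FMT)
        if not (not_before <= start <= not_after):
            findings.append(("CERT_WINDOW", f"{sig.get('Subject')}: started outside "
                             f"{sig['NotBefore']}..{sig['NotAfter']}; check TimestampSignatures"))

    # A child running at a higher integrity level than its parent deserves a look.
    parent = event.get("ParentProcess")
    if parent:
        child_rank = INTEGRITY_RANK.get(event.get("ProcessIntegrityLevel"))
        parent_rank = INTEGRITY_RANK.get(parent.get("ProcessIntegrityLevel"))
        if child_rank is not None and parent_rank is not None and child_rank > parent_rank:
            findings.append(("INTEGRITY_UP", f"child {event['ProcessIntegrityLevel']} "
                             f"above parent {parent['ProcessIntegrityLevel']}"))
    return findings


def triage_json(record):
    """Parse one JSON record of the shape QLOG writes and triage it."""
    return triage(json.loads(record))


# Constructed records (hashes shortened). The first two mirror the Teams record above.
MS_CODE_SIGN = {"Subject": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
                "NotBefore": "15.12.2020 22:24:20", "NotAfter": "02.12.2021 22:24:20"}
TEAMS_PARENT = {
    "EventGuid": None, "StartTime": "2021-07-11T09:54:28.9558001+02:00", "QEventID": 100,
    "QType": "ProcessCreation", "Imagefilename": "", "OriginalFilename": "TEAMS.EXE",
    "PID": 16232, "ProcessIntegrityLevel": "Medium", "isOndisk": True,
    "Signed": "SignatureValid", "Signatures": [MS_CODE_SIGN], "ParentProcess": None,
}
TEAMS_EVENT = {
    "EventGuid": "68795fe8-67e7-410b-a5c0-8364746d7ffe", "StartTime": "2021-07-11T11:06:56.9621746+02:00",
    "QEventID": 100, "QType": "ProcessCreation", "Username": "TESTOS\\TESTUSER",
    "Imagefilename": "TEAMS.EXE", "OriginalFilename": "TEAMS.EXE", "PID": 21740,
    "sha256": "15562519...", "ProcessIntegrityLevel": "None", "isOndisk": True,
    "Signed": "SignatureValid", "Signatures": [MS_CODE_SIGN], "ParentProcess": TEAMS_PARENT,
}
# Hypothetical record that trips every check: renamed image, not on disk, bad signature,
# certificate expired at start time, and elevated relative to its parent.
SUSPECT_EVENT = {
    "EventGuid": "00000000-0000-4000-8000-000000000002", "StartTime": "2022-03-01T08:15:00.0000000+01:00",
    "QEventID": 100, "QType": "ProcessCreation", "Username": "TESTOS\\TESTUSER",
    "Imagefilename": "UPDATER.EXE", "OriginalFilename": "DEMO-TOOL.EXE", "PID": 4242,
    "sha256": "00000000...", "ProcessIntegrityLevel": "High", "isOndisk": False,
    "Signed": "SignatureInvalid",
    "Signatures": [{"Subject": "CN=Example Publisher, O=Example, C=US",
                    "NotBefore": "01.01.2020 00:00:00", "NotAfter": "01.01.2021 00:00:00"}],
    "ParentProcess": TEAMS_PARENT,
}

if __name__ == "__main__":
    for ev in (TEAMS_EVENT, SUSPECT_EVENT):
        chain = " <- ".join(f"{n.get('Imagefilename') or n.get('OriginalFilename')}({n['PID']})"
                            for n in process_chain(ev))
        print(chain, triage_json(json.dumps(ev)) or "no findings")
```

The Teams record produces no findings: the image name matches OriginalFilename, the file is on disk, the signature is valid, the process started inside the certificate's validity window, and the child's integrity level is unknown ("None"), so the parent comparison is skipped. Note that the certificate-window check is deliberately conservative: an expired signing certificate is not a defect by itself when a countersignature in TimestampSignatures proves the signature was made while the certificate was valid, which is why the finding asks for that field to be checked rather than declaring the signature bad.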