Qlog：一个强大的Windows安全日志工具

关于QlogQlog是一个强大的Windows安全日志工具，它为Windows操作系统上的安全相关事件提供了丰富的事件日志记录功能。该工具仍在积极开发中，当前版本为Alpha。QlogCommand不使用API挂钩技术并且不需要在目标系统上安装驱动程序，而是使用ETW来检索遥测数据。Qlog当前版本只支持“进程创建”事件，后续会增加更丰富的事件支持。Qlog可以看作是作为Windows服务运行的，但它也可以以控制台方式运行，所以我们可以直接将丰富的事件信息传递到控制台进行处理。工作机制Qlog可以从ETW中读取数据，将丰富的事件信息写入Qlog的事件通道中。该工具将创建并使用名为“QMonitor”的新事件源，并将其写入Windows事件日志。以下是Qlog的事件处理顺序：创建一个ETW会话，并订阅相关的kernel和userlandETWProvider；从ETW提供者读取事件；丰富的活动支持；将丰富的事件写入事件日志通道QLOG；tooldependencies&installation&使用Qlog的操作需要在本地系统安装配置。NETFramework>=4.7.2环境。接下来，我们需要使用以下命令将项目克隆到本地：gitclonehttps://github.com/threathhunters-io/QLOG.git接下来，我们可以使用以下命令以交互式终端模式运行Qlog：qlog.exe或者，运行作为Windows服务：#installserviceqlog.exe-i#uninstallserviceqlog.exe-u进程事件数据输出{"EventGuid":"68795fe8-67e7-410b-a5c0-8364746d7ffe","StartTime":"2021-07-11T11:06:56.9621746+02:00","QEventID":100,"QType":"ProcessCreate","用户名":"TESTOS\\TESTUSER","Imagefilename":"TEAMS.EXE","KernelImagefilename":"TEAMS.EXE","OriginalFilename":"TEAMS.EXE","Fullpath":"C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe","PID":21740,"Commandline":"\"C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe\"--type=renderer--autoplay-policy=no-user-gesture-required--disable-background-timer-throttling--field-trial-handle=1668,499009601563875864,12511830007210419647,131072--enable-features=WebComponentsV0Enabled--disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess--lang=de--enable-wer--ms-corteam3-2-ms-corteam3-2model-id=com.squirrel.Teams.Teams--app-path=\"C:\\Users\\jocke","Modulecount":41,"TTPHash":"42AC63285408F5FD91668B16F8E9157FD97046AB63E84117A14E31A188DDC62F","Imphash":"F14F00FA1D4C82B933279C1A28957252","sha256":"155625190ECAA90E596CB258A07382184DB738F6EDB626FEE4B9652FA4EC1CC2","md5":"9453BC2A9CC489505320312F4E6EC21E","sha1":"7219CB54AC535BA55BC1B202335A6291FDC2D76E","ProcessIntegrityLevel":"None","isOndisk":true,"isRunning":true,"Signed":"签名有效”，“AuthenticodeHash”：“B8AD58EE5C35B3F80C026A318EEA34BABF6609C077CB3D45AEE69BF5C9CF8E11","Signatures":[{"Subject":"CN=MicrosoftCorporation,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US","Issuer":"CN=MicrosoftCodeSigningPCA2010,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US","NotBefore":"15.12.202022:24:20","NotAfter":"02.12.202122:24:20","DigestAlgorithmName":"SHA256","Thumbprint":"E8C15B4C98AD91E051EE5AF5F524A8729050B2A2","TimestampSignatures":[{"Subject":"CN=MicrosoftTime-StampService,OU=ThalesTSSESN:3BBD-E338-E9A1,OU=MicrosoftAmericaOperations,O=MicrosoftCorporation,L=Redmond,=WashingtonUS”，“Issuer”：“CN=MicrosoftTime-StampPCA2010，O=MicrosoftCorporation，L=Redmond，S=Washington，C=US”，“NotBefore”：“12.11.202019:26:02”，“NotAfter”：“11.02.202219:26:02","摘要算法名称":"SHA256","指纹":"E8220CE2AAD2073A9C8CD78752775E29782AABE8","时间戳":"15.06.202100:39:50+02:00"}]},{"主题":"CN=MicrosoftCorporation,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US","Issuer":"CN=MicrosoftCodeSigningPCA2011,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US","NotBefore":"15.12.202022:31:47","NotAfter":"02.12.202122:31:47","DigestAlgorithmName":"SHA256","Thumbprint":"C774204049D25D30AF9AC2F116B3C1FB88EE00A4","TimestampSignatures":[{"Subject":"CN=MicrosoftTime-StampService,OU=ThalesTSSESN:F87A-E374-D7B9,OU=MicrosoftOperationsPuertoRico,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US","Issuer":"CN=MicrosoftTime-StampPCA2010,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US","NotBefore";：“14.01.202120:02:23”，“NotAfter”：“11.04.202221:02:23”，“DigestAlgorithmName”：“SHA256”，“指纹”：“ED2C601EDD49DD2A934D2AB32DCACC19940161EF”，“时间戳”：“15.06.202100:39:53+02:00"}]}],"ParentProcess":{"EventGuid":null,"StartTime":"2021-07-11T09:54:28.9558001+02:00","QEventID":100"QType":"ProcessCreate","用户名":"TEST-OS\\TESTUSER","Imagefilename":"","KernelImagefilename":"","OriginalFilename":"TEAMS.EXE","Fullpath":"C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe","PID":16232,"Commandline":"C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe","Modulecount":162,"TTPHash":"","Imphash":"F14F00FA1D4C82B933279C1A28957252","sha256":"155625190ECAA90E596CB258A07382184DB738F6EDB626FEE4B9652FA4EC1CC2","md5":"9453BC2A9CC489505320312F4E6EC21E","sha1":"7219CB54AC535BA55BC1B202335A6291FDC2D76E","ProcessIntegrityLevel":"Medium","isOndisk":true,"isRunning":true“签名”：“签名有效”，“AuthenticodeHash”：“B8AD58EE5C35B3F80C026A318EEA34BABF6609C077CB3D45AEE69BF5C9CF8E11”，“签名”：[{“主题”：“CN=MicrosoftCorporation，O=MicrosoftCorporation，LW=”，“Redmond，C=US=USIssuer":"CN=MicrosoftCodeSigningPCA2010,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US","NotBefore":"15.12.202022:24:20","NotAfter":"02.12.202122:24:20","DigestAlgorithmName":"SHA256","指纹":"E8C15B4C98AD91E051EE5AF5F524A8729050B2A2","TimestampSignatures":[{"Subject":"CN=MicrosoftTime-StampService,OU=ThalesTSSESN:3BBD-E338-E9A1,OU=MicrosoftAmericaOperations,O=MicrosoftCorporation,L=华盛顿,,S=C=US","Issuer":"CN=MicrosoftTime-StampPCA2010,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US","NotBefore":"12.11.202019:26:02","NotAfter":"11.02.202219:26:02","DigestAlgorithmName":"SHA256","指纹":"E8220CE2AAD2073A9C8CD78752775E29782AABE8","时间戳":"15.06.202100:39:50+02:00"}]},{"Subject":"CN=MicrosoftCorporation,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US","Issuer":"CN=MicrosoftCodeSigningPCA2011,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US","NotBefore":"15.12.202022:31:47","NotAfter":"02.12.202122:31:47","DigestAlgorithmName":"SHA256","Thumbprint":"C774204049D25D30AF9AC2F116B3C1FB88EE00A4","TimestampSignatures":[{"Subject":"CN=MicrosoftTimeSN-StampService,OU=ThalesF87A-E374-D7B9,OU=MicrosoftOperationsPuertoRico,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US","Issuer":"CN=MicrosoftTime-StampPCA2010,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US","NotBefore":"14.01.202120:02:23","NotAfter":"11.04.202221:02:23","DigestAlgorithmName":"SHA256","指纹":"ED2C601EDD49DD2A934D2AB32DCACC19940161EF","时间戳":"15.06.202100:39:53+02:00"}]}],"ParentProcess":null}}项目地址Qlog：【GitHub传送门】参考：https://threathhunters.io/