
Qlog: A Powerful Windows Security Logging Tool

About Qlog

Qlog is a powerful Windows security logging tool that provides enriched event logging for security-relevant events on Windows operating systems. The tool is still under active development, and the current release is an Alpha version. Qlog does not use API hooking and does not require a driver to be installed on the target system; it retrieves its telemetry exclusively through ETW. The current version of Qlog supports only the "process creation" event; support for more enriched events will be added later. Qlog can run as a Windows service, but it can also run in console mode, so the enriched event information can be streamed directly to the console for further processing.


How It Works

Qlog reads data from ETW and writes the enriched event information to Qlog's own event channel. The tool creates and uses a new event source named "QMonitor" and writes into the Windows event log.

Qlog processes events in the following order:

  • Create an ETW session and subscribe to the relevant kernel and user-space ETW providers;
  • Read events from the ETW providers;
  • Enrich the events;
  • Write the enriched events to the event log channel QLOG.

Dependencies, Installation & Usage

Running Qlog requires .NET Framework >= 4.7.2 to be installed and configured on the local system.

Next, clone the project locally with the following command:

  git clone https://github.com/threathunters-io/QLOG.git

Then run Qlog in interactive console mode with:

  qlog.exe

Or run it as a Windows service:

  # Install the service
  qlog.exe -i

  # Uninstall the service
  qlog.exe -u

Process Creation Event Data Output

  {
    "EventGuid": "68795fe8-67e7-410b-a5c0-8364746d7ffe",
    "StartTime": "2021-07-11T11:06:56.9621746+02:00",
    "QEventID": 100,
    "QType": "ProcessCreate",
    "Username": "TESTOS\\TESTUSER",
    "Imagefilename": "TEAMS.EXE",
    "KernelImagefilename": "TEAMS.EXE",
    "OriginalFilename": "TEAMS.EXE",
    "Fullpath": "C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
    "PID": 21740,
    "Commandline": "\"C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe\" --type=renderer --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --field-trial-handle=1668,499009601563875864,12511830007210419647,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=de --enable-wer --ms-teams-less-cors=522133263 --app-user-model-id=com.squirrel.Teams.Teams --app-path=\"C:\\Users\\jocke",
    "Modulecount": 41,
    "TTPHash": "42AC63285408F5FD91668B16F8E9157FD97046AB63E84117A14E31A188DDC62F",
    "Imphash": "F14F00FA1D4C82B933279C1A28957252",
    "sha256": "155625190ECAA90E596CB258A07382184DB738F6EDB626FEE4B9652FA4EC1CC2",
    "md5": "9453BC2A9CC489505320312F4E6EC21E",
    "sha1": "7219CB54AC535BA55BC1B202335A6291FDC2D76E",
    "ProcessIntegrityLevel": "None",
    "isOndisk": true,
    "isRunning": true,
    "Signed": "Signature valid",
    "AuthenticodeHash": "B8AD58EE5C35B3F80C026A318EEA34BABF6609C077CB3D45AEE69BF5C9CF8E11",
    "Signatures": [
      {
        "Subject": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
        "Issuer": "CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
        "NotBefore": "15.12.2020 22:24:20",
        "NotAfter": "02.12.2021 22:24:20",
        "DigestAlgorithmName": "SHA256",
        "Thumbprint": "E8C15B4C98AD91E051EE5AF5F524A8729050B2A2",
        "TimestampSignatures": [
          {
            "Subject": "CN=Microsoft Time-Stamp Service, OU=Thales TSS ESN:3BBD-E338-E9A1, OU=Microsoft America Operations, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
            "Issuer": "CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
            "NotBefore": "12.11.2020 19:26:02",
            "NotAfter": "11.02.2022 19:26:02",
            "DigestAlgorithmName": "SHA256",
            "Thumbprint": "E8220CE2AAD2073A9C8CD78752775E29782AABE8",
            "Timestamp": "15.06.2021 00:39:50 +02:00"
          }
        ]
      },
      {
        "Subject": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
        "Issuer": "CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
        "NotBefore": "15.12.2020 22:31:47",
        "NotAfter": "02.12.2021 22:31:47",
        "DigestAlgorithmName": "SHA256",
        "Thumbprint": "C774204049D25D30AF9AC2F116B3C1FB88EE00A4",
        "TimestampSignatures": [
          {
            "Subject": "CN=Microsoft Time-Stamp Service, OU=Thales TSS ESN:F87A-E374-D7B9, OU=Microsoft Operations Puerto Rico, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
            "Issuer": "CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
            "NotBefore": "14.01.2021 20:02:23",
            "NotAfter": "11.04.2022 21:02:23",
            "DigestAlgorithmName": "SHA256",
            "Thumbprint": "ED2C601EDD49DD2A934D2AB32DCACC19940161EF",
            "Timestamp": "15.06.2021 00:39:53 +02:00"
          }
        ]
      }
    ],
    "ParentProcess": {
      "EventGuid": null,
      "StartTime": "2021-07-11T09:54:28.9558001+02:00",
      "QEventID": 100,
      "QType": "ProcessCreate",
      "Username": "TEST-OS\\TESTUSER",
      "Imagefilename": "",
      "KernelImagefilename": "",
      "OriginalFilename": "TEAMS.EXE",
      "Fullpath": "C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
      "PID": 16232,
      "Commandline": "C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
      "Modulecount": 162,
      "TTPHash": "",
      "Imphash": "F14F00FA1D4C82B933279C1A28957252",
      "sha256": "155625190ECAA90E596CB258A07382184DB738F6EDB626FEE4B9652FA4EC1CC2",
      "md5": "9453BC2A9CC489505320312F4E6EC21E",
      "sha1": "7219CB54AC535BA55BC1B202335A6291FDC2D76E",
      "ProcessIntegrityLevel": "Medium",
      "isOndisk": true,
      "isRunning": true,
      "Signed": "Signature valid",
      "AuthenticodeHash": "B8AD58EE5C35B3F80C026A318EEA34BABF6609C077CB3D45AEE69BF5C9CF8E11",
      "Signatures": [
        {
          "Subject": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
          "Issuer": "CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
          "NotBefore": "15.12.2020 22:24:20",
          "NotAfter": "02.12.2021 22:24:20",
          "DigestAlgorithmName": "SHA256",
          "Thumbprint": "E8C15B4C98AD91E051EE5AF5F524A8729050B2A2",
          "TimestampSignatures": [
            {
              "Subject": "CN=Microsoft Time-Stamp Service, OU=Thales TSS ESN:3BBD-E338-E9A1, OU=Microsoft America Operations, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
              "Issuer": "CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
              "NotBefore": "12.11.2020 19:26:02",
              "NotAfter": "11.02.2022 19:26:02",
              "DigestAlgorithmName": "SHA256",
              "Thumbprint": "E8220CE2AAD2073A9C8CD78752775E29782AABE8",
              "Timestamp": "15.06.2021 00:39:50 +02:00"
            }
          ]
        },
        {
          "Subject": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
          "Issuer": "CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
          "NotBefore": "15.12.2020 22:31:47",
          "NotAfter": "02.12.2021 22:31:47",
          "DigestAlgorithmName": "SHA256",
          "Thumbprint": "C774204049D25D30AF9AC2F116B3C1FB88EE00A4",
          "TimestampSignatures": [
            {
              "Subject": "CN=Microsoft Time-Stamp Service, OU=Thales TSS ESN:F87A-E374-D7B9, OU=Microsoft Operations Puerto Rico, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
              "Issuer": "CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
              "NotBefore": "14.01.2021 20:02:23",
              "NotAfter": "11.04.2022 21:02:23",
              "DigestAlgorithmName": "SHA256",
              "Thumbprint": "ED2C601EDD49DD2A934D2AB32DCACC19940161EF",
              "Timestamp": "15.06.2021 00:39:53 +02:00"
            }
          ]
        }
      ],
      "ParentProcess": null
    }
  }
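Because console mode emits events as JSON like the record above, a small consumer can triage them as they arrive. The Python below is an added example (not part of Qlog or of the original article): it parses one ProcessCreate event using the field names from the output above and applies a few defender-side checks (name mismatch between the on-disk image and the PE OriginalFilename, signature verdict, a system-binary name launched outside System32, and an Office parent). The sample event is constructed; the set of suspicious names and the verdict string comparison are this example's assumptions.

```python
import json
# Constructed sample in the Qlog ProcessCreate schema shown above: field names
# come from the page, the values are made up for this example.
SAMPLE_EVENT = json.dumps({
    "QEventID": 100, "QType": "ProcessCreate", "Username": "TESTOS\\TESTUSER",
    "Imagefilename": "SVCHOST.EXE", "OriginalFilename": "UPDATER.EXE",
    "Fullpath": "C:\\Users\\TESTUSER\\AppData\\Local\\Temp\\svchost.exe",
    "PID": 4242, "Commandline": "svchost.exe -k netsvcs",
    "ProcessIntegrityLevel": "Medium", "isOndisk": True, "Signed": "Not signed", "Signatures": [],
    "ParentProcess": {
        "QType": "ProcessCreate", "Imagefilename": "WINWORD.EXE",
        "OriginalFilename": "WINWORD.EXE", "PID": 1337,
        "Fullpath": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
        "Signed": "Signature valid", "ParentProcess": None,
    },
})

# Assumed watch lists for this example; tune them for your environment.
SYSTEM_NAMES = {"SVCHOST.EXE", "LSASS.EXE", "CSRSS.EXE", "SERVICES.EXE"}
OFFICE_NAMES = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}

def ancestry(event):
    """Walk the nested ParentProcess objects; closest parent first."""
    chain, parent = [], event.get("ParentProcess")
    while parent:
        chain.append(parent.get("Imagefilename") or parent.get("OriginalFilename") or "?")
        parent = parent.get("ParentProcess")
    return chain

def triage(raw):
    """Parse one Qlog event (a JSON string) and return a list of findings."""
    ev = json.loads(raw)
    if ev.get("QType") != "ProcessCreate":
        return []
    findings = []
    name, orig, path = ev["Imagefilename"].upper(), ev["OriginalFilename"].upper(), ev["Fullpath"].upper()
    # PE version-resource name differs from the on-disk name: a masquerading hint.
    if name != orig:
        findings.append(f"name mismatch: {ev['Imagefilename']} vs {ev['OriginalFilename']}")
    # Qlog stores the Authenticode verdict as text; compare whitespace-insensitively.
    if ev.get("Signed", "").replace(" ", "").lower() != "signaturevalid":
        findings.append(f"signature: {ev.get('Signed')}")
    # A well-known system binary name launched from outside the Windows directory.
    if name in SYSTEM_NAMES and "\\WINDOWS\\SYSTEM32\\" not in path and "\\WINDOWS\\SYSWOW64\\" not in path:
        findings.append(f"system binary name outside System32: {ev['Fullpath']}")
    # An Office application as direct parent is a common macro/initial-access pattern.
    parents = ancestry(ev)
    if parents and parents[0].upper() in OFFICE_NAMES:
        findings.append(f"spawned by Office: {' <- '.join(parents)}")
    return findings
```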

Project Address

Qlog: GitHub repository (https://github.com/threathunters-io/QLOG)

References: https://threathunters.io/

Original article: https://www.freebuf.com/articles/system/290653.html

This article was published by 主机测评网 and does not represent the site's position. For reprints, contact the author and cite the source: https://zhuji.jb51.net/anquan/2443.html
