Qlog:一款功能强大的Windows安全日志工具
关于Qlog
Qlog是一款功能强大的Windows安全日志工具,该工具可以为Windows操作系统上的安全相关事件提供丰富的事件日志记录功能。该工具目前仍处于积极开发状态,当前版本为Alpha版本。Qlog没有使用API钩子技术,也不需要在目标系统上安装驱动程序,Qlog指挥使用ETW检索遥测数据。当前版本的Qlog仅支持“进程创建”事件,之后还会添加更多丰富的事件支持。Qlog可以看作为Windows服务运行,但也可以在控制台模式下运行,因此我们可以将丰富的事件信息直接传输到控制台进行处理。
网站建设哪家好,找创新互联建站!专注于网页设计、网站建设、微信开发、微信小程序开发、集团企业网站建设等服务项目。为回馈新老客户创新互联还提供了平罗免费建站欢迎大家使用!
工作机制
Qlog可以从ETW读取数据,并将丰富的事件信息写入Qlog的事件通道,工具将会创建并使用名为“QMonitor”的新事件源,并写入Windows事件日志中。
以下是Qlog的事件处理顺序:
- 创建ETW会话,并订阅相关内核和用户区ETW Provider;
- 从ETW提供程序读取事件;
- 丰富的事件支持;
- 将丰富的事件写入事件日志通道QLOG;
工具依赖&安装&使用
Qlog的运行需要在本地系统中安装并配置好.NET Framework >= 4.7.2环境。
接下来,我们需要使用下列命令将该项目克隆至本地:
- git clone https://github.com/threathunters-io/QLOG.git
接下来,我们可以使用下列命令以交互式终端模式运行Qlog:
- qlog.exe
或者,以Windows服务的方式运行:
- #安装服务
- qlog.exe -i
- #卸载服务
- qlog.exe -u
进程处理事件数据输出
- {
- "EventGuid": "68795fe8-67e7-410b-a5c0-8364746d7ffe",
- "StartTime": "2021-07-11T11:06:56.9621746+02:00",
- "QEventID": 100,
- "QType": "Process Create",
- "Username": "TESTOS\\TESTUSER",
- "Imagefilename": "TEAMS.EXE",
- "KernelImagefilename": "TEAMS.EXE",
- "OriginalFilename": "TEAMS.EXE",
- "Fullpath": "C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
- "PID": 21740,
- "Commandline": "\"C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe\" --type=renderer --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --field-trial-handle=1668,499009601563875864,12511830007210419647,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=de --enable-wer --ms-teams-less-cors=522133263 --app-user-model-id=com.squirrel.Teams.Teams --app-path=\"C:\\Users\\jocke",
- "Modulecount": 41,
- "TTPHash": "42AC63285408F5FD91668B16F8E9157FD97046AB63E84117A14E31A188DDC62F",
- "Imphash": "F14F00FA1D4C82B933279C1A28957252",
- "sha256": "155625190ECAA90E596CB258A07382184DB738F6EDB626FEE4B9652FA4EC1CC2",
- "md5": "9453BC2A9CC489505320312F4E6EC21E",
- "sha1": "7219CB54AC535BA55BC1B202335A6291FDC2D76E",
- "ProcessIntegrityLevel": "None",
- "isOndisk": true,
- "isRunning": true,
- "Signed": "Signature valid",
- "AuthenticodeHash": "B8AD58EE5C35B3F80C026A318EEA34BABF6609C077CB3D45AEE69BF5C9CF8E11",
- "Signatures": [
- {
- "Subject": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
- "Issuer": "CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
- "NotBefore": "15.12.2020 22:24:20",
- "NotAfter": "02.12.2021 22:24:20",
- "DigestAlgorithmName": "SHA256",
- "Thumbprint": "E8C15B4C98AD91E051EE5AF5F524A8729050B2A2",
- "TimestampSignatures": [
- {
- "Subject": "CN=Microsoft Time-Stamp Service, OU=Thales TSS ESN:3BBD-E338-E9A1, OU=Microsoft America Operations, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
- "Issuer": "CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
- "NotBefore": "12.11.2020 19:26:02",
- "NotAfter": "11.02.2022 19:26:02",
- "DigestAlgorithmName": "SHA256",
- "Thumbprint": "E8220CE2AAD2073A9C8CD78752775E29782AABE8",
- "Timestamp": "15.06.2021 00:39:50 +02:00"
- }
- ]
- },
- {
- "Subject": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
- "Issuer": "CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
- "NotBefore": "15.12.2020 22:31:47",
- "NotAfter": "02.12.2021 22:31:47",
- "DigestAlgorithmName": "SHA256",
- "Thumbprint": "C774204049D25D30AF9AC2F116B3C1FB88EE00A4",
- "TimestampSignatures": [
- {
- "Subject": "CN=Microsoft Time-Stamp Service, OU=Thales TSS ESN:F87A-E374-D7B9, OU=Microsoft Operations Puerto Rico, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
- "Issuer": "CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
- "NotBefore": "14.01.2021 20:02:23",
- "NotAfter": "11.04.2022 21:02:23",
- "DigestAlgorithmName": "SHA256",
- "Thumbprint": "ED2C601EDD49DD2A934D2AB32DCACC19940161EF",
- "Timestamp": "15.06.2021 00:39:53 +02:00"
- }
- ]
- }
- ],
- "ParentProcess": {
- "EventGuid": null,
- "StartTime": "2021-07-11T09:54:28.9558001+02:00",
- "QEventID": 100,
- "QType": "Process Create",
- "Username": "TEST-OS\\TESTUSER",
- "Imagefilename": "",
- "KernelImagefilename": "",
- "OriginalFilename": "TEAMS.EXE",
- "Fullpath": "C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
- "PID": 16232,
- "Commandline": "C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe ",
- "Modulecount": 162,
- "TTPHash": "",
- "Imphash": "F14F00FA1D4C82B933279C1A28957252",
- "sha256": "155625190ECAA90E596CB258A07382184DB738F6EDB626FEE4B9652FA4EC1CC2",
- "md5": "9453BC2A9CC489505320312F4E6EC21E",
- "sha1": "7219CB54AC535BA55BC1B202335A6291FDC2D76E",
- "ProcessIntegrityLevel": "Medium",
- "isOndisk": true,
- "isRunning": true,
- "Signed": "Signature valid",
- "AuthenticodeHash": "B8AD58EE5C35B3F80C026A318EEA34BABF6609C077CB3D45AEE69BF5C9CF8E11",
- "Signatures": [
- {
- "Subject": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
- "Issuer": "CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
- "NotBefore": "15.12.2020 22:24:20",
- "NotAfter": "02.12.2021 22:24:20",
- "DigestAlgorithmName": "SHA256",
- "Thumbprint": "E8C15B4C98AD91E051EE5AF5F524A8729050B2A2",
- "TimestampSignatures": [
- {
- "Subject": "CN=Microsoft Time-Stamp Service, OU=Thales TSS ESN:3BBD-E338-E9A1, OU=Microsoft America Operations, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
- "Issuer": "CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
- "NotBefore": "12.11.2020 19:26:02",
- "NotAfter": "11.02.2022 19:26:02",
- "DigestAlgorithmName": "SHA256",
- "Thumbprint": "E8220CE2AAD2073A9C8CD78752775E29782AABE8",
- "Timestamp": "15.06.2021 00:39:50 +02:00"
- }
- ]
- },
- {
- "Subject": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
- "Issuer": "CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
- "NotBefore": "15.12.2020 22:31:47",
- "NotAfter": "02.12.2021 22:31:47",
- "DigestAlgorithmName": "SHA256",
- "Thumbprint": "C774204049D25D30AF9AC2F116B3C1FB88EE00A4",
- "TimestampSignatures": [
- {
- "Subject": "CN=Microsoft Time-Stamp Service, OU=Thales TSS ESN:F87A-E374-D7B9, OU=Microsoft Operations Puerto Rico, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
- "Issuer": "CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
- "NotBefore": "14.01.2021 20:02:23",
- "NotAfter": "11.04.2022 21:02:23",
- "DigestAlgorithmName": "SHA256",
- "Thumbprint": "ED2C601EDD49DD2A934D2AB32DCACC19940161EF",
- "Timestamp": "15.06.2021 00:39:53 +02:00"
- }
- ]
- }
- ],
- "ParentProcess": null
- }
- }
项目地址
Qlog:【GitHub传送门】
参考资料:https://threathunters.io/
本文题目:Qlog:一款功能强大的Windows安全日志工具
本文网址:http://www.mswzjz.cn/qtweb/news17/32867.html
攀枝花网站建设、攀枝花网站运维推广公司-贝锐智能,是专注品牌与效果的网络营销公司;服务项目有等
声明:本网站发布的内容(图片、视频和文字)以用户投稿、用户转载内容为主,如果涉及侵权请尽快告知,我们将会在第一时间删除。文章观点不代表本网站立场,如需处理请联系客服。电话:028-86922220;邮箱:631063699@qq.com。内容未经允许不得转载,或转载时需注明来源: 贝锐智能
- OceanBase数据库的obca好过不
- 使用Redis计数器实现主键自增(redis计数器主键)
- 营销型网站建设提高网站转化率的方法
- Python3下数据库操作全解析(python3下数据库)
- 探索Linux系统下查看网络状态的方法(查看网络状态linux)
- Linux服务器架构优化之分区实践(linux服务器分区)
- 抖音视频加热有作用吗
- 孩子取名网站建设文案范本
- 如何设置html段落字体
- 创新互联GO教程:Go语言变量的初始化
- wow中托管是什么?(全球托管服务中心)
- Oracle自治数据库带来超强功能
- html如何使背景拉伸
- win7系统无法修改文件夹只读属性如何设置?windows7怎么改变文件只读属性
- ip中转和直连有啥区别?(CN2GIA线路是否有任何限制或限制?)