Qlog：一款功能强大的Windows安全日志工具

关于Qlog

Qlog是一款功能强大的Windows安全日志工具，该工具可以为Windows操作系统上的安全相关事件提供丰富的事件日志记录功能。该工具目前仍处于积极开发状态，当前版本为Alpha版本。Qlog没有使用API钩子技术，也不需要在目标系统上安装驱动程序，Qlog指挥使用ETW检索遥测数据。当前版本的Qlog仅支持“进程创建”事件，之后还会添加更多丰富的事件支持。Qlog可以看作为Windows服务运行，但也可以在控制台模式下运行，因此我们可以将丰富的事件信息直接传输到控制台进行处理。

工作机制

Qlog可以从ETW读取数据，并将丰富的事件信息写入Qlog的事件通道，工具将会创建并使用名为“QMonitor”的新事件源，并写入Windows事件日志中。

以下是Qlog的事件处理顺序：

• 创建ETW会话，并订阅相关内核和用户区ETW Provider;
• 从ETW提供程序读取事件;
• 丰富的事件支持;
• 将丰富的事件写入事件日志通道QLOG;

工具依赖&安装&使用

Qlog的运行需要在本地系统中安装并配置好.NET Framework >= 4.7.2环境。

接下来，我们需要使用下列命令将该项目克隆至本地：

1. gitclonehttps://github.com/threathunters-io/QLOG.git

接下来，我们可以使用下列命令以交互式终端模式运行Qlog：

1. qlog.exe

或者，以Windows服务的方式运行：

1. #安装服务
2. qlog.exe-i
3. #卸载服务
4. qlog.exe-u

进程处理事件数据输出

1. {
2. "EventGuid":"68795fe8-67e7-410b-a5c0-8364746d7ffe",
3. "StartTime":"2021-07-11T11:06:56.9621746+02:00",
4. "QEventID":100,
5. "QType":"ProcessCreate",
6. "Username":"TESTOS\\TESTUSER",
7. "Imagefilename":"TEAMS.EXE",
8. "KernelImagefilename":"TEAMS.EXE",
9. "OriginalFilename":"TEAMS.EXE",
10. "Fullpath":"C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
11. "PID":21740,
12. "Commandline":"\"C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe\"--type=renderer--autoplay-policy=no-user-gesture-required--disable-background-timer-throttling--field-trial-handle=1668,499009601563875864,12511830007210419647,131072--enable-features=WebComponentsV0Enabled--disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess--lang=de--enable-wer--ms-teams-less-cors=522133263--app-user-model-id=com.squirrel.Teams.Teams--app-path=\"C:\\Users\\jocke",
13. "Modulecount":41,
14. "TTPHash":"42AC63285408F5FD91668B16F8E9157FD97046AB63E84117A14E31A188DDC62F",
15. "Imphash":"F14F00FA1D4C82B933279C1A28957252",
16. "sha256":"155625190ECAA90E596CB258A07382184DB738F6EDB626FEE4B9652FA4EC1CC2",
17. "md5":"9453BC2A9CC489505320312F4E6EC21E",
18. "sha1":"7219CB54AC535BA55BC1B202335A6291FDC2D76E",
19. "ProcessIntegrityLevel":"None",
20. "isOndisk":true,
21. "isRunning":true,
22. "Signed":"Signaturevalid",
23. "AuthenticodeHash":"B8AD58EE5C35B3F80C026A318EEA34BABF6609C077CB3D45AEE69BF5C9CF8E11",
24. "Signatures":[
25. {
26. "Subject":"CN=MicrosoftCorporation,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US",
27. "Issuer":"CN=MicrosoftCodeSigningPCA2010,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US",
28. "NotBefore":"15.12.202022:24:20",
29. "NotAfter":"02.12.202122:24:20",
30. "DigestAlgorithmName":"SHA256",
31. "Thumbprint":"E8C15B4C98AD91E051EE5AF5F524A8729050B2A2",
32. "TimestampSignatures":[
33. {
34. "Subject":"CN=MicrosoftTime-StampService,OU=ThalesTSSESN:3BBD-E338-E9A1,OU=MicrosoftAmericaOperations,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US",
35. "Issuer":"CN=MicrosoftTime-StampPCA2010,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US",
36. "NotBefore":"12.11.202019:26:02",
37. "NotAfter":"11.02.202219:26:02",
38. "DigestAlgorithmName":"SHA256",
39. "Thumbprint":"E8220CE2AAD2073A9C8CD78752775E29782AABE8",
40. "Timestamp":"15.06.202100:39:50+02:00"
41. }
42. ]
43. },
44. {
45. "Subject":"CN=MicrosoftCorporation,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US",
46. "Issuer":"CN=MicrosoftCodeSigningPCA2011,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US",
47. "NotBefore":"15.12.202022:31:47",
48. "NotAfter":"02.12.202122:31:47",
49. "DigestAlgorithmName":"SHA256",
50. "Thumbprint":"C774204049D25D30AF9AC2F116B3C1FB88EE00A4",
51. "TimestampSignatures":[
52. {
53. "Subject":"CN=MicrosoftTime-StampService,OU=ThalesTSSESN:F87A-E374-D7B9,OU=MicrosoftOperationsPuertoRico,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US",
54. "Issuer":"CN=MicrosoftTime-StampPCA2010,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US",
55. "NotBefore":"14.01.202120:02:23",
56. "NotAfter":"11.04.202221:02:23",
57. "DigestAlgorithmName":"SHA256",
58. "Thumbprint":"ED2C601EDD49DD2A934D2AB32DCACC19940161EF",
59. "Timestamp":"15.06.202100:39:53+02:00"
60. }
61. ]
62. }
63. ],
64. "ParentProcess":{
65. "EventGuid":null,
66. "StartTime":"2021-07-11T09:54:28.9558001+02:00",
67. "QEventID":100,
68. "QType":"ProcessCreate",
69. "Username":"TEST-OS\\TESTUSER",
70. "Imagefilename":"",
71. "KernelImagefilename":"",
72. "OriginalFilename":"TEAMS.EXE",
73. "Fullpath":"C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
74. "PID":16232,
75. "Commandline":"C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
76. "Modulecount":162,
77. "TTPHash":"",
78. "Imphash":"F14F00FA1D4C82B933279C1A28957252",
79. "sha256":"155625190ECAA90E596CB258A07382184DB738F6EDB626FEE4B9652FA4EC1CC2",
80. "md5":"9453BC2A9CC489505320312F4E6EC21E",
81. "sha1":"7219CB54AC535BA55BC1B202335A6291FDC2D76E",
82. "ProcessIntegrityLevel":"Medium",
83. "isOndisk":true,
84. "isRunning":true,
85. "Signed":"Signaturevalid",
86. "AuthenticodeHash":"B8AD58EE5C35B3F80C026A318EEA34BABF6609C077CB3D45AEE69BF5C9CF8E11",
87. "Signatures":[
88. {
89. "Subject":"CN=MicrosoftCorporation,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US",
90. "Issuer":"CN=MicrosoftCodeSigningPCA2010,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US",
91. "NotBefore":"15.12.202022:24:20",
92. "NotAfter":"02.12.202122:24:20",
93. "DigestAlgorithmName":"SHA256",
94. "Thumbprint":"E8C15B4C98AD91E051EE5AF5F524A8729050B2A2",
95. "TimestampSignatures":[
96. {
97. "Subject":"CN=MicrosoftTime-StampService,OU=ThalesTSSESN:3BBD-E338-E9A1,OU=MicrosoftAmericaOperations,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US",
98. "Issuer":"CN=MicrosoftTime-StampPCA2010,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US",
99. "NotBefore":"12.11.202019:26:02",
100. "NotAfter":"11.02.202219:26:02",
101. "DigestAlgorithmName":"SHA256",
102. "Thumbprint":"E8220CE2AAD2073A9C8CD78752775E29782AABE8",
103. "Timestamp":"15.06.202100:39:50+02:00"
104. }
105. ]
106. },
107. {
108. "Subject":"CN=MicrosoftCorporation,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US",
109. "Issuer":"CN=MicrosoftCodeSigningPCA2011,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US",
110. "NotBefore":"15.12.202022:31:47",
111. "NotAfter":"02.12.202122:31:47",
112. "DigestAlgorithmName":"SHA256",
113. "Thumbprint":"C774204049D25D30AF9AC2F116B3C1FB88EE00A4",
114. "TimestampSignatures":[
115. {
116. "Subject":"CN=MicrosoftTime-StampService,OU=ThalesTSSESN:F87A-E374-D7B9,OU=MicrosoftOperationsPuertoRico,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US",
117. "Issuer":"CN=MicrosoftTime-StampPCA2010,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US",
118. "NotBefore":"14.01.202120:02:23",
119. "NotAfter":"11.04.202221:02:23",
120. "DigestAlgorithmName":"SHA256",
121. "Thumbprint":"ED2C601EDD49DD2A934D2AB32DCACC19940161EF",
122. "Timestamp":"15.06.202100:39:53+02:00"
123. }
124. ]
125. }
126. ],
127. "ParentProcess":null
128. }
129. }

项目地址

Qlog：【GitHub传送门】

参考资料：https://threathunters.io/