
Qlog: a powerful Windows security logging tool

2022-10-11    Category: Website construction

About Qlog

Qlog is a Windows security logging tool that provides enriched event logging for security-relevant events on the Windows operating system. The tool is still under active development and the current release is an alpha version. Qlog does not use API hooking and does not require a driver to be installed on the target system; it retrieves its telemetry exclusively through ETW (Event Tracing for Windows). The current version supports only "process creation" events; support for further events will be added later. Qlog can run as a Windows service, but it can also run in console mode, so the enriched event data can be streamed directly to the console for further processing.

How it works

Qlog reads data from ETW, enriches the events and writes the enriched event data to its own event channel. The tool creates and uses a new event source named "QMonitor" and writes the events to the Windows event log.

Qlog processes events in the following order:

1. Create an ETW session and subscribe to the relevant kernel and user-mode ETW providers;
2. Read events from the ETW providers;
3. Enrich the events;
4. Write the enriched events to the event log channel QLOG.

Dependencies, installation and usage

Qlog requires .NET Framework >= 4.7.2 to be installed and configured on the local system.

Next, clone the project to the local machine with the following command:

git clone https://github.com/threathunters-io/QLOG.git

Then run Qlog in interactive console mode with:

qlog.exe

Or run it as a Windows service:

# install the service
qlog.exe -i

# uninstall the service
qlog.exe -u

Process creation event output

{
  "EventGuid": "68795fe8-67e7-410b-a5c0-8364746d7ffe",
  "StartTime": "2021-07-11T11:06:56.9621746+02:00",
  "QEventID": 100,
  "QType": "ProcessCreate",
  "Username": "TESTOS\\TESTUSER",
  "Imagefilename": "TEAMS.EXE",
  "KernelImagefilename": "TEAMS.EXE",
  "OriginalFilename": "TEAMS.EXE",
  "Fullpath": "C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
  "PID": 21740,
  "Commandline": "\"C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe\" --type=renderer --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --field-trial-handle=1668,499009601563875864,12511830007210419647,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=de --enable-wer --ms-teams-less-cors=522133263 --app-user-model-id=com.squirrel.Teams.Teams --app-path=\"C:\\Users\\jocke",
  "Modulecount": 41,
  "TTPHash": "42AC63285408F5FD91668B16F8E9157FD97046AB63E84117A14E31A188DDC62F",
  "Imphash": "F14F00FA1D4C82B933279C1A28957252",
  "sha256": "155625190ECAA90E596CB258A07382184DB738F6EDB626FEE4B9652FA4EC1CC2",
  "md5": "9453BC2A9CC489505320312F4E6EC21E",
  "sha1": "7219CB54AC535BA55BC1B202335A6291FDC2D76E",
  "ProcessIntegrityLevel": "None",
  "isOndisk": true,
  "isRunning": true,
  "Signed": "Signature valid",
  "AuthenticodeHash": "B8AD58EE5C35B3F80C026A318EEA34BABF6609C077CB3D45AEE69BF5C9CF8E11",
  "Signatures": [
    {
      "Subject": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
      "Issuer": "CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
      "NotBefore": "15.12.2020 22:24:20",
      "NotAfter": "02.12.2021 22:24:20",
      "DigestAlgorithmName": "SHA256",
      "Thumbprint": "E8C15B4C98AD91E051EE5AF5F524A8729050B2A2",
      "TimestampSignatures": [
        {
          "Subject": "CN=Microsoft Time-Stamp Service, OU=Thales TSS ESN:3BBD-E338-E9A1, OU=Microsoft America Operations, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
          "Issuer": "CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
          "NotBefore": "12.11.2020 19:26:02",
          "NotAfter": "11.02.2022 19:26:02",
          "DigestAlgorithmName": "SHA256",
          "Thumbprint": "E8220CE2AAD2073A9C8CD78752775E29782AABE8",
          "Timestamp": "15.06.2021 00:39:50 +02:00"
        }
      ]
    },
    {
      "Subject": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
      "Issuer": "CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
      "NotBefore": "15.12.2020 22:31:47",
      "NotAfter": "02.12.2021 22:31:47",
      "DigestAlgorithmName": "SHA256",
      "Thumbprint": "C774204049D25D30AF9AC2F116B3C1FB88EE00A4",
      "TimestampSignatures": [
        {
          "Subject": "CN=Microsoft Time-Stamp Service, OU=Thales TSS ESN:F87A-E374-D7B9, OU=Microsoft Operations Puerto Rico, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
          "Issuer": "CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
          "NotBefore": "14.01.2021 20:02:23",
          "NotAfter": "11.04.2022 21:02:23",
          "DigestAlgorithmName": "SHA256",
          "Thumbprint": "ED2C601EDD49DD2A934D2AB32DCACC19940161EF",
          "Timestamp": "15.06.2021 00:39:53 +02:00"
        }
      ]
    }
  ],
  "ParentProcess": {
    "EventGuid": null,
    "StartTime": "2021-07-11T09:54:28.9558001+02:00",
    "QEventID": 100,
    "QType": "ProcessCreate",
    "Username": "TEST-OS\\TESTUSER",
    "Imagefilename": "",
    "KernelImagefilename": "",
    "OriginalFilename": "TEAMS.EXE",
    "Fullpath": "C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
    "PID": 16232,
    "Commandline": "C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
    "Modulecount": 162,
    "TTPHash": "",
    "Imphash": "F14F00FA1D4C82B933279C1A28957252",
    "sha256": "155625190ECAA90E596CB258A07382184DB738F6EDB626FEE4B9652FA4EC1CC2",
    "md5": "9453BC2A9CC489505320312F4E6EC21E",
    "sha1": "7219CB54AC535BA55BC1B202335A6291FDC2D76E",
    "ProcessIntegrityLevel": "Medium",
    "isOndisk": true,
    "isRunning": true,
    "Signed": "Signature valid",
    "AuthenticodeHash": "B8AD58EE5C35B3F80C026A318EEA34BABF6609C077CB3D45AEE69BF5C9CF8E11",
    "Signatures": [
      {
        "Subject": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
        "Issuer": "CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
        "NotBefore": "15.12.2020 22:24:20",
        "NotAfter": "02.12.2021 22:24:20",
        "DigestAlgorithmName": "SHA256",
        "Thumbprint": "E8C15B4C98AD91E051EE5AF5F524A8729050B2A2",
        "TimestampSignatures": [
          {
            "Subject": "CN=Microsoft Time-Stamp Service, OU=Thales TSS ESN:3BBD-E338-E9A1, OU=Microsoft America Operations, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
            "Issuer": "CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
            "NotBefore": "12.11.2020 19:26:02",
            "NotAfter": "11.02.2022 19:26:02",
            "DigestAlgorithmName": "SHA256",
            "Thumbprint": "E8220CE2AAD2073A9C8CD78752775E29782AABE8",
            "Timestamp": "15.06.2021 00:39:50 +02:00"
          }
        ]
      },
      {
        "Subject": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
        "Issuer": "CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
        "NotBefore": "15.12.2020 22:31:47",
        "NotAfter": "02.12.2021 22:31:47",
        "DigestAlgorithmName": "SHA256",
        "Thumbprint": "C774204049D25D30AF9AC2F116B3C1FB88EE00A4",
        "TimestampSignatures": [
          {
            "Subject": "CN=Microsoft Time-Stamp Service, OU=Thales TSS ESN:F87A-E374-D7B9, OU=Microsoft Operations Puerto Rico, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
            "Issuer": "CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
            "NotBefore": "14.01.2021 20:02:23",
            "NotAfter": "11.04.2022 21:02:23",
            "DigestAlgorithmName": "SHA256",
            "Thumbprint": "ED2C601EDD49DD2A934D2AB32DCACC19940161EF",
            "Timestamp": "15.06.2021 00:39:53 +02:00"
          }
        ]
      }
    ],
    "ParentProcess": null
  }
}
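The value of the enriched record above lies in what a consumer can derive from it: the signature state, the integrity level, whether the image is still on disk, the certificate validity window and the parent chain are all present in one event. As an added example (not part of the original post and not code from the QLOG project), the Python script below consumes ProcessCreate records of this shape, as Qlog would emit them in console mode, walks the ParentProcess chain and applies a few defender-side checks. The two input events are constructed to mirror the fields shown above (hashes and command lines omitted); the value "Not signed" for an unsigned file, the integrity-level ranking, the list of user-writable path markers and the assumption that certificate times share the local zone of StartTime are all this example's own assumptions, not Qlog's documented behaviour.

```python
import json
import re
from datetime import datetime

# Constructed Microsoft signature block, shaped like the "Signatures" entries in the sample above.
MS_SIG = {
    "Subject": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
    "NotBefore": "15.12.2020 22:24:20",
    "NotAfter": "02.12.2021 22:24:20",
    "Thumbprint": "E8C15B4C98AD91E051EE5AF5F524A8729050B2A2",
}

# Constructed event modelled on the Teams record above (fields abbreviated).
SAMPLE_EVENT = {
    "QType": "ProcessCreate", "StartTime": "2021-07-11T11:06:56.9621746+02:00",
    "Username": "TESTOS\\TESTUSER", "Imagefilename": "TEAMS.EXE", "PID": 21740,
    "Fullpath": "C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
    "ProcessIntegrityLevel": "None", "isOndisk": True, "Signed": "Signature valid",
    "Signatures": [MS_SIG],
    "ParentProcess": {
        "QType": "ProcessCreate", "StartTime": "2021-07-11T09:54:28.9558001+02:00",
        "Imagefilename": "TEAMS.EXE", "PID": 16232,
        "Fullpath": "C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
        "ProcessIntegrityLevel": "Medium", "isOndisk": True, "Signed": "Signature valid",
        "Signatures": [MS_SIG], "ParentProcess": None,
    },
}

# Constructed event that should trip every check: unsigned, deleted after start, run from
# Temp, elevated above its Office parent. "Not signed" is an assumed value for this example.
SUSPECT_EVENT = {
    "QType": "ProcessCreate", "StartTime": "2021-07-11T12:00:00.0000000+02:00",
    "Username": "TESTOS\\TESTUSER", "Imagefilename": "UPDATER.EXE", "PID": 4242,
    "Fullpath": "C:\\Users\\TESTUSER\\AppData\\Local\\Temp\\updater.exe",
    "ProcessIntegrityLevel": "High", "isOndisk": False, "Signed": "Not signed",
    "Signatures": [],
    "ParentProcess": {
        "QType": "ProcessCreate", "StartTime": "2021-07-11T11:30:00.0000000+02:00",
        "Imagefilename": "WINWORD.EXE", "PID": 3000,
        "Fullpath": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
        "ProcessIntegrityLevel": "Medium", "isOndisk": True, "Signed": "Signature valid",
        "Signatures": [MS_SIG], "ParentProcess": None,
    },
}

# Assumed ranking of Windows integrity levels; "None" (as in the sample) is treated as unknown.
INTEGRITY_RANK = {"Untrusted": 0, "Low": 1, "Medium": 2, "High": 3, "System": 4}
# Assumed path markers for locations a standard user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")


def parse_start_time(value):
    """StartTime carries a 7-digit (.NET tick) fraction; trim to the 6 digits fromisoformat accepts."""
    return datetime.fromisoformat(re.sub(r"(\.\d{6})\d+", r"\1", value))


def parse_cert_time(value):
    """Certificate times in the sample are day.month.year hour:minute:second without a zone."""
    return datetime.strptime(value, "%d.%m.%Y %H:%M:%S")


def ancestry(event):
    """Child-to-root list of (PID, image name), following the nested ParentProcess objects."""
    chain, node = [], event
    while node is not None:
        name = node.get("Imagefilename") or node["Fullpath"].rsplit("\\", 1)[-1]
        chain.append((node["PID"], name))
        node = node.get("ParentProcess")
    return chain


def check_event(event):
    """Return a list of human-readable findings for one ProcessCreate event."""
    findings = []
    if event.get("Signed") != "Signature valid":
        findings.append("signature missing or invalid")
    if not event.get("isOndisk", True):
        findings.append("image no longer on disk")
    if any(marker in event["Fullpath"].lower() for marker in USER_WRITABLE):
        findings.append("image executes from a user-writable location")
    # Assumption: certificate times are rendered in the same local zone as StartTime,
    # so the zone is dropped and wall-clock values are compared. A signature with a valid
    # timestamp countersignature stays valid after NotAfter, so this is informational only.
    start = parse_start_time(event["StartTime"]).replace(tzinfo=None)
    for sig in event.get("Signatures", []):
        if not parse_cert_time(sig["NotBefore"]) <= start <= parse_cert_time(sig["NotAfter"]):
            findings.append(f"certificate {sig['Thumbprint'][:8]} outside validity at process start")
    parent = event.get("ParentProcess")
    if parent:
        child = INTEGRITY_RANK.get(event.get("ProcessIntegrityLevel"))
        above = INTEGRITY_RANK.get(parent.get("ProcessIntegrityLevel"))
        if child is not None and above is not None and child > above:
            findings.append("integrity level higher than parent")
    return findings


def analyse(raw_line):
    """Process one JSON line as Qlog's console mode would hand it to a pipe."""
    event = json.loads(raw_line)
    return {"pid": event["PID"], "chain": ancestry(event), "findings": check_event(event)}


if __name__ == "__main__":
    for ev in (SAMPLE_EVENT, SUSPECT_EVENT):
        print(json.dumps(analyse(json.dumps(ev)), indent=1))
```

Run against the Teams-like event the script raises only the "user-writable location" note, which is why that check is best weighed together with the signature state rather than alerted on alone; the constructed unsigned Temp binary spawned from an Office parent collects all four findings. To use it with a live console-mode run, replace the loop in the main block with a loop over `sys.stdin` and feed it `qlog.exe` output one JSON document per line.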

Article title: Qlog: a powerful Windows security logging tool
Article link: http://aaarwkj.com/news/204439.html
