Qlog: a powerful Windows security logging tool

About Qlog

Qlog is a Windows security logging tool that produces enriched event log records for security-relevant events in the Windows operating system. The tool is still under active development and the current release is an alpha version. Qlog does not use API hooking and does not require installing a driver on the target system; it retrieves its telemetry exclusively through ETW (Event Tracing for Windows). The current version supports only "process creation" events; richer event coverage will be added later. Qlog can run as a Windows service, but it can also run in console mode, so the enriched event data can be piped straight to the console for further processing.

How it works

Qlog reads data from ETW and writes the enriched events to the Windows Event Log. To do so it creates and uses an event log channel named "QLOG" and writes to it through a new event source named "QMonitor".

The Qlog event processing sequence is as follows:

  • Create an ETW session and subscribe to the relevant kernel and user-mode ETW providers;
  • Read events from the ETW providers;
  • Enrich the events;
  • Write the enriched events to the QLOG event log channel.

Dependencies, installation and usage

Running Qlog requires .NET Framework >= 4.7.2 to be installed and configured on the local system.

Next, clone the project to the local machine with the following command:

    git clone https://github.com/threathunters-io/QLOG.git

Then run Qlog in interactive console mode:

    qlog.exe

Or run it in Windows service mode:

    # install the service
    qlog.exe -i
    # uninstall the service
    qlog.exe -u

Sample of processed event output

  • {
  • "EventGuid":"68795fe8-67e7-410b-a5c0-8364746d7ffe",
  • "StartTime":"2021-07-11T11:06:56.9621746 02:00",
  • "QEventID":100,
  • "QType":"ProcessCreate",
  • "Username":"TESTOS\\TESTUSER",
  • "Imagefilename":"TEAMS.EXE",
  • "KernelImagefilename":"TEAMS.EXE",
  • "OriginalFilename":"TEAMS.EXE",
  • "Fullpath":"C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
  • "PID":21740,
  • "Commandline":"\"C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe\"--type=renderer--autoplay-policy=no-user-gesture-required--disable-background-timer-throttling--field-trial-handle=1668,499009601563875864,12511830007210419647,131072--enable-features=WebComponentsV0Enabled--disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess--lang=de--enable-wer--ms-teams-less-cors=522133263--app-user-model-id=com.squirrel.Teams.Teams--app-path=\"C:\\Users\\jocke",
  • "Modulecount":41,
  • "TTPHash":"42AC63285408F5FD91668B16F8E9157FD97046AB63E84117A14E31A188DDC62F",
  • "Imphash":"F14F00FA1D4C82B933279C1A28957252",
  • "sha256":"155625190ECAA90E596CB258A07382184DB738F6EDB626FEE4B9652FA4EC1CC2",
  • "md5":"9453BC2A9CC489505320312F4E6EC21E",
  • "sha1":"7219CB54AC535BA55BC1B202335A6291FDC2D76E",
  • "ProcessIntegrityLevel":"None",
  • "isOndisk":true,
  • "isRunning":true,
  • "Signed":"Signaturevalid",
  • "AuthenticodeHash":"B8AD58EE5C35B3F80C026A318EEA34BABF6609C077CB3D45AEE69BF5C9CF8E11",
  • "Signatures":[
  • {
  • "Subject":"CN=MicrosoftCorporation,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US",
  • "Issuer":"CN=MicrosoftCodeSigningPCA2010,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US",
  • "NotBefore":"15.12.202022:24:20",
  • "NotAfter":"02.12.202122:24:20",
  • "DigestAlgorithmName":"SHA256",
  • "Thumbprint":"E8C15B4C98AD91E051EE5AF5F524A8729050B2A2",
  • "TimestampSignatures":[
  • {
  • "Subject":"CN=MicrosoftTime-StampService,OU=ThalesTSSESN:3BBD-E338-E9A1,OU=MicrosoftAmericaOperations,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US",
  • "Issuer":"CN=MicrosoftTime-StampPCA2010,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US",
  • "NotBefore":"12.11.202019:26:02",
  • "NotAfter":"11.02.202219:26:02",
  • "DigestAlgorithmName":"SHA256",
  • "Thumbprint":"E8220CE2AAD2073A9C8CD78752775E29782AABE8",
  • "Timestamp":"15.06.202100:39:50 02:00"
  • }
  • ]
  • },
  • {
  • "Subject":"CN=MicrosoftCorporation,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US",
  • "Issuer":"CN=MicrosoftCodeSigningPCA2011,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US",
  • "NotBefore":"15.12.202022:31:47",
  • "NotAfter":"02.12.202122:31:47",
  • "DigestAlgorithmName":"SHA256",
  • "Thumbprint":"C774204049D25D30AF9AC2F116B3C1FB88EE00A4",
  • "TimestampSignatures":[
  • {
  • "Subject":"CN=MicrosoftTime-StampService,OU=ThalesTSSESN:F87A-E374-D7B9,OU=MicrosoftOperationsPuertoRico,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US",
  • "Issuer":"CN=MicrosoftTime-StampPCA2010,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US",
  • "NotBefore":"14.01.202120:02:23",
  • "NotAfter":"11.04.202221:02:23",
  • "DigestAlgorithmName":"SHA256",
  • "Thumbprint":"ED2C601EDD49DD2A934D2AB32DCACC19940161EF",
  • "Timestamp":"15.06.202100:39:53 02:00"
  • }
  • ]
  • }
  • ],
  • "ParentProcess":{
  • "EventGuid":null,
  • "StartTime":"2021-07-11T09:54:28.9558001 02:00",
  • "QEventID":100,
  • "QType":"ProcessCreate",
  • "Username":"TEST-OS\\TESTUSER",
  • "Imagefilename":"",
  • "KernelImagefilename":"",
  • "OriginalFilename":"TEAMS.EXE",
  • "Fullpath":"C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
  • "PID":16232,
  • "Commandline":"C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
  • "Modulecount":162,
  • "TTPHash":"",
  • "Imphash":"F14F00FA1D4C82B933279C1A28957252",
  • "sha256":"155625190ECAA90E596CB258A07382184DB738F6EDB626FEE4B9652FA4EC1CC2",
  • "md5":"9453BC2A9CC489505320312F4E6EC21E",
  • "sha1":"7219CB54AC535BA55BC1B202335A6291FDC2D76E",
  • "ProcessIntegrityLevel":"Medium",
  • "isOndisk":true,
  • "isRunning":true,
  • "Signed":"Signaturevalid",
  • "AuthenticodeHash":"B8AD58EE5C35B3F80C026A318EEA34BABF6609C077CB3D45AEE69BF5C9CF8E11",
  • "Signatures":[
  • {
  • "Subject":"CN=MicrosoftCorporation,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US",
  • "Issuer":"CN=MicrosoftCodeSigningPCA2010,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US",
  • "NotBefore":"15.12.202022:24:20",
  • "NotAfter":"02.12.202122:24:20",
  • "DigestAlgorithmName":"SHA256",
  • "Thumbprint":"E8C15B4C98AD91E051EE5AF5F524A8729050B2A2",
  • "TimestampSignatures":[
  • {
  • "Subject":"CN=MicrosoftTime-StampService,OU=ThalesTSSESN:3BBD-E338-E9A1,OU=MicrosoftAmericaOperations,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US",
  • "Issuer":"CN=MicrosoftTime-StampPCA2010,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US",
  • "NotBefore":"12.11.202019:26:02",
  • "NotAfter":"11.02.202219:26:02",
  • "DigestAlgorithmName":"SHA256",
  • "Thumbprint":"E8220CE2AAD2073A9C8CD78752775E29782AABE8",
  • "Timestamp":"15.06.202100:39:50 02:00"
  • }
  • ]
  • },
  • {
  • "Subject":"CN=MicrosoftCorporation,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US",
  • "Issuer":"CN=MicrosoftCodeSigningPCA2011,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US",
  • "NotBefore":"15.12.202022:31:47",
  • "NotAfter":"02.12.202122:31:47",
  • "DigestAlgorithmName":"SHA256",
  • "Thumbprint":"C774204049D25D30AF9AC2F116B3C1FB88EE00A4",
  • "TimestampSignatures":[
  • {
  • "Subject":"CN=MicrosoftTime-StampService,OU=ThalesTSSESN:F87A-E374-D7B9,OU=MicrosoftOperationsPuertoRico,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US",
  • "Issuer":"CN=MicrosoftTime-StampPCA2010,O=MicrosoftCorporation,L=Redmond,S=Washington,C=US",
  • "NotBefore":"14.01.202120:02:23",
  • "NotAfter":"11.04.202221:02:23",
  • "DigestAlgorithmName":"SHA256",
  • "Thumbprint":"ED2C601EDD49DD2A934D2AB32DCACC19940161EF",
  • "Timestamp":"15.06.202100:39:53 02:00"
  • }
  • ]
  • }
  • ],
  • "ParentProcess":null
  • }
  • }
Project link

    Qlog: https://github.com/threathunters-io/QLOG

    Reference: https://threathunters.io/
