QLOG - Windows Security Logging

<p>QLOG provides enriched event logging for security-related events on Windows systems. It is under heavy development and currently in alpha state. QLOG does not use API hooks and does not require a driver to be installed on the target system; it uses only ETW (Event Tracing for Windows) to retrieve its telemetry. Currently QLOG supports "process create" events only; other enriched events will follow. QLOG runs as a Windows service, but can also run in console mode if you want to stream the enriched events directly to the console.</p>

<span style="font-size: large;"><b>How does it work</b></span>
<p>QLOG reads from ETW, enriches the events and writes the enriched events to the event channel "QLOG". It creates and uses a new event source named "QMonitor" to write to the Windows event log.</p>
<p>The sequence of event processing is:</p>
<ul>
<li>Create an ETW session and subscribe to the relevant kernel and userland ETW providers</li>
<li>Read events from the ETW providers</li>
<li>Enrich the events</li>
<li>Write the enriched events to the event log channel QLOG</li>
</ul>

<span style="font-size: large;"><b>Development &amp; License</b></span>
<p>QLOG is being developed by the threathunters.io community and will be open sourced once it reaches production-grade maturity.</p>

<span style="font-size: large;"><b>Why we created QLOG</b></span>
<p>Sysmon does a great job, but we wanted a tool that is open source and does not require drivers to be installed on target systems. Also, Sysmon is not supported by Microsoft at all, so if you run into problems in production you are on your own. QLOG does not come with support either, but it will be open sourced, so issues can be fixed with the help of the security community and new features developed based on the community's requirements.</p>

<span style="font-size: large;"><b>Usage &amp; install</b></span>
<p>QLOG requires .NET Framework 4.7.2 or later.</p>
<p>To run in interactive console mode, just run:</p>
<pre><code>qlog.exe
</code></pre>
<p>To install or uninstall QLOG as a Windows service, run the following from an elevated prompt (registering a service and creating the "QMonitor" event source both require administrative rights):</p>
<pre><code># install service
qlog.exe -i

# uninstall service
qlog.exe -u
</code></pre>

<span style="font-size: large;"><b>Do you want to contribute?</b></span>
<p>Please see <a href="https://threathunters.io/" rel="nofollow" target="_blank" title="https://threathunters.io/">https://threathunters.io/</a> on how to join the threathunters.io community.</p>

<span style="font-size: large;"><b>Example output of enriched PROCESS CREATE events</b></span>
<p>The child event carries the enrichment (hashes, Authenticode chain with countersignature timestamps, integrity level, on-disk state) and embeds the same enrichment for its parent under <code>ParentProcess</code>. Note that the parent's <code>Imagefilename</code> and <code>TTPHash</code> are empty in this sample because the parent started before QLOG was running.</p>
<pre><code>{
  "EventGuid": "68795fe8-67e7-410b-a5c0-8364746d7ffe",
  "StartTime": "2021-07-11T11:06:56.9621746+02:00",
  "QEventID": 100,
  "QType": "Process Create",
  "Username": "TESTOS\\TESTUSER",
  "Imagefilename": "TEAMS.EXE",
  "KernelImagefilename": "TEAMS.EXE",
  "OriginalFilename": "TEAMS.EXE",
  "Fullpath": "C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
  "PID": 21740,
  "Commandline": "\"C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe\" --type=renderer --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --field-trial-handle=1668,499009601563875864,12511830007210419647,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=de --enable-wer --ms-teams-less-cors=522133263 --app-user-model-id=com.squirrel.Teams.Teams --app-path=\"C:\\Users\\jocke",
  "Modulecount": 41,
  "TTPHash": "42AC63285408F5FD91668B16F8E9157FD97046AB63E84117A14E31A188DDC62F",
  "Imphash": "F14F00FA1D4C82B933279C1A28957252",
  "sha256": "155625190ECAA90E596CB258A07382184DB738F6EDB626FEE4B9652FA4EC1CC2",
  "md5": "9453BC2A9CC489505320312F4E6EC21E",
  "sha1": "7219CB54AC535BA55BC1B202335A6291FDC2D76E",
  "ProcessIntegrityLevel": "None",
  "isOndisk": true,
  "isRunning": true,
  "Signed": "Signature valid",
  "AuthenticodeHash": "B8AD58EE5C35B3F80C026A318EEA34BABF6609C077CB3D45AEE69BF5C9CF8E11",
  "Signatures": [
    {
      "Subject": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
      "Issuer": "CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
      "NotBefore": "15.12.2020 22:24:20",
      "NotAfter": "02.12.2021 22:24:20",
      "DigestAlgorithmName": "SHA256",
      "Thumbprint": "E8C15B4C98AD91E051EE5AF5F524A8729050B2A2",
      "TimestampSignatures": [
        {
          "Subject": "CN=Microsoft Time-Stamp Service, OU=Thales TSS ESN:3BBD-E338-E9A1, OU=Microsoft America Operations, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
          "Issuer": "CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
          "NotBefore": "12.11.2020 19:26:02",
          "NotAfter": "11.02.2022 19:26:02",
          "DigestAlgorithmName": "SHA256",
          "Thumbprint": "E8220CE2AAD2073A9C8CD78752775E29782AABE8",
          "Timestamp": "15.06.2021 00:39:50 +02:00"
        }
      ]
    },
    {
      "Subject": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
      "Issuer": "CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
      "NotBefore": "15.12.2020 22:31:47",
      "NotAfter": "02.12.2021 22:31:47",
      "DigestAlgorithmName": "SHA256",
      "Thumbprint": "C774204049D25D30AF9AC2F116B3C1FB88EE00A4",
      "TimestampSignatures": [
        {
          "Subject": "CN=Microsoft Time-Stamp Service, OU=Thales TSS ESN:F87A-E374-D7B9, OU=Microsoft Operations Puerto Rico, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
          "Issuer": "CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
          "NotBefore": "14.01.2021 20:02:23",
          "NotAfter": "11.04.2022 21:02:23",
          "DigestAlgorithmName": "SHA256",
          "Thumbprint": "ED2C601EDD49DD2A934D2AB32DCACC19940161EF",
          "Timestamp": "15.06.2021 00:39:53 +02:00"
        }
      ]
    }
  ],
  "ParentProcess": {
    "EventGuid": null,
    "StartTime": "2021-07-11T09:54:28.9558001+02:00",
    "QEventID": 100,
    "QType": "Process Create",
    "Username": "TEST-OS\\TESTUSER",
    "Imagefilename": "",
    "KernelImagefilename": "",
    "OriginalFilename": "TEAMS.EXE",
    "Fullpath": "C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
    "PID": 16232,
    "Commandline": "C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe ",
    "Modulecount": 162,
    "TTPHash": "",
    "Imphash": "F14F00FA1D4C82B933279C1A28957252",
    "sha256": "155625190ECAA90E596CB258A07382184DB738F6EDB626FEE4B9652FA4EC1CC2",
    "md5": "9453BC2A9CC489505320312F4E6EC21E",
    "sha1": "7219CB54AC535BA55BC1B202335A6291FDC2D76E",
    "ProcessIntegrityLevel": "Medium",
    "isOndisk": true,
    "isRunning": true,
    "Signed": "Signature valid",
    "AuthenticodeHash": "B8AD58EE5C35B3F80C026A318EEA34BABF6609C077CB3D45AEE69BF5C9CF8E11",
    "Signatures": [
      {
        "Subject": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
        "Issuer": "CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
        "NotBefore": "15.12.2020 22:24:20",
        "NotAfter": "02.12.2021 22:24:20",
        "DigestAlgorithmName": "SHA256",
        "Thumbprint": "E8C15B4C98AD91E051EE5AF5F524A8729050B2A2",
        "TimestampSignatures": [
          {
            "Subject": "CN=Microsoft Time-Stamp Service, OU=Thales TSS ESN:3BBD-E338-E9A1, OU=Microsoft America Operations, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
            "Issuer": "CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
            "NotBefore": "12.11.2020 19:26:02",
            "NotAfter": "11.02.2022 19:26:02",
            "DigestAlgorithmName": "SHA256",
            "Thumbprint": "E8220CE2AAD2073A9C8CD78752775E29782AABE8",
            "Timestamp": "15.06.2021 00:39:50 +02:00"
          }
        ]
      },
      {
        "Subject": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
        "Issuer": "CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
        "NotBefore": "15.12.2020 22:31:47",
        "NotAfter": "02.12.2021 22:31:47",
        "DigestAlgorithmName": "SHA256",
        "Thumbprint": "C774204049D25D30AF9AC2F116B3C1FB88EE00A4",
        "TimestampSignatures": [
          {
            "Subject": "CN=Microsoft Time-Stamp Service, OU=Thales TSS ESN:F87A-E374-D7B9, OU=Microsoft Operations Puerto Rico, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
            "Issuer": "CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
            "NotBefore": "14.01.2021 20:02:23",
            "NotAfter": "11.04.2022 21:02:23",
            "DigestAlgorithmName": "SHA256",
            "Thumbprint": "ED2C601EDD49DD2A934D2AB32DCACC19940161EF",
            "Timestamp": "15.06.2021 00:39:53 +02:00"
          }
        ]
      }
    ],
    "ParentProcess": null
  }
}
</code></pre>

<div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/threathunters-io/QLOG" rel="nofollow" target="_blank" title="Download QLOG">Download QLOG</a></span></b></div>
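<p>The enrichment above is only useful if something consumes it. The following is an added example written for this page, not QLOG's own code: a small set of detection checks run over a process-create event in the JSON layout shown above. It assumes the event message read from the QLOG channel (for instance via <code>Get-WinEvent -LogName QLOG</code>) is that JSON, that certificate dates are printed as <code>dd.MM.yyyy HH:mm:ss</code> in the same local zone as the countersignature <code>Timestamp</code>, and that any <code>Signed</code> value other than <code>"Signature valid"</code> means the image is unsigned or its signature does not verify (the <code>"Not signed"</code> string in the constructed negative case is an assumption, not a value QLOG is known to emit). The sample event is a constructed, shortened copy of the page's Teams.exe output.</p>

```python
"""Detection checks over QLOG enriched "Process Create" events (added example, not QLOG code).

Assumptions: field names as in the page's QEventID 100 sample; certificate dates are
"dd.MM.yyyy HH:mm:ss" (no zone, assumed local); countersignature timestamps are
"dd.MM.yyyy HH:mm:ss +HH:MM"; any "Signed" value != "Signature valid" is treated as unsigned.
"""
import copy
import json
import re
from datetime import datetime

# Constructed sample: a shortened copy of the page's Teams.exe event, same field names.
SAMPLE_EVENT = json.loads(r'''
{
  "StartTime": "2021-07-11T11:06:56.9621746+02:00",
  "QEventID": 100, "QType": "Process Create",
  "Username": "TESTOS\\TESTUSER",
  "Imagefilename": "TEAMS.EXE", "OriginalFilename": "TEAMS.EXE",
  "Fullpath": "C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
  "PID": 21740, "Imphash": "F14F00FA1D4C82B933279C1A28957252",
  "ProcessIntegrityLevel": "None", "isOndisk": true, "Signed": "Signature valid",
  "Signatures": [{
    "Subject": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
    "NotBefore": "15.12.2020 22:24:20", "NotAfter": "02.12.2021 22:24:20",
    "TimestampSignatures": [{"Timestamp": "15.06.2021 00:39:50 +02:00"}]
  }],
  "ParentProcess": {
    "StartTime": "2021-07-11T09:54:28.9558001+02:00",
    "Imagefilename": "", "OriginalFilename": "TEAMS.EXE", "PID": 16232,
    "ProcessIntegrityLevel": "Medium", "isOndisk": true, "Signed": "Signature valid",
    "ParentProcess": null
  }
}
''')

INTEGRITY_RANK = {"Untrusted": 0, "Low": 1, "Medium": 2, "High": 3, "System": 4}


def parse_cert_time(s):
    """Certificate NotBefore/NotAfter as QLOG prints them (no zone; assumed local)."""
    return datetime.strptime(s, "%d.%m.%Y %H:%M:%S")


def parse_start_time(s):
    """StartTime is .NET round-trip format with 7 fractional digits; trim to 6 for fromisoformat."""
    return datetime.fromisoformat(re.sub(r"(\.\d{6})\d+", r"\1", s))


def timestamp_within_validity(sig):
    """True when every countersignature timestamp lies inside the signer cert's validity window.

    Authenticode keeps a signature valid after the signing cert expires only if a trusted
    timestamp proves signing happened while the cert was valid; no timestamp means the
    signature dies with the certificate, so that case is reported as False too.
    """
    not_before, not_after = parse_cert_time(sig["NotBefore"]), parse_cert_time(sig["NotAfter"])
    stamps = sig.get("TimestampSignatures") or []
    if not stamps:
        return False
    for ts in stamps:
        # Drop the offset: assumption is that cert dates are printed in the same local zone.
        when = datetime.strptime(ts["Timestamp"], "%d.%m.%Y %H:%M:%S %z").replace(tzinfo=None)
        if not not_before <= when <= not_after:
            return False
    return True


def lineage(event):
    """Walk the nested ParentProcess objects into a 'child <- parent' string."""
    chain, node = [], event
    while node:
        name = node.get("Imagefilename") or node.get("OriginalFilename") or "?"
        chain.append(f"{name}({node.get('PID')})")
        node = node.get("ParentProcess")
    return " <- ".join(chain)


def evaluate(event, trusted_publisher="CN=Microsoft Corporation"):
    """Return a list of finding tags for one enriched process-create event (empty = clean)."""
    findings = []
    image = (event.get("Imagefilename") or "").upper()
    original = (event.get("OriginalFilename") or "").upper()
    if image and original and image != original:        # renamed binary (masquerading)
        findings.append(f"name-mismatch:{image}!={original}")
    if event.get("Signed") != "Signature valid":
        findings.append("unsigned-or-invalid")
    else:
        sigs = event.get("Signatures") or []
        if not any(s["Subject"].startswith(trusted_publisher) for s in sigs):
            findings.append("untrusted-publisher")
        if not all(timestamp_within_validity(s) for s in sigs):
            findings.append("signature-not-timestamped-in-validity")
    if not event.get("isOndisk", True):                  # image deleted after launch
        findings.append("image-not-on-disk")
    parent = event.get("ParentProcess")
    if parent:
        child_il = INTEGRITY_RANK.get(event.get("ProcessIntegrityLevel"))
        parent_il = INTEGRITY_RANK.get(parent.get("ProcessIntegrityLevel"))
        if child_il is not None and parent_il is not None and child_il > parent_il:
            findings.append("integrity-above-parent")   # elevation between parent and child
        if parse_start_time(event["StartTime"]) < parse_start_time(parent["StartTime"]):
            findings.append("started-before-parent")    # PID reuse or clock skew
    return findings


def suspicious_variant():
    """Constructed negative case: renamed, unsigned, deleted from disk, elevated above parent."""
    ev = copy.deepcopy(SAMPLE_EVENT)
    ev["Imagefilename"] = "SVCHOST.EXE"
    ev["Fullpath"] = "C:\\Users\\TESTUSER\\AppData\\Local\\Temp\\svchost.exe"
    ev["Signed"] = "Not signed"          # assumed wording; only != "Signature valid" matters
    ev["Signatures"] = []
    ev["isOndisk"] = False
    ev["ProcessIntegrityLevel"] = "High"
    return ev


if __name__ == "__main__":
    for ev in (SAMPLE_EVENT, suspicious_variant()):
        print(lineage(ev), "->", evaluate(ev) or "clean")
```

<p>The benign sample comes back clean: both file names agree, the signer is Microsoft, and the countersignature (June 2021) lies inside the signing certificate's validity (December 2020 to December 2021), which is what will keep this signature verifiable after the certificate expires. The constructed variant trips four checks at once, including the <code>isOndisk</code> case that no file-based scanner can see because the image is gone by the time anyone looks. Integrity levels QLOG reports as <code>"None"</code> (as in the sample's child) are skipped by the elevation check rather than guessed at.</p>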

kitploit