Qlog: a powerful Windows security logging tool
<h3>About Qlog</h3>
<p>
Qlog is a powerful Windows security logging tool that provides enriched event logging for security-relevant events on the Windows operating system. The tool is still under active development and the current release is an alpha. Qlog does not use API hooking and needs no driver installed on the target system; it retrieves its telemetry exclusively through ETW (Event Tracing for Windows). The current version supports only "process creation" events; further enriched event types are to be added later. Qlog can run as a Windows service, but it can also run in console mode, so the enriched event data can be streamed straight to the console for further processing.</p>
<p>
<img title="Qlog: a powerful Windows security logging tool" alt="Qlog: a powerful Windows security logging tool" border="0" src="https://zhuji.jb51.net/uploads/img/202305/a46eb750e5e724ed057e30f6f19cf58d.jpg"></p>
<h3>How it works</h3>
<p>
Qlog reads from ETW and writes the enriched event data to Qlog's own event channel: the tool creates and uses a new event source named "QMonitor" and writes the events into the Windows event log.</p>
<p>
Qlog processes events in the following order:</p>
<ul>
<li>Create an ETW session and subscribe to the relevant kernel and user-mode ETW providers;</li>
<li>Read events from the ETW providers;</li>
<li>Enrich the events;</li>
<li>Write the enriched events to the QLOG event log channel.</li>
</ul>
<h3>Dependencies, installation and usage</h3>
<p>
Qlog requires .NET Framework >= 4.7.2 to be installed and configured on the local system.</p>
<p>
Next, clone the project locally with the following command:</p>
<ol class="dp-xml">
<li class="alt"><span>git clone https://github.com/threathunters-io/QLOG.git</span></li>
</ol>
<p>
Then run Qlog in interactive console mode with the following command:</p>
<ol class="dp-xml">
<li class="alt">
<span><span>qlog.exe</span></span>
</li>
</ol>
<p>
Or run it as a Windows service:</p>
<ol class="dp-xml">
<li class="alt"><span># install the service</span></li>
<li><span>qlog.exe -i</span></li>
<li class="alt"><span># uninstall the service</span></li>
<li><span>qlog.exe -u</span></li>
</ol>
<h3>Process creation event data output</h3>
<ol class="dp-xml">
<li class="alt"><span>{</span></li>
<li><span>  "EventGuid": "68795fe8-67e7-410b-a5c0-8364746d7ffe",</span></li>
<li class="alt"><span>  "StartTime": "2021-07-11T11:06:56.9621746+02:00",</span></li>
<li><span>  "QEventID": 100,</span></li>
<li class="alt"><span>  "QType": "ProcessCreate",</span></li>
<li><span>  "Username": "TESTOS\\TESTUSER",</span></li>
<li class="alt"><span>  "Imagefilename": "TEAMS.EXE",</span></li>
<li><span>  "KernelImagefilename": "TEAMS.EXE",</span></li>
<li class="alt"><span>  "OriginalFilename": "TEAMS.EXE",</span></li>
<li><span>  "Fullpath": "C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",</span></li>
<li class="alt"><span>  "PID": 21740,</span></li>
<li><span>  "Commandline": "\"C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe\" --type=renderer --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --field-trial-handle=1668,499009601563875864,12511830007210419647,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=de --enable-wer --ms-teams-less-cors=522133263 --app-user-model-id=com.squirrel.Teams.Teams --app-path=\"C:\\Users\\jocke",</span></li>
<li class="alt"><span>  "Modulecount": 41,</span></li>
<li><span>  "TTPHash": "42AC63285408F5FD91668B16F8E9157FD97046AB63E84117A14E31A188DDC62F",</span></li>
<li class="alt"><span>  "Imphash": "F14F00FA1D4C82B933279C1A28957252",</span></li>
<li><span>  "sha256": "155625190ECAA90E596CB258A07382184DB738F6EDB626FEE4B9652FA4EC1CC2",</span></li>
<li class="alt"><span>  "md5": "9453BC2A9CC489505320312F4E6EC21E",</span></li>
<li><span>  "sha1": "7219CB54AC535BA55BC1B202335A6291FDC2D76E",</span></li>
<li class="alt"><span>  "ProcessIntegrityLevel": "None",</span></li>
<li><span>  "isOndisk": true,</span></li>
<li class="alt"><span>  "isRunning": true,</span></li>
<li><span>  "Signed": "Signature valid",</span></li>
<li class="alt"><span>  "AuthenticodeHash": "B8AD58EE5C35B3F80C026A318EEA34BABF6609C077CB3D45AEE69BF5C9CF8E11",</span></li>
<li><span>  "Signatures": [</span></li>
<li class="alt"><span>    {</span></li>
<li><span>      "Subject": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",</span></li>
<li class="alt"><span>      "Issuer": "CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",</span></li>
<li><span>      "NotBefore": "15.12.2020 22:24:20",</span></li>
<li class="alt"><span>      "NotAfter": "02.12.2021 22:24:20",</span></li>
<li><span>      "DigestAlgorithmName": "SHA256",</span></li>
<li class="alt"><span>      "Thumbprint": "E8C15B4C98AD91E051EE5AF5F524A8729050B2A2",</span></li>
<li><span>      "TimestampSignatures": [</span></li>
<li class="alt"><span>        {</span></li>
<li><span>          "Subject": "CN=Microsoft Time-Stamp Service, OU=Thales TSS ESN:3BBD-E338-E9A1, OU=Microsoft America Operations, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",</span></li>
<li class="alt"><span>          "Issuer": "CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",</span></li>
<li><span>          "NotBefore": "12.11.2020 19:26:02",</span></li>
<li class="alt"><span>          "NotAfter": "11.02.2022 19:26:02",</span></li>
<li><span>          "DigestAlgorithmName": "SHA256",</span></li>
<li class="alt"><span>          "Thumbprint": "E8220CE2AAD2073A9C8CD78752775E29782AABE8",</span></li>
<li><span>          "Timestamp": "15.06.2021 00:39:50+02:00"</span></li>
<li class="alt"><span>        }</span></li>
<li><span>      ]</span></li>
<li class="alt"><span>    },</span></li>
<li><span>    {</span></li>
<li class="alt"><span>      "Subject": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",</span></li>
<li><span>      "Issuer": "CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",</span></li>
<li class="alt"><span>      "NotBefore": "15.12.2020 22:31:47",</span></li>
<li><span>      "NotAfter": "02.12.2021 22:31:47",</span></li>
<li class="alt"><span>      "DigestAlgorithmName": "SHA256",</span></li>
<li><span>      "Thumbprint": "C774204049D25D30AF9AC2F116B3C1FB88EE00A4",</span></li>
<li class="alt"><span>      "TimestampSignatures": [</span></li>
<li><span>        {</span></li>
<li class="alt"><span>          "Subject": "CN=Microsoft Time-Stamp Service, OU=Thales TSS ESN:F87A-E374-D7B9, OU=Microsoft Operations Puerto Rico, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",</span></li>
<li><span>          "Issuer": "CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",</span></li>
<li class="alt"><span>          "NotBefore": "14.01.2021 20:02:23",</span></li>
<li><span>          "NotAfter": "11.04.2022 21:02:23",</span></li>
<li class="alt"><span>          "DigestAlgorithmName": "SHA256",</span></li>
<li><span>          "Thumbprint": "ED2C601EDD49DD2A934D2AB32DCACC19940161EF",</span></li>
<li class="alt"><span>          "Timestamp": "15.06.2021 00:39:53+02:00"</span></li>
<li><span>        }</span></li>
<li class="alt"><span>      ]</span></li>
<li><span>    }</span></li>
<li class="alt"><span>  ],</span></li>
<li><span>  "ParentProcess": {</span></li>
<li class="alt"><span>    "EventGuid": null,</span></li>
<li><span>    "StartTime": "2021-07-11T09:54:28.9558001+02:00",</span></li>
<li class="alt"><span>    "QEventID": 100,</span></li>
<li><span>    "QType": "ProcessCreate",</span></li>
<li class="alt"><span>    "Username": "TEST-OS\\TESTUSER",</span></li>
<li><span>    "Imagefilename": "",</span></li>
<li class="alt"><span>    "KernelImagefilename": "",</span></li>
<li><span>    "OriginalFilename": "TEAMS.EXE",</span></li>
<li class="alt"><span>    "Fullpath": "C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",</span></li>
<li><span>    "PID": 16232,</span></li>
<li class="alt"><span>    "Commandline": "C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",</span></li>
<li><span>    "Modulecount": 162,</span></li>
<li class="alt"><span>    "TTPHash": "",</span></li>
<li><span>    "Imphash": "F14F00FA1D4C82B933279C1A28957252",</span></li>
<li class="alt"><span>    "sha256": "155625190ECAA90E596CB258A07382184DB738F6EDB626FEE4B9652FA4EC1CC2",</span></li>
<li><span>    "md5": "9453BC2A9CC489505320312F4E6EC21E",</span></li>
<li class="alt"><span>    "sha1": "7219CB54AC535BA55BC1B202335A6291FDC2D76E",</span></li>
<li><span>    "ProcessIntegrityLevel": "Medium",</span></li>
<li class="alt"><span>    "isOndisk": true,</span></li>
<li><span>    "isRunning": true,</span></li>
<li class="alt"><span>    "Signed": "Signature valid",</span></li>
<li><span>    "AuthenticodeHash": "B8AD58EE5C35B3F80C026A318EEA34BABF6609C077CB3D45AEE69BF5C9CF8E11",</span></li>
<li class="alt"><span>    "Signatures": [</span></li>
<li><span>      {</span></li>
<li class="alt"><span>        "Subject": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",</span></li>
<li><span>        "Issuer": "CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",</span></li>
<li class="alt"><span>        "NotBefore": "15.12.2020 22:24:20",</span></li>
<li><span>        "NotAfter": "02.12.2021 22:24:20",</span></li>
<li class="alt"><span>        "DigestAlgorithmName": "SHA256",</span></li>
<li><span>        "Thumbprint": "E8C15B4C98AD91E051EE5AF5F524A8729050B2A2",</span></li>
<li class="alt"><span>        "TimestampSignatures": [</span></li>
<li><span>          {</span></li>
<li class="alt"><span>            "Subject": "CN=Microsoft Time-Stamp Service, OU=Thales TSS ESN:3BBD-E338-E9A1, OU=Microsoft America Operations, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",</span></li>
<li><span>            "Issuer": "CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",</span></li>
<li class="alt"><span>            "NotBefore": "12.11.2020 19:26:02",</span></li>
<li><span>            "NotAfter": "11.02.2022 19:26:02",</span></li>
<li class="alt"><span>            "DigestAlgorithmName": "SHA256",</span></li>
<li><span>            "Thumbprint": "E8220CE2AAD2073A9C8CD78752775E29782AABE8",</span></li>
<li class="alt"><span>            "Timestamp": "15.06.2021 00:39:50+02:00"</span></li>
<li><span>          }</span></li>
<li class="alt"><span>        ]</span></li>
<li><span>      },</span></li>
<li class="alt"><span>      {</span></li>
<li><span>        "Subject": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",</span></li>
<li class="alt"><span>        "Issuer": "CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",</span></li>
<li><span>        "NotBefore": "15.12.2020 22:31:47",</span></li>
<li class="alt"><span>        "NotAfter": "02.12.2021 22:31:47",</span></li>
<li><span>        "DigestAlgorithmName": "SHA256",</span></li>
<li class="alt"><span>        "Thumbprint": "C774204049D25D30AF9AC2F116B3C1FB88EE00A4",</span></li>
<li><span>        "TimestampSignatures": [</span></li>
<li class="alt"><span>          {</span></li>
<li><span>            "Subject": "CN=Microsoft Time-Stamp Service, OU=Thales TSS ESN:F87A-E374-D7B9, OU=Microsoft Operations Puerto Rico, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",</span></li>
<li class="alt"><span>            "Issuer": "CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",</span></li>
<li><span>            "NotBefore": "14.01.2021 20:02:23",</span></li>
<li class="alt"><span>            "NotAfter": "11.04.2022 21:02:23",</span></li>
<li><span>            "DigestAlgorithmName": "SHA256",</span></li>
<li class="alt"><span>            "Thumbprint": "ED2C601EDD49DD2A934D2AB32DCACC19940161EF",</span></li>
<li><span>            "Timestamp": "15.06.2021 00:39:53+02:00"</span></li>
<li class="alt"><span>          }</span></li>
<li><span>        ]</span></li>
<li class="alt"><span>      }</span></li>
<li><span>    ],</span></li>
<li class="alt"><span>    "ParentProcess": null</span></li>
<li><span>  }</span></li>
<li class="alt"><span>}</span></li>
</ol>
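<p>The event above is exactly what a consumer sees on the console or in the QLOG channel, so the natural next step for a defender is to triage it. The following Python script is an added example and is not part of Qlog or of the original article: it loads an event of that shape, walks the ParentProcess chain, and applies a few checks a SOC would typically run on such records (signature state, whether the image is still on disk, an Imagefilename vs. OriginalFilename mismatch, whether the Authenticode countersignature time falls inside the signer certificate's validity window, and whether a child reports a start time earlier than its recorded parent, which points at PID reuse or a broken lineage). The two sample events are constructed from the field names shown above; the hashes are placeholders, the "Not signed" value is an assumption (the page only shows "Signature valid"), and certificate NotBefore/NotAfter values are assumed to be UTC.</p>

```python
"""Triage of Qlog ProcessCreate events.

Added example, not part of Qlog or of the article. Field names follow the
sample event above; the two events below are constructed, hashes are
placeholders, and certificate NotBefore/NotAfter values are assumed to be UTC.
"""
import json
import re
from datetime import datetime, timezone

MS_SUBJECT = "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"

# Constructed: a trimmed copy of the Teams event shown above (parent is the Teams launcher).
BENIGN = {
    "StartTime": "2021-07-11T11:06:56.9621746+02:00",
    "QType": "ProcessCreate",
    "Username": "TESTOS\\TESTUSER",
    "Imagefilename": "TEAMS.EXE",
    "OriginalFilename": "TEAMS.EXE",
    "Fullpath": "C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
    "PID": 21740,
    "sha256": "PLACEHOLDER-SHA256",
    "ProcessIntegrityLevel": "Medium",
    "isOndisk": True,
    "Signed": "Signature valid",
    "Signatures": [{
        "Subject": MS_SUBJECT,
        "NotBefore": "15.12.2020 22:24:20",
        "NotAfter": "02.12.2021 22:24:20",
        "TimestampSignatures": [{"Timestamp": "15.06.2021 00:39:50+02:00"}],
    }],
    "ParentProcess": {
        "StartTime": "2021-07-11T09:54:28.9558001+02:00",
        "QType": "ProcessCreate",
        "Imagefilename": "TEAMS.EXE",
        "OriginalFilename": "TEAMS.EXE",
        "Fullpath": "C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
        "PID": 16232,
        "isOndisk": True,
        "Signed": "Signature valid",
        "Signatures": [],
        "ParentProcess": None,
    },
}

# Constructed: a hypothetical event that should trip several checks.
# "Not signed" is an assumed value; the page only shows "Signature valid".
SUSPICIOUS = {
    "StartTime": "2021-07-11T11:10:00+02:00",
    "QType": "ProcessCreate",
    "Imagefilename": "UPDATER.EXE",
    "OriginalFilename": "SAMPLE.EXE",
    "Fullpath": "C:\\Users\\TESTUSER\\AppData\\Local\\Temp\\updater.exe",
    "PID": 4242,
    "isOndisk": False,
    "Signed": "Not signed",
    "Signatures": [],
    "ParentProcess": {
        "StartTime": "2021-07-11T11:12:00+02:00",  # later than the child: broken lineage
        "QType": "ProcessCreate",
        "Imagefilename": "WINWORD.EXE",
        "OriginalFilename": "WINWORD.EXE",
        "Fullpath": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
        "PID": 3100,
        "isOndisk": True,
        "Signed": "Signature valid",
        "Signatures": [],
        "ParentProcess": None,
    },
}
BENIGN_LINE = json.dumps(BENIGN)  # one JSON line, as a console consumer would read it


def _utc(dt):
    return dt.astimezone(timezone.utc).replace(tzinfo=None)


def parse_start_time(s):
    """Qlog StartTime carries 7 fractional digits; drop them before fromisoformat."""
    return _utc(datetime.fromisoformat(re.sub(r"\.\d+", "", s)))


def parse_cert_time(s):
    """NotBefore/NotAfter as 'DD.MM.YYYY HH:MM:SS' (assumed UTC)."""
    return datetime.strptime(s, "%d.%m.%Y %H:%M:%S")


def parse_timestamp(s):
    """RFC 3161 countersignature time as 'DD.MM.YYYY HH:MM:SS+HH:MM', normalised to UTC."""
    return _utc(datetime.strptime(s, "%d.%m.%Y %H:%M:%S%z"))


def triage(event):
    """Return finding tags for one ProcessCreate event (empty list = nothing notable)."""
    findings = []
    if event.get("Signed") != "Signature valid":
        findings.append("signature-not-valid")
    if not event.get("isOndisk", False):
        findings.append("image-not-on-disk")
    img = event.get("Imagefilename", "").upper()
    orig = event.get("OriginalFilename", "").upper()
    if img and orig and img != orig:  # binary was renamed after build
        findings.append(f"name-mismatch:{img}!={orig}")
    for sig in event.get("Signatures", []):
        not_before = parse_cert_time(sig["NotBefore"])
        not_after = parse_cert_time(sig["NotAfter"])
        for ts in sig.get("TimestampSignatures", []):
            if not not_before <= parse_timestamp(ts["Timestamp"]) <= not_after:
                findings.append("countersignature-outside-signer-validity")
    parent = event.get("ParentProcess")
    if parent and "StartTime" in parent and "StartTime" in event:
        if parse_start_time(event["StartTime"]) < parse_start_time(parent["StartTime"]):
            findings.append("starts-before-recorded-parent")
    return findings


def parent_chain(event):
    """(PID, Fullpath) pairs from the process up through every recorded ancestor."""
    chain, node = [], event
    while node:
        chain.append((node.get("PID"), node.get("Fullpath", "")))
        node = node.get("ParentProcess")
    return chain


def triage_line(line):
    """Triage one JSON line as printed by qlog.exe in console mode."""
    return triage(json.loads(line))


if __name__ == "__main__":
    for ev in (BENIGN, SUSPICIOUS):
        lineage = " <- ".join(f"{pid}:{path.rsplit(chr(92), 1)[-1]}" for pid, path in parent_chain(ev))
        print(lineage, "=>", triage(ev) or "clean")
```

Run as a script it prints the lineage and findings for both sample events; in practice `triage_line` would be fed each line of `qlog.exe` console output. Note that the checks only use fields Qlog already emits, so nothing is re-verified against the binary itself: "Signed" is trusted as Qlog reports it, and the countersignature check merely confirms the recorded timestamp is consistent with the recorded certificate window.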
<h3>Project links</h3>
<p>
Qlog: [GitHub link]</p>
<p>
Reference: https://threathunters.io/</p>
<p>
Original article: https://www.freebuf.com/articles/system/290653.html</p>