{"id":18645,"date":"2021-09-27T15:06:37","date_gmt":"2021-09-27T15:06:37","guid":{"rendered":"https:\/\/kalilinuxtutorials.com\/?p=18645"},"modified":"2021-09-27T15:06:42","modified_gmt":"2021-09-27T15:06:42","slug":"qlog","status":"publish","type":"post","link":"https:\/\/kalilinuxtutorials.com\/qlog\/","title":{"rendered":"QLOG : Windows Security Logging"},"content":{"rendered":"\n<p><strong>QLOG <\/strong>provides enriched event logging for security-related events on Windows-based systems. It is under heavy development and currently in alpha state. QLOG doesn\u2019t use API hooks and doesn\u2019t require a driver to be installed on the target system; it uses only ETW to retrieve its telemetry. Currently QLOG supports \u201cprocess create\u201d events only, but other enriched events will follow soon. QLOG runs as a Windows service, but can also run in console mode if you want to stream the enriched events to the console directly.<\/p>\n\n\n\n<p class=\"has-text-align-center has-vivid-green-cyan-background-color has-background\"><strong>How Does It Work<\/strong><\/p>\n\n\n\n<p>QLOG reads from ETW, enriches events and writes the enriched events to the event log channel \u201cQLOG\u201d. 
It creates and uses a new event source named \u201cQMonitor\u201d to write to the Windows Event Log.<\/p>\n\n\n\n<p>Here is the sequence of event processing:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Create an ETW session and subscribe to the relevant kernel and userland ETW providers<\/li><li>Read events from the ETW providers<\/li><li>Enrich the events<\/li><li>Write the enriched events to the event log channel QLOG<\/li><\/ul>\n\n\n\n<p class=\"has-text-align-center has-vivid-green-cyan-background-color has-background\"><strong>Development &amp; License<\/strong><\/p>\n\n\n\n<p>QLOG is being developed by the threathunters.io community and will be open sourced once it reaches production-grade maturity.<\/p>\n\n\n\n<p class=\"has-text-align-center has-vivid-green-cyan-background-color has-background\"><strong>Why We Created QLOG<\/strong><\/p>\n\n\n\n<p>Sysmon does a great job, but we wanted to create a tool that is open source and doesn&#8217;t require drivers to be installed on target systems. Also, Sysmon is NOT SUPPORTED by Microsoft at all. So, if you run into problems in prod, you&#8217;re on your own. 
Sure, QLOG doesn&#8217;t have support either, but it will be open sourced so we can fix issues with the power of the security community and develop new features based on the requirements of the community.<\/p>\n\n\n\n<p class=\"has-text-align-center has-vivid-green-cyan-background-color has-background\"><strong>Usage &amp; Install<\/strong><\/p>\n\n\n\n<p>QLOG requires .NET Framework &gt;=4.7.2 to be installed.<\/p>\n\n\n\n<p>To run in interactive console mode, just run:<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\">qlog.exe<\/p>\n\n\n\n<p>To install \/ uninstall it as a Windows service, run:<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>#install service<br>qlog.exe -i<br>#uninstall service<br>qlog.exe -u<\/strong><\/p>\n\n\n\n<p class=\"has-text-align-center has-vivid-green-cyan-background-color has-background\"><strong>Example Output Of Enriched PROCESS CREATE Events<\/strong><\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>{<br>&#8220;EventGuid&#8221;: &#8220;68795fe8-67e7-410b-a5c0-8364746d7ffe&#8221;,<br>&#8220;StartTime&#8221;: &#8220;2021-07-11T11:06:56.9621746+02:00&#8221;,<br>&#8220;QEventID&#8221;: 100,<br>&#8220;QType&#8221;: &#8220;Process Create&#8221;,<br>&#8220;Username&#8221;: &#8220;TESTOS\\TESTUSER&#8221;,<br>&#8220;Imagefilename&#8221;: &#8220;TEAMS.EXE&#8221;,<br>&#8220;KernelImagefilename&#8221;: &#8220;TEAMS.EXE&#8221;,<br>&#8220;OriginalFilename&#8221;: &#8220;TEAMS.EXE&#8221;,<br>&#8220;Fullpath&#8221;: &#8220;C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe&#8221;,<br>&#8220;PID&#8221;: 21740,<br>&#8220;Commandline&#8221;: &#8220;\\&#8221;C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe\\&#8221; &#8211;type=renderer 
&#8211;autoplay-policy=no-user-gesture-required &#8211;disable-background-timer-throttling &#8211;field-trial-handle=1668,499009601563875864,12511830007210419647,131072 &#8211;enable-features=WebComponentsV0Enabled &#8211;disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess &#8211;lang=de &#8211;enable-wer &#8211;ms-teams-less-cors=522133263 &#8211;app-user-model-id=com.squirrel.Teams.Teams &#8211;app-path=\\&#8221;C:\\Users\\jocke&#8221;,<br>&#8220;Modulecount&#8221;: 41,<br>&#8220;TTPHash&#8221;: &#8220;42AC63285408F5FD91668B16F8E9157FD97046AB63E84117A14E31A188DDC62F&#8221;,<br>&#8220;Imphash&#8221;: &#8220;F14F00FA1D4C82B933279C1A28957252&#8221;,<br>&#8220;sha256&#8221;: &#8220;155625190ECAA90E596CB258A07382184DB738F6EDB626FEE4B9652FA4EC1CC2&#8221;,<br>&#8220;md5&#8221;: &#8220;9453BC2A9CC489505320312F4E6EC21E&#8221;,<br>&#8220;sha1&#8221;: &#8220;7219CB54AC535BA55BC1B202335A6291FDC2D76E&#8221;,<br>&#8220;ProcessIntegrityLevel&#8221;: &#8220;None&#8221;,<br>&#8220;isOndisk&#8221;: true,<br>&#8220;isRunning&#8221;: true,<br>&#8220;Signed&#8221;: &#8220;Signature valid&#8221;,<br>&#8220;AuthenticodeHash&#8221;: &#8220;B8AD58EE5C35B3F80C026A318EEA34BABF6609C077CB3D45AEE69BF5C9CF8E11&#8221;,<br>&#8220;Signatures&#8221;: [<br>{<br>&#8220;Subject&#8221;: &#8220;CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US&#8221;,<br>&#8220;Issuer&#8221;: &#8220;CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US&#8221;,<br>&#8220;NotBefore&#8221;: &#8220;15.12.2020 22:24:20&#8221;,<br>&#8220;NotAfter&#8221;: &#8220;02.12.2021 22:24:20&#8221;,<br>&#8220;DigestAlgorithmName&#8221;: &#8220;SHA256&#8221;,<br>&#8220;Thumbprint&#8221;: &#8220;E8C15B4C98AD91E051EE5AF5F524A8729050B2A2&#8221;,<br>&#8220;TimestampSignatures&#8221;: [<br>{<br>&#8220;Subject&#8221;: &#8220;CN=Microsoft Time-Stamp Service, OU=Thales TSS ESN:3BBD-E338-E9A1, OU=Microsoft America 
Operations, O=Microsoft Corporation, L=Redmond, S=Washington, C=US&#8221;,<br>&#8220;Issuer&#8221;: &#8220;CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US&#8221;,<br>&#8220;NotBefore&#8221;: &#8220;12.11.2020 19:26:02&#8221;,<br>&#8220;NotAfter&#8221;: &#8220;11.02.2022 19:26:02&#8221;,<br>&#8220;DigestAlgorithmName&#8221;: &#8220;SHA256&#8221;,<br>&#8220;Thumbprint&#8221;: &#8220;E8220CE2AAD2073A9C8CD78752775E29782AABE8&#8221;,<br>&#8220;Timestamp&#8221;: &#8220;15.06.2021 00:39:50 +02:00&#8221;<br>}<br>]<br>},<br>{<br>&#8220;Subject&#8221;: &#8220;CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US&#8221;,<br>&#8220;Issuer&#8221;: &#8220;CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US&#8221;,<br>&#8220;NotBefore&#8221;: &#8220;15.12.2020 22:31:47&#8221;,<br>&#8220;NotAfter&#8221;: &#8220;02.12.2021 22:31:47&#8221;,<br>&#8220;DigestAlgorithmName&#8221;: &#8220;SHA256&#8221;,<br>&#8220;Thumbprint&#8221;: &#8220;C774204049D25D30AF9AC2F116B3C1FB88EE00A4&#8221;,<br>&#8220;TimestampSignatures&#8221;: [<br>{<br>&#8220;Subject&#8221;: &#8220;CN=Microsoft Time-Stamp Service, OU=Thales TSS ESN:F87A-E374-D7B9, OU=Microsoft Operations Puerto Rico, O=Microsoft Corporation, L=Redmond, S=Washington, C=US&#8221;,<br>&#8220;Issuer&#8221;: &#8220;CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US&#8221;,<br>&#8220;NotBefore&#8221;: &#8220;14.01.2021 20:02:23&#8221;,<br>&#8220;NotAfter&#8221;: &#8220;11.04.2022 21:02:23&#8221;,<br>&#8220;DigestAlgorithmName&#8221;: &#8220;SHA256&#8221;,<br>&#8220;Thumbprint&#8221;: &#8220;ED2C601EDD49DD2A934D2AB32DCACC19940161EF&#8221;,<br>&#8220;Timestamp&#8221;: &#8220;15.06.2021 00:39:53 +02:00&#8221;<br>}<br>]<br>}<br>],<br>&#8220;ParentProcess&#8221;: {<br>&#8220;EventGuid&#8221;: null,<br>&#8220;StartTime&#8221;: &#8220;2021-07-11T09:54:28.9558001+02:00&#8221;,<br>&#8220;QEventID&#8221;: 
100,<br>&#8220;QType&#8221;: &#8220;Process Create&#8221;,<br>&#8220;Username&#8221;: &#8220;TEST-OS\\TESTUSER&#8221;,<br>&#8220;Imagefilename&#8221;: &#8220;&#8221;,<br>&#8220;KernelImagefilename&#8221;: &#8220;&#8221;,<br>&#8220;OriginalFilename&#8221;: &#8220;TEAMS.EXE&#8221;,<br>&#8220;Fullpath&#8221;: &#8220;C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe&#8221;,<br>&#8220;PID&#8221;: 16232,<br>&#8220;Commandline&#8221;: &#8220;C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe &#8220;,<br>&#8220;Modulecount&#8221;: 162,<br>&#8220;TTPHash&#8221;: &#8220;&#8221;,<br>&#8220;Imphash&#8221;: &#8220;F14F00FA1D4C82B933279C1A28957252&#8221;,<br>&#8220;sha256&#8221;: &#8220;155625190ECAA90E596CB258A07382184DB738F6EDB626FEE4B9652FA4EC1CC2&#8221;,<br>&#8220;md5&#8221;: &#8220;9453BC2A9CC489505320312F4E6EC21E&#8221;,<br>&#8220;sha1&#8221;: &#8220;7219CB54AC535BA55BC1B202335A6291FDC2D76E&#8221;,<br>&#8220;ProcessIntegrityLevel&#8221;: &#8220;Medium&#8221;,<br>&#8220;isOndisk&#8221;: true,<br>&#8220;isRunning&#8221;: true,<br>&#8220;Signed&#8221;: &#8220;Signature valid&#8221;,<br>&#8220;AuthenticodeHash&#8221;: &#8220;B8AD58EE5C35B3F80C026A318EEA34BABF6609C077CB3D45AEE69BF5C9CF8E11&#8221;,<br>&#8220;Signatures&#8221;: [<br>{<br>&#8220;Subject&#8221;: &#8220;CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US&#8221;,<br>&#8220;Issuer&#8221;: &#8220;CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US&#8221;,<br>&#8220;NotBefore&#8221;: &#8220;15.12.2020 22:24:20&#8221;,<br>&#8220;NotAfter&#8221;: &#8220;02.12.2021 22:24:20&#8221;,<br>&#8220;DigestAlgorithmName&#8221;: &#8220;SHA256&#8221;,<br>&#8220;Thumbprint&#8221;: &#8220;E8C15B4C98AD91E051EE5AF5F524A8729050B2A2&#8221;,<br>&#8220;TimestampSignatures&#8221;: [<br>{<br>&#8220;Subject&#8221;: &#8220;CN=Microsoft Time-Stamp Service, OU=Thales TSS ESN:3BBD-E338-E9A1, OU=Microsoft America Operations, O=Microsoft 
Corporation, L=Redmond, S=Washington, C=US&#8221;,<br>&#8220;Issuer&#8221;: &#8220;CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US&#8221;,<br>&#8220;NotBefore&#8221;: &#8220;12.11.2020 19:26:02&#8221;,<br>&#8220;NotAfter&#8221;: &#8220;11.02.2022 19:26:02&#8221;,<br>&#8220;DigestAlgorithmName&#8221;: &#8220;SHA256&#8221;,<br>&#8220;Thumbprint&#8221;: &#8220;E8220CE2AAD2073A9C8CD78752775E29782AABE8&#8221;,<br>&#8220;Timestamp&#8221;: &#8220;15.06.2021 00:39:50 +02:00&#8221;<br>}<br>]<br>},<br>{<br>&#8220;Subject&#8221;: &#8220;CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US&#8221;,<br>&#8220;Issuer&#8221;: &#8220;CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US&#8221;,<br>&#8220;NotBefore&#8221;: &#8220;15.12.2020 22:31:47&#8221;,<br>&#8220;NotAfter&#8221;: &#8220;02.12.2021 22:31:47&#8221;,<br>&#8220;DigestAlgorithmName&#8221;: &#8220;SHA256&#8221;,<br>&#8220;Thumbprint&#8221;: &#8220;C774204049D25D30AF9AC2F116B3C1FB88EE00A4&#8221;,<br>&#8220;TimestampSignatures&#8221;: [<br>{<br>&#8220;Subject&#8221;: &#8220;CN=Microsoft Time-Stamp Service, OU=Thales TSS ESN:F87A-E374-D7B9, OU=Microsoft Operations Puerto Rico, O=Microsoft Corporation, L=Redmond, S=Washington, C=US&#8221;,<br>&#8220;Issuer&#8221;: &#8220;CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US&#8221;,<br>&#8220;NotBefore&#8221;: &#8220;14.01.2021 20:02:23&#8221;,<br>&#8220;NotAfter&#8221;: &#8220;11.04.2022 21:02:23&#8221;,<br>&#8220;DigestAlgorithmName&#8221;: &#8220;SHA256&#8221;,<br>&#8220;Thumbprint&#8221;: &#8220;ED2C601EDD49DD2A934D2AB32DCACC19940161EF&#8221;,<br>&#8220;Timestamp&#8221;: &#8220;15.06.2021 00:39:53 +02:00&#8221;<br>}<br>]<br>}<br>],<br>&#8220;ParentProcess&#8221;: null<br>}<br>}<\/strong><\/p>\n\n\n\n<div class=\"wp-block-buttons is-content-justification-center is-layout-flex wp-block-buttons-is-layout-flex\">\n<div 
class=\"wp-block-button is-style-outline is-style-outline--1\"><a class=\"wp-block-button__link has-vivid-cyan-blue-background-color has-background\" href=\"https:\/\/github.com\/threathunters-io\/QLOG\"><strong>Download<\/strong><\/a><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>QLOG provides enriched Event Logging for security related events on Windows based systems. It is under heavy development and currently in alpha state. QLOG doesn\u2019t use API hooks and it doesn\u2019t require a driver to be installed on the target system, QLOG only uses ETW to retrieve its telemetry. Currently QLOG supports \u201cprocess create\u201d events [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":18655,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/1.bp.blogspot.com\/-jew4CrdY_xM\/YUryYNyzLYI\/AAAAAAAAK6I\/aIBqAgr0Qewy7u56HRDQQLGZVATrsuQCwCLcBGAsYHQ\/s539\/event-1104%2B%25281%2529.png","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[28],"tags":[4216,4217,3714],"class_list":["post-18645","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-kali","tag-qlog","tag-security-logging","tag-windows"],"yoast_head_json":{"title":"QLOG : Windows Security Logging !!! Kali Linux Tutorials","description":"QLOG provides enriched Event Logging for security related events on Windows based systems. It is under heavy development.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/kalilinuxtutorials.com\/qlog\/","og_locale":"en_US","og_type":"article","og_title":"QLOG : Windows Security Logging !!! 
Kali Linux Tutorials","og_description":"QLOG provides enriched Event Logging for security related events on Windows based systems. It is under heavy development.","og_url":"https:\/\/kalilinuxtutorials.com\/qlog\/","og_site_name":"Kali Linux Tutorials","article_published_time":"2021-09-27T15:06:37+00:00","article_modified_time":"2021-09-27T15:06:42+00:00","og_image":[{"url":"https:\/\/1.bp.blogspot.com\/-jew4CrdY_xM\/YUryYNyzLYI\/AAAAAAAAK6I\/aIBqAgr0Qewy7u56HRDQQLGZVATrsuQCwCLcBGAsYHQ\/s539\/event-1104%2B%25281%2529.png","type":"","width":"","height":""}],"author":"R K","twitter_card":"summary_large_image","twitter_image":"https:\/\/1.bp.blogspot.com\/-jew4CrdY_xM\/YUryYNyzLYI\/AAAAAAAAK6I\/aIBqAgr0Qewy7u56HRDQQLGZVATrsuQCwCLcBGAsYHQ\/s539\/event-1104%2B%25281%2529.png","twitter_creator":"@CyberEdition","twitter_site":"@CyberEdition","twitter_misc":{"Written by":"R K","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/kalilinuxtutorials.com\/qlog\/#article","isPartOf":{"@id":"https:\/\/kalilinuxtutorials.com\/qlog\/"},"author":{"name":"R K","@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/69444b58b9e267a4cf08fceb34b6f6ad"},"headline":"QLOG : Windows Security Logging","datePublished":"2021-09-27T15:06:37+00:00","dateModified":"2021-09-27T15:06:42+00:00","mainEntityOfPage":{"@id":"https:\/\/kalilinuxtutorials.com\/qlog\/"},"wordCount":992,"commentCount":0,"publisher":{"@id":"https:\/\/kalilinuxtutorials.com\/#organization"},"image":{"@id":"https:\/\/kalilinuxtutorials.com\/qlog\/#primaryimage"},"thumbnailUrl":"https:\/\/1.bp.blogspot.com\/-jew4CrdY_xM\/YUryYNyzLYI\/AAAAAAAAK6I\/aIBqAgr0Qewy7u56HRDQQLGZVATrsuQCwCLcBGAsYHQ\/s539\/event-1104%2B%25281%2529.png","keywords":["QLOG","Security Logging","windows"],"articleSection":["Kali 
Linux"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/kalilinuxtutorials.com\/qlog\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/kalilinuxtutorials.com\/qlog\/","url":"https:\/\/kalilinuxtutorials.com\/qlog\/","name":"QLOG : Windows Security Logging !!! Kali Linux Tutorials","isPartOf":{"@id":"https:\/\/kalilinuxtutorials.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/kalilinuxtutorials.com\/qlog\/#primaryimage"},"image":{"@id":"https:\/\/kalilinuxtutorials.com\/qlog\/#primaryimage"},"thumbnailUrl":"https:\/\/1.bp.blogspot.com\/-jew4CrdY_xM\/YUryYNyzLYI\/AAAAAAAAK6I\/aIBqAgr0Qewy7u56HRDQQLGZVATrsuQCwCLcBGAsYHQ\/s539\/event-1104%2B%25281%2529.png","datePublished":"2021-09-27T15:06:37+00:00","dateModified":"2021-09-27T15:06:42+00:00","description":"QLOG provides enriched Event Logging for security related events on Windows based systems. It is under heavy development.","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/kalilinuxtutorials.com\/qlog\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/kalilinuxtutorials.com\/qlog\/#primaryimage","url":"https:\/\/1.bp.blogspot.com\/-jew4CrdY_xM\/YUryYNyzLYI\/AAAAAAAAK6I\/aIBqAgr0Qewy7u56HRDQQLGZVATrsuQCwCLcBGAsYHQ\/s539\/event-1104%2B%25281%2529.png","contentUrl":"https:\/\/1.bp.blogspot.com\/-jew4CrdY_xM\/YUryYNyzLYI\/AAAAAAAAK6I\/aIBqAgr0Qewy7u56HRDQQLGZVATrsuQCwCLcBGAsYHQ\/s539\/event-1104%2B%25281%2529.png","width":"539","height":"380"},{"@type":"WebSite","@id":"https:\/\/kalilinuxtutorials.com\/#website","url":"https:\/\/kalilinuxtutorials.com\/","name":"Kali Linux Tutorials","description":"Kali Linux 
Tutorials","publisher":{"@id":"https:\/\/kalilinuxtutorials.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/kalilinuxtutorials.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/kalilinuxtutorials.com\/#organization","name":"Kali Linux Tutorials","url":"https:\/\/kalilinuxtutorials.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/","url":"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png","contentUrl":"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png","width":272,"height":90,"caption":"Kali Linux Tutorials"},"image":{"@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/CyberEdition","https:\/\/www.threads.com\/@cybersecurityedition","https:\/\/www.linkedin.com\/company\/cyberedition","https:\/\/www.instagram.com\/cybersecurityedition\/"]},{"@type":"Person","@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/69444b58b9e267a4cf08fceb34b6f6ad","name":"R K","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d3937c9687f2da11bc0a716404ff91779fe19ca115208dbf66167ad353aca5aa?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d3937c9687f2da11bc0a716404ff91779fe19ca115208dbf66167ad353aca5aa?s=96&d=mm&r=g","caption":"R 
K"},"url":"https:\/\/kalilinuxtutorials.com\/author\/ranjith\/"}]}},"jetpack_featured_media_url":"https:\/\/1.bp.blogspot.com\/-jew4CrdY_xM\/YUryYNyzLYI\/AAAAAAAAK6I\/aIBqAgr0Qewy7u56HRDQQLGZVATrsuQCwCLcBGAsYHQ\/s539\/event-1104%2B%25281%2529.png","jetpack_sharing_enabled":true}