TL;DR: Today there is no standard method to deterministically fingerprint a security event; instead, we use file hashes to fingerprint observables such as files. While file hashes are very useful from an IOC perspective, they do not provide any contextual event information, which makes life harder for detection engineers.

TTPHash to the rescue

While working on QLOG we developed the idea of a fingerprint method for entire OS security events, providing a more reliable and less false-positive-prone way to do detection engineering in large-scale networks. We decided to implement a PoC for TTPHash in QLOG for process create events, to have a working piece of software to experiment with.

Anatomy of a TTPHash

Technically, TTPHash is a SHA-256 hash generated from the stable parts of a logged security event on Windows systems. It aims to fingerprint an entire security event, including contextual information, rather than just fingerprinting PE files or binaries based on their ha
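To make the "stable parts" idea concrete, here is an added example of an event fingerprint in the spirit of TTPHash. It is not QLOG's code and not the author's implementation: the post does not list which fields of a process create event it treats as stable, so the field selection (image, parent image, command line, integrity level), the normalization rules, and the sample events below are assumptions constructed for this illustration. Volatile values such as PID, timestamp and logon ID are deliberately excluded so that two runs of the same parent/child/command-line combination yield the same SHA-256 digest.

```python
import hashlib
import json
import re

# Assumed stable parts of a process create event (not taken from the TTPHash post):
# what ran, what launched it, how it was invoked, and at which integrity level.
STABLE_FIELDS = ("image", "parent_image", "command_line", "integrity_level")

# Assumed volatile parts: these change on every execution and never enter the hash.
VOLATILE_FIELDS = ("pid", "parent_pid", "timestamp", "logon_id")

_WS = re.compile(r"\s+")
_GUID = re.compile(r"\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?")


def _normalize_path(path: str) -> str:
    """Lower-case and unify separators so C:\\Windows and c:/windows agree."""
    return path.strip().lower().replace("/", "\\")


def _normalize_cmdline(cmdline: str) -> str:
    """Collapse whitespace, lower-case, and mask GUIDs that differ per run."""
    cmd = _WS.sub(" ", cmdline.strip().lower())
    return _GUID.sub("<guid>", cmd)


def canonicalize(event: dict) -> str:
    """Build the deterministic string the fingerprint is computed over."""
    stable = {
        "image": _normalize_path(event.get("image", "")),
        "parent_image": _normalize_path(event.get("parent_image", "")),
        "command_line": _normalize_cmdline(event.get("command_line", "")),
        "integrity_level": event.get("integrity_level", "").strip().lower(),
    }
    # sort_keys and fixed separators: key order and spacing can never change the hash.
    return json.dumps(stable, sort_keys=True, separators=(",", ":"))


def ttphash(event: dict) -> str:
    """SHA-256 over the canonical form of the event's stable parts."""
    return hashlib.sha256(canonicalize(event).encode("utf-8")).hexdigest()


# Constructed sample events (hypothetical, not real telemetry).
# A and B are the same technique observed twice: only volatile fields, path casing
# and command-line spacing differ. C has a different parent process.
EVENT_A = {
    "timestamp": "2022-03-01T10:00:00Z", "pid": 4120, "parent_pid": 3300, "logon_id": "0x3e7",
    "image": "C:\\Windows\\System32\\cmd.exe",
    "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
    "command_line": "cmd.exe /c  whoami",
    "integrity_level": "Medium",
}
EVENT_B = {
    "timestamp": "2022-03-02T08:15:42Z", "pid": 9001, "parent_pid": 7788, "logon_id": "0x5a21f",
    "image": "c:/windows/system32/cmd.exe",
    "parent_image": "c:/program files/microsoft office/root/office16/winword.exe",
    "command_line": "cmd.exe /c whoami",
    "integrity_level": "medium",
}
EVENT_C = dict(EVENT_A, parent_image="C:\\Windows\\explorer.exe")


def same_fingerprint(a: dict, b: dict) -> bool:
    """True when two events collapse to the same TTPHash-style fingerprint."""
    return ttphash(a) == ttphash(b)


if __name__ == "__main__":
    for name, ev in (("A", EVENT_A), ("B", EVENT_B), ("C", EVENT_C)):
        print(name, ttphash(ev))
```

Because the digest is computed over a canonical JSON string rather than the raw log line, the fingerprint survives cosmetic differences (path casing, separator style, extra whitespace) while still changing as soon as a contextual field such as the parent image differs; that is the property that lets one fingerprint stand in for a whole class of sightings in a detection rule.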
What is QLOG

QLOG provides lightweight userland logging of process create events on Windows, written in C#. It is under development and currently in an experimental state. QLOG uses ETW to collect telemetry; it doesn't use API hooks and it doesn't require a driver to be installed on the target system. Currently QLOG supports "process create" events, but other enriched events may follow soon. QLOG runs as a Windows service, but can also run in console mode if you want to output to the console directly. I've started QLOG to get a better understanding of Windows ETW and some Windows Eventlog APIs. QLOG is a research experiment, please don't use it on production systems.

Update July, 2022

We started QLOG as an experiment to learn more about Windows ETW. QLOG provides enriched logging for process creation events on Windows. We have stopped development of QLOG because in the meantime free tools were published which use ETW for telemetry and do a way better job than QLOG. Curious? Hav