.. generated, remove this comment to keep this file

``defender.mpcmdrun``
=====================

.. code-block:: console

    $ target-query -f defender.mpcmdrun

.. list-table:: Details
    :widths: 20 80

    * - Module
      - ``dissect.target.plugins.os.windows.defender._plugin.MicrosoftDefenderPlugin``
    * - Output
      - ``records``

**Module documentation**

Plugin that parses artifacts created by Microsoft Defender.

This includes the EVTX logs, as well as recovery of artifacts from the quarantine folder.

**Function documentation**

Return entries in Defender ``MpCmdRun.log`` files from ``MpCmdRun.exe`` invocations.

Entries always start with the command line that was used, and often contain a start time.
The start time is omitted in some instances.

References:
    - https://learn.microsoft.com/defender-endpoint/command-line-arguments-microsoft-defender-antivirus
    - https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun
    - https://itm4n.github.io/cve-2020-1170-windows-defender-eop
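
The entry structure described above, as an added example that is not dissect's own code: a small parser that splits a log into invocations and keeps entries whose start time is omitted. The line prefixes (``MpCmdRun: Command Line:``, ``Start Time:``), the left-to-right marks in the timestamp and the sample log are assumptions constructed for illustration; ``parse_mpcmdrun`` and the field names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample log (assumed layout, not taken from a real system).
# The second invocation has no "Start Time" line.
SAMPLE_LOG = (
    "-" * 85 + "\n"
    'MpCmdRun: Command Line: "C:\\Program Files\\Windows Defender\\MpCmdRun.exe" -SignatureUpdate\n'
    " Start Time: \u200eMon \u200eJan \u200e15 \u200e2024 09:30:01\n"
    "\n"
    "MpCmdRun: End Time: \u200eMon \u200eJan \u200e15 \u200e2024 09:30:07\n"
    + "-" * 85 + "\n"
    'MpCmdRun: Command Line: "C:\\Program Files\\Windows Defender\\MpCmdRun.exe" -Scan -ScanType 1\n'
    "MpCmdRun: End Time: \u200eMon \u200eJan \u200e15 \u200e2024 10:02:44\n"
)

CMDLINE_RE = re.compile(r"^MpCmdRun: Command Line: (?P<cmd>.+)$", re.MULTILINE)
START_RE = re.compile(r"^\s*Start Time: (?P<ts>.+)$", re.MULTILINE)
TS_FORMAT = "%a %b %d %Y %H:%M:%S"  # assumed timestamp layout, local time


def parse_mpcmdrun(text):
    """Return one dict per invocation: command line plus optional start time."""
    # Strip the left-to-right marks that surround the date components.
    text = text.replace("\u200e", "")
    matches = list(CMDLINE_RE.finditer(text))
    entries = []
    for i, match in enumerate(matches):
        # An entry runs from its command line up to the next command line.
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        body = text[match.end():end]
        start_time = None
        start = START_RE.search(body)
        if start:
            try:
                start_time = datetime.strptime(start.group("ts").strip(), TS_FORMAT)
            except ValueError:
                start_time = None  # unparseable timestamp: keep the entry anyway
        entries.append(
            {"command_line": match.group("cmd").strip(), "start_time": start_time}
        )
    return entries


if __name__ == "__main__":
    for entry in parse_mpcmdrun(SAMPLE_LOG):
        print(entry["start_time"], entry["command_line"])
```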