dissect.target.plugins.os.windows.defender
Module Contents#
Classes#
Plugin that parses artifacts created by Microsoft Defender. |
Functions#
Parse ISO8601 serialized datetime with Z ending. |
Apply a filter on an Iterable of records, returning only records that have the given field value for the given field name. |
RC4 encrypt / decrypt using the Defender Quarantine RC4 Key. |
Recover the various data streams present in a quarantined file. |
Attributes#
- dissect.target.plugins.os.windows.defender.DEFENDER_EVTX_FIELDS = [('uint32', 'EventID'), ('string', 'Provider_Name'), ('string', 'Action_ID'), ('string',...#
- dissect.target.plugins.os.windows.defender.DEFENDER_LOG_DIR = 'sysvol/windows/system32/winevt/logs'#
- dissect.target.plugins.os.windows.defender.DEFENDER_LOG_FILENAME_GLOB = 'Microsoft-Windows-Windows Defender*'#
- dissect.target.plugins.os.windows.defender.EVTX_PROVIDER_NAME = 'Microsoft-Windows-Windows Defender'#
- dissect.target.plugins.os.windows.defender.DEFENDER_QUARANTINE_DIR = 'sysvol/programdata/microsoft/windows defender/quarantine'#
- dissect.target.plugins.os.windows.defender.DEFENDER_KNOWN_DETECTION_TYPES = [b'internalbehavior', b'regkey', b'runkey']#
- dissect.target.plugins.os.windows.defender.DEFENDER_EXCLUSION_KEY = 'HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions'#
- dissect.target.plugins.os.windows.defender.DefenderLogRecord#
- dissect.target.plugins.os.windows.defender.DefenderExclusionRecord#
- dissect.target.plugins.os.windows.defender.DefenderQuarantineRecord#
- dissect.target.plugins.os.windows.defender.DefenderFileQuarantineRecord#
- dissect.target.plugins.os.windows.defender.DEFENDER_QUARANTINE_RC4_KEY = [30, 135, 120, 27, 141, 186, 168, 68, 206, 105, 112, 44, 12, 120, 183, 134, 163, 246, 35, 183,...#
- dissect.target.plugins.os.windows.defender.defender_def = Multiline-String#
""" /* ======== Generic Windows ======== */ /* https://learn.microsoft.com/en-us/windows/win32/api/winbase/ns-winbase-win32_stream_id */ enum STREAM_ID { DATA = 0x00000001, EA_DATA = 0x00000002, SECURITY_DATA = 0x00000003, ALTERNATE_DATA = 0x00000004, LINK = 0x00000005, PROPERTY_DATA = 0x00000006, OBJECT_ID = 0x00000007, REPARSE_DATA = 0x00000008, SPARSE_BLOCK = 0x00000009, TXFS_DATA = 0x0000000A, GHOSTED_FILE_EXTENTS = 0x0000000B, }; flag STREAM_ATTRIBUTES { STREAM_NORMAL_ATTRIBUTE = 0x00000000, STREAM_MODIFIED_WHEN_READ = 0x00000001, STREAM_CONTAINS_SECURITY = 0x00000002, STREAM_CONTAINS_PROPERTIES = 0x00000004, STREAM_SPARSE_ATTRIBUTE = 0x00000008, STREAM_CONTAINS_GHOSTED_FILE_EXTENTS = 0x00000010, }; typedef struct _WIN32_STREAM_ID { STREAM_ID StreamId; STREAM_ATTRIBUTES StreamAttributes; QWORD Size; DWORD StreamNameSize; WCHAR StreamName[StreamNameSize / 2]; } WIN32_STREAM_ID; /* ======== Defender Specific ======== */ enum FIELD_IDENTIFIER : WORD { CQuaResDataID_File = 0x02, CQuaResDataID_Registry = 0x03, Flags = 0x0A, PhysicalPath = 0x0C, DetectionContext = 0x0D, Unknown = 0x0E, CreationTime = 0x0F, LastAccessTime = 0x10, LastWriteTime = 0x11 }; enum FIELD_TYPE : WORD { STRING = 0x1, WSTRING = 0x2, DWORD = 0x3, RESOURCE_DATA = 0x4, BYTES = 0x5, QWORD = 0x6, }; struct QuarantineEntryFileHeader { CHAR MagicHeader[4]; CHAR Unknown[4]; CHAR _Padding[32]; DWORD Section1Size; DWORD Section2Size; DWORD Section1CrC; DWORD Section2CrC; char MagicFooter[4]; }; struct QuarantineEntrySection1 { CHAR Id[16]; CHAR ScanId[16]; QWORD Timestamp; QWORD ThreatId; DWORD One; CHAR DetectionName[]; }; struct QuarantineEntrySection2 { DWORD EntryCount; DWORD EntryOffsets[EntryCount]; }; struct QuarantineEntryResource { WCHAR DetectionPath[]; WORD FieldCount; CHAR DetectionType[]; }; struct QuarantineEntryResourceField { WORD Size; WORD Identifier:12; FIELD_TYPE Type:4; CHAR Data[Size]; }; """
- dissect.target.plugins.os.windows.defender.c_defender#
- dissect.target.plugins.os.windows.defender.STREAM_ID#
- dissect.target.plugins.os.windows.defender.STREAM_ATTRIBUTES#
- dissect.target.plugins.os.windows.defender.FIELD_IDENTIFIER#
- dissect.target.plugins.os.windows.defender.parse_iso_datetime(datetime_value: str) datetime.datetime #
Parse an ISO 8601 serialized datetime string that ends with a ``Z`` (UTC) suffix into a ``datetime.datetime``.
- dissect.target.plugins.os.windows.defender.filter_records(records: Iterable, field_name: str, field_value: Any) Iterator[DefenderLogRecord] #
Apply a filter on an Iterable of records, returning only records that have the given field value for the given field name.
- dissect.target.plugins.os.windows.defender.rc4_crypt(data: bytes) bytes #
RC4 encrypt / decrypt ``data`` using the fixed Defender quarantine key (``DEFENDER_QUARANTINE_RC4_KEY``). RC4 is a symmetric stream cipher, so the same call performs both directions. Note that the key is a static constant embedded in Defender and reproduced in this module, so the quarantine "encryption" is obfuscation rather than confidentiality: it keeps the quarantined sample inert on disk, but anyone with filesystem access can recover the original content with this function.
- dissect.target.plugins.os.windows.defender.recover_quarantined_file_streams(fh: BinaryIO, filename: str) Iterator[tuple[str, bytes]] #
Recover the various data streams present in a quarantined file, i.e. the RC4-decrypted ``BackupRead`` output: the main data stream plus any alternate data streams (such as the zone identifier / mark-of-the-web) that were captured alongside it.
Yields tuples of the output filename and the corresponding output data, one per recovered stream.
- class dissect.target.plugins.os.windows.defender.QuarantineEntry(fh: BinaryIO)#
- class dissect.target.plugins.os.windows.defender.QuarantineEntryResource(fh: BinaryIO)#
- class dissect.target.plugins.os.windows.defender.MicrosoftDefenderPlugin(target: dissect.target.Target)#
Bases:
dissect.target.plugin.Plugin
Plugin that parses artifacts created by Microsoft Defender.
This includes the EVTX logs, Registry-defined exclusions, and recovery of artifacts from the quarantine folder.
- __namespace__ = 'defender'#
- check_compatible() None #
Perform a compatibility check with the target.
This function should return ``None`` if the plugin is compatible with the current target (``self.target``); for example, check whether a certain file exists. Otherwise it should raise an ``UnsupportedPluginError``.
- Raises:
UnsupportedPluginError – If the plugin could not be loaded.
- evtx() Generator[flow.record.Record, None, None] #
Parse the Microsoft Defender EVTX log files (see ``DEFENDER_LOG_DIR`` and ``DEFENDER_LOG_FILENAME_GLOB``) and yield one record per event.
- quarantine() Iterator[DefenderQuarantineRecord | DefenderFileQuarantineRecord] #
Parse the quarantine folder of Microsoft Defender (``DEFENDER_QUARANTINE_DIR``) for quarantine entry resources.
Quarantine entry resources contain metadata about detected threats that Microsoft Defender has placed in quarantine.
- exclusions() Iterator[DefenderExclusionRecord] #
Yield Microsoft Defender exclusions from the Registry (``DEFENDER_EXCLUSION_KEY``). Excluded paths, extensions and processes are skipped by Defender scanning, and adding exclusions is a well-known defense-evasion step, so unexpected entries here are worth investigating during triage.
- recover(output_dir: pathlib.Path) None #
Recover files that have been placed into quarantine by Microsoft Defender.
Microsoft Defender RC4-encrypts the output of the Win32 ``BackupRead`` function when it places a file into quarantine, so a single quarantined file can contain multiple data streams, including alternate data streams such as the zone identifier (mark-of-the-web). The recovered streams are written under ``output_dir``. Because the recovered data is the original detected content, treat it as potentially malicious: write it to an isolated location and do not execute or open it on the analysis host.
- get_quarantine_entries() Iterator[QuarantineEntry] #
Yield Windows Defender quarantine entries.