dissect.target.plugins.os.windows.defender

Module Contents

Classes

QuarantineEntry

QuarantineEntryResource

MicrosoftDefenderPlugin

Plugin that parses artifacts created by Microsoft Defender.

Functions

parse_iso_datetime

Parse ISO8601 serialized datetime with Z ending.

filter_records

Apply a filter on an Iterable of records, returning only records that have the given field value for the given field name.

rc4_crypt

RC4 encrypt / decrypt using the Defender Quarantine RC4 Key.

recover_quarantined_file_streams

Recover the various data streams present in a quarantined file.

Attributes

dissect.target.plugins.os.windows.defender.DEFENDER_EVTX_FIELDS = [('datetime', 'ts'), ('uint32', 'EventID'), ('string', 'Provider_Name'), ('string',...
dissect.target.plugins.os.windows.defender.DEFENDER_LOG_DIR = 'sysvol/windows/system32/winevt/logs'
dissect.target.plugins.os.windows.defender.DEFENDER_LOG_FILENAME_GLOB = 'Microsoft-Windows-Windows Defender*'
dissect.target.plugins.os.windows.defender.EVTX_PROVIDER_NAME = 'Microsoft-Windows-Windows Defender'
dissect.target.plugins.os.windows.defender.DEFENDER_QUARANTINE_DIR = 'sysvol/programdata/microsoft/windows defender/quarantine'
dissect.target.plugins.os.windows.defender.DEFENDER_KNOWN_DETECTION_TYPES = [b'internalbehavior', b'regkey', b'runkey']
dissect.target.plugins.os.windows.defender.DEFENDER_EXCLUSION_KEY = 'HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions'
dissect.target.plugins.os.windows.defender.DefenderLogRecord
dissect.target.plugins.os.windows.defender.DefenderExclusionRecord
dissect.target.plugins.os.windows.defender.DefenderQuarantineRecord
dissect.target.plugins.os.windows.defender.DefenderFileQuarantineRecord
dissect.target.plugins.os.windows.defender.DEFENDER_QUARANTINE_RC4_KEY = [30, 135, 120, 27, 141, 186, 168, 68, 206, 105, 112, 44, 12, 120, 183, 134, 163, 246, 35, 183,...
dissect.target.plugins.os.windows.defender.defender_def = Multiline-String
"""
/* ======== Generic Windows ======== */
/* https://learn.microsoft.com/en-us/windows/win32/api/winbase/ns-winbase-win32_stream_id */

enum STREAM_ID {
    DATA                 = 0x00000001,
    EA_DATA              = 0x00000002,
    SECURITY_DATA        = 0x00000003,
    ALTERNATE_DATA       = 0x00000004,
    LINK                 = 0x00000005,
    PROPERTY_DATA        = 0x00000006,
    OBJECT_ID            = 0x00000007,
    REPARSE_DATA         = 0x00000008,
    SPARSE_BLOCK         = 0x00000009,
    TXFS_DATA            = 0x0000000A,
    GHOSTED_FILE_EXTENTS = 0x0000000B,
};

flag STREAM_ATTRIBUTES {
    STREAM_NORMAL_ATTRIBUTE                 = 0x00000000,
    STREAM_MODIFIED_WHEN_READ               = 0x00000001,
    STREAM_CONTAINS_SECURITY                = 0x00000002,
    STREAM_CONTAINS_PROPERTIES              = 0x00000004,
    STREAM_SPARSE_ATTRIBUTE                 = 0x00000008,
    STREAM_CONTAINS_GHOSTED_FILE_EXTENTS    = 0x00000010,
};

typedef struct _WIN32_STREAM_ID {
    STREAM_ID           StreamId;
    STREAM_ATTRIBUTES   StreamAttributes;
    QWORD               Size;
    DWORD               StreamNameSize;
    WCHAR               StreamName[StreamNameSize / 2];
} WIN32_STREAM_ID;

/* ======== Defender Specific ======== */

enum FIELD_IDENTIFIER : WORD {
    CQuaResDataID_File      = 0x02,
    CQuaResDataID_Registry  = 0x03,
    Flags                   = 0x0A,
    PhysicalPath            = 0x0C,
    DetectionContext        = 0x0D,
    Unknown                 = 0x0E,
    CreationTime            = 0x0F,
    LastAccessTime          = 0x10,
    LastWriteTime           = 0x11
};

enum FIELD_TYPE : WORD {
    STRING          = 0x1,
    WSTRING         = 0x2,
    DWORD           = 0x3,
    RESOURCE_DATA   = 0x4,
    BYTES           = 0x5,
    QWORD           = 0x6,
};

struct QuarantineEntryFileHeader {
    CHAR        MagicHeader[4];
    CHAR        Unknown[4];
    CHAR        _Padding[32];
    DWORD       Section1Size;
    DWORD       Section2Size;
    DWORD       Section1CRC;
    DWORD       Section2CRC;
    CHAR        MagicFooter[4];
};

struct QuarantineEntrySection1 {
    CHAR    Id[16];
    CHAR    ScanId[16];
    QWORD   Timestamp;
    QWORD   ThreatId;
    DWORD   One;
    CHAR    DetectionName[];
};

struct QuarantineEntrySection2 {
    DWORD   EntryCount;
    DWORD   EntryOffsets[EntryCount];
};

struct QuarantineEntryResource {
    WCHAR   DetectionPath[];
    WORD    FieldCount;
    CHAR    DetectionType[];
};

struct QuarantineEntryResourceField {
    WORD        Size;
    WORD        Identifier:12;
    FIELD_TYPE  Type:4;
    CHAR        Data[Size];
};
"""
dissect.target.plugins.os.windows.defender.c_defender
dissect.target.plugins.os.windows.defender.STREAM_ID
dissect.target.plugins.os.windows.defender.STREAM_ATTRIBUTES
dissect.target.plugins.os.windows.defender.FIELD_IDENTIFIER
dissect.target.plugins.os.windows.defender.parse_iso_datetime(datetime_value: str) -> datetime.datetime

Parse ISO8601 serialized datetime with Z ending.

dissect.target.plugins.os.windows.defender.filter_records(records: Iterable, field_name: str, field_value: Any) -> Iterator[DefenderLogRecord]

Apply a filter on an Iterable of records, returning only records that have the given field value for the given field name.

dissect.target.plugins.os.windows.defender.rc4_crypt(data: bytes) -> bytes

RC4 encrypt / decrypt using the Defender Quarantine RC4 Key.

dissect.target.plugins.os.windows.defender.recover_quarantined_file_streams(fh: BinaryIO, filename: str) -> Iterator[tuple[str, bytes]]

Recover the various data streams present in a quarantined file.

Yields tuples of the output filename and the corresponding output data.

class dissect.target.plugins.os.windows.defender.QuarantineEntry(fh: BinaryIO)
class dissect.target.plugins.os.windows.defender.QuarantineEntryResource(fh: BinaryIO)
class dissect.target.plugins.os.windows.defender.MicrosoftDefenderPlugin(target: dissect.target.Target)

Bases: dissect.target.plugin.Plugin

Plugin that parses artifacts created by Microsoft Defender.

This includes the EVTX logs, as well as recovery of artefacts from the quarantine folder.

__namespace__ = 'defender'
check_compatible() -> None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

evtx() -> Generator[flow.record.Record, None, None]

Parse Microsoft Defender evtx log files.

quarantine() -> Iterator[DefenderQuarantineRecord | DefenderFileQuarantineRecord]

Parse the quarantine folder of Microsoft Defender for quarantine entry resources.

Quarantine entry resources contain metadata about detected threats that Microsoft Defender has placed in quarantine.

exclusions() -> Iterator[DefenderExclusionRecord]

Yield Microsoft Defender exclusions from the Registry.

recover(output_dir: pathlib.Path) -> None

Recover files that have been placed into quarantine by Microsoft Defender.

Microsoft Defender RC4-encrypts the output of the ‘BackupRead’ function when it places a file into quarantine. This means multiple data streams can be contained in a single quarantined file, including zone identifier information.
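As an added example (not the plugin's own code) of the stream recovery that recover_quarantined_file_streams() and recover() describe: it walks the WIN32_STREAM_ID sequence defined in defender_def over a constructed, already-decrypted BackupRead buffer and names each stream the way the docstring implies. The ':$DATA' suffix handling, the helper names and the sample bytes are assumptions.

```python
import struct
from typing import Iterator

# STREAM_ID values from the WIN32_STREAM_ID definition in defender_def.
STREAM_DATA = 0x00000001
STREAM_ALTERNATE_DATA = 0x00000004
# WIN32_STREAM_ID header (StreamId, StreamAttributes, Size, StreamNameSize), then the
# UTF-16-LE StreamName and Size bytes of stream data.
STREAM_HDR = struct.Struct("<IIQI")

def iter_backup_streams(buf: bytes) -> Iterator[tuple[int, str, bytes]]:
    """Walk a decrypted BackupRead buffer and yield (StreamId, StreamName, data)."""
    off = 0
    while off + STREAM_HDR.size <= len(buf):
        stream_id, _attrs, size, name_size = STREAM_HDR.unpack_from(buf, off)
        off += STREAM_HDR.size
        name = buf[off:off + name_size].decode("utf-16-le")
        off += name_size
        data = buf[off:off + size]
        if len(data) != size:  # header claims more bytes than the buffer holds
            raise ValueError(f"truncated stream {stream_id:#x} at offset {off}")
        off += size
        yield stream_id, name, data

def recover_streams(buf: bytes, filename: str) -> list[tuple[str, bytes]]:
    """Name the recovered streams: DATA gets the original filename, an ALTERNATE_DATA
    stream (e.g. the Zone.Identifier ADS) gets 'filename:stream'."""
    out = []
    for stream_id, name, data in iter_backup_streams(buf):
        if stream_id == STREAM_DATA:
            out.append((filename, data))
        elif stream_id == STREAM_ALTERNATE_DATA:
            # BackupRead names an ADS ':name:$DATA' (assumption); drop the type suffix.
            ads = name[:-len(":$DATA")] if name.endswith(":$DATA") else name
            out.append((filename + ads, data))
        # security descriptors, EAs and other stream types are not written out here
    return out

def build_stream(stream_id: int, name: str, data: bytes) -> bytes:
    """Constructed helper: pack one WIN32_STREAM_ID record for the sample below."""
    name_bytes = name.encode("utf-16-le")
    return STREAM_HDR.pack(stream_id, 0, len(data), len(name_bytes)) + name_bytes + data

# Constructed sample, standing in for the rc4_crypt() output of a quarantine file.
MAIN_DATA = b"MZ\x90\x00constructed-sample-body"
ZONE_DATA = b"[ZoneTransfer]\r\nZoneId=3\r\n"
SAMPLE = build_stream(STREAM_DATA, "", MAIN_DATA)
SAMPLE += build_stream(STREAM_ALTERNATE_DATA, ":Zone.Identifier:$DATA", ZONE_DATA)
```

Writing the returned pairs to output_dir as files reproduces what recover() does; the truncation check matters because a quarantine file cut short on disk would otherwise yield a silently shortened stream.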

get_quarantine_entries() -> Iterator[QuarantineEntry]

Yield Windows Defender quarantine entries.