`dissect.target.plugins.os.windows.defender`#

Module Contents#

Classes#

`QuarantineEntry`
`QuarantineEntryResource`
`MicrosoftDefenderPlugin`	Plugin that parses artifacts created by Microsoft Defender.

Functions#

`parse_iso_datetime`	Parse ISO8601 serialized datetime with Z ending.
`filter_records`	Apply a filter on an Iterable of records, returning only records that have the given field value for the given
`rc4_crypt`	RC4 encrypt / decrypt using the Defender Quarantine RC4 Key.
`recover_quarantined_file_streams`	Recover the various data streams present in a quarantined file.

Attributes#

`DEFENDER_EVTX_FIELDS`
`DEFENDER_LOG_DIR`
`DEFENDER_LOG_FILENAME_GLOB`
`EVTX_PROVIDER_NAME`
`DEFENDER_QUARANTINE_DIR`
`DefenderLogRecord`
`DefenderFileQuarantineRecord`
`DefenderBehaviorQuarantineRecord`
`DEFENDER_QUARANTINE_RC4_KEY`
`defender_def`
`c_defender`
`STREAM_ID`
`STREAM_ATTRIBUTES`
`FIELD_IDENTIFIER`

dissect.target.plugins.os.windows.defender.DEFENDER_EVTX_FIELDS = [('uint32', 'EventID'), ('string', 'Provider_Name'), ('string', 'Action_ID'), ('string',...#

dissect.target.plugins.os.windows.defender.DEFENDER_LOG_DIR = 'sysvol/windows/system32/winevt/logs'#

dissect.target.plugins.os.windows.defender.DEFENDER_LOG_FILENAME_GLOB = 'Microsoft-Windows-Windows Defender*'#

dissect.target.plugins.os.windows.defender.EVTX_PROVIDER_NAME = 'Microsoft-Windows-Windows Defender'#

dissect.target.plugins.os.windows.defender.DEFENDER_QUARANTINE_DIR = 'sysvol/programdata/microsoft/windows defender/quarantine'#

dissect.target.plugins.os.windows.defender.DefenderLogRecord#

dissect.target.plugins.os.windows.defender.DefenderFileQuarantineRecord#

dissect.target.plugins.os.windows.defender.DefenderBehaviorQuarantineRecord#

dissect.target.plugins.os.windows.defender.DEFENDER_QUARANTINE_RC4_KEY = [30, 135, 120, 27, 141, 186, 168, 68, 206, 105, 112, 44, 12, 120, 183, 134, 163, 246, 35, 183,...#

dissect.target.plugins.os.windows.defender.defender_def = Multiline-String#

Show Value

"""
/* ======== Generic Windows ======== */
/* https://learn.microsoft.com/en-us/windows/win32/api/winbase/ns-winbase-win32_stream_id */

enum STREAM_ID {
    DATA                 = 0x00000001,
    EA_DATA              = 0x00000002,
    SECURITY_DATA        = 0x00000003,
    ALTERNATE_DATA       = 0x00000004,
    LINK                 = 0x00000005,
    PROPERTY_DATA        = 0x00000006,
    OBJECT_ID            = 0x00000007,
    REPARSE_DATA         = 0x00000008,
    SPARSE_BLOCK         = 0x00000009,
    TXFS_DATA            = 0x0000000A,
    GHOSTED_FILE_EXTENTS = 0x0000000B,
};

flag STREAM_ATTRIBUTES {
    STREAM_NORMAL_ATTRIBUTE                 = 0x00000000,
    STREAM_MODIFIED_WHEN_READ               = 0x00000001,
    STREAM_CONTAINS_SECURITY                = 0x00000002,
    STREAM_CONTAINS_PROPERTIES              = 0x00000004,
    STREAM_SPARSE_ATTRIBUTE                 = 0x00000008,
    STREAM_CONTAINS_GHOSTED_FILE_EXTENTS    = 0x00000010,
};

typedef struct _WIN32_STREAM_ID {
    STREAM_ID           StreamId;
    STREAM_ATTRIBUTES   StreamAttributes;
    QWORD               Size;
    DWORD               StreamNameSize;
    WCHAR               StreamName[StreamNameSize / 2];
} WIN32_STREAM_ID;

/* ======== Defender Specific ======== */

enum FIELD_IDENTIFIER : WORD {
    CQuaResDataID_File      = 0x02,
    CQuaResDataID_Registry  = 0x03,
    Flags                   = 0x0A,
    PhysicalPath            = 0x0C,
    DetectionContext        = 0x0D,
    Unknown                 = 0x0E,
    CreationTime            = 0x0F,
    LastAccessTime          = 0x10,
    LastWriteTime           = 0x11
};

enum FIELD_TYPE : WORD {
    STRING          = 0x1,
    WSTRING         = 0x2,
    DWORD           = 0x3,
    RESOURCE_DATA   = 0x4,
    BYTES           = 0x5,
    QWORD           = 0x6,
};

struct QuarantineEntryFileHeader {
    CHAR        MagicHeader[4];
    CHAR        Unknown[4];
    CHAR        _Padding[32];
    DWORD       Section1Size;
    DWORD       Section2Size;
    DWORD       Section1CrC;
    DWORD       Section2CrC;
    char        MagicFooter[4];
};

struct QuarantineEntrySection1 {
    CHAR    Id[16];
    CHAR    ScanId[16];
    QWORD   Timestamp;
    QWORD   ThreatId;
    DWORD   One;
    CHAR    DetectionName[];
};

struct QuarantineEntrySection2 {
    DWORD   EntryCount;
    DWORD   EntryOffsets[EntryCount];
};

struct QuarantineEntryResource {
    WCHAR   DetectionPath[];
    WORD    FieldCount;
    CHAR    DetectionType[];
};

struct QuarantineEntryResourceField {
    WORD        Size;
    WORD        Identifier:12;
    FIELD_TYPE  Type:4;
    CHAR        Data[Size];
};
"""

dissect.target.plugins.os.windows.defender.c_defender#

dissect.target.plugins.os.windows.defender.STREAM_ID#

dissect.target.plugins.os.windows.defender.STREAM_ATTRIBUTES#

dissect.target.plugins.os.windows.defender.FIELD_IDENTIFIER#

dissect.target.plugins.os.windows.defender.parse_iso_datetime(datetime_value: str) → datetime.datetime#: Parse ISO8601 serialized datetime with Z ending.

dissect.target.plugins.os.windows.defender.filter_records(records: Iterable, field_name: str, field_value: Any) → Iterator[DefenderLogRecord]#: Apply a filter on an Iterable of records, returning only records that have the given field value for the given field name.

dissect.target.plugins.os.windows.defender.rc4_crypt(data: bytes) → bytes#: RC4 encrypt / decrypt using the Defender Quarantine RC4 Key.

dissect.target.plugins.os.windows.defender.recover_quarantined_file_streams(fh: BinaryIO, filename: str) → Iterator[tuple[str, bytes]]#

Recover the various data streams present in a quarantined file.

Yields tuples of the output filename and the corresponding output data.

class dissect.target.plugins.os.windows.defender.QuarantineEntry(fh: BinaryIO)#

class dissect.target.plugins.os.windows.defender.QuarantineEntryResource(fh: BinaryIO)#

class dissect.target.plugins.os.windows.defender.MicrosoftDefenderPlugin(target: dissect.target.Target)#

Bases: dissect.target.plugin.Plugin

Plugin that parses artifacts created by Microsoft Defender.

This includes the EVTX logs, as well as recovery of artefacts from the quarantine folder.

__namespace__ = 'defender'#

check_compatible()#

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:: UnsupportedPluginError – If the plugin could not be loaded.

evtx() → Generator[flow.record.Record, None, None]#: Parse Microsoft Defender evtx log files

quarantine() → Iterator[Union[DefenderFileQuarantineRecord, DefenderBehaviorQuarantineRecord]]#

Parse the quarantine folder of Microsoft Defender for quarantine entry resources.

Quarantine entry resources contain metadata about detected threats that Microsoft Defender has placed in quarantine.

recover(output_dir: pathlib.Path) → None#

Recover files that have been placed into quarantine by Microsoft Defender.

Microsoft Defender RC4 encrypts the output of the ‘BackupRead’ function when it places a file into quarantine. This means multiple data streams can be contained in a single quarantined file, including zone identifier information.

get_quarantine_entries() → Iterator[QuarantineEntry]#: Yield Windows Defender quarantine entries.

dissect.target.plugins.os.windows.defender#

Module Contents#

Classes#

Functions#

Attributes#

`dissect.target.plugins.os.windows.defender`#