defender.mpcmdrun

$ target-query <path/to/target> -f defender.mpcmdrun
Details

Module

dissect.target.plugins.os.windows.defender._plugin.MicrosoftDefenderPlugin

Output

records

Module documentation

Plugin that parses artifacts created by Microsoft Defender.

This includes the EVTX logs, as well as recovery of artefacts from the quarantine folder.

Function documentation

Return entries in Defender MpCmdRun.log files from MpCmdRun.exe invocations.

Entries always start with the command line that was used, and often contain a start time. The start time is omitted in some instances.
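As an added illustration of this entry structure (not the plugin's own code), the parser below splits a MpCmdRun.log into one record per invocation and tolerates the missing start time. The exact line layout (dashed separators, "MpCmdRun: Command Line:", "Start Time:", "MpCmdRun: End Time:") and the sample log are assumptions constructed for the example and should be checked against a real log.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Assumed layout (not from the page; verify against a real MpCmdRun.log): dashed separator,
# "MpCmdRun: Command Line: <cmd>", optional " Start Time: <ts>", output, "MpCmdRun: End Time: <ts>".
SEPARATOR = re.compile(r"^-{20,}\s*$")
CMDLINE = re.compile(r"^MpCmdRun: Command Line:\s*(?P<cmd>.*)$")
START = re.compile(r"^\s*Start Time:\s*(?P<ts>.+)$")
END = re.compile(r"^MpCmdRun: End Time:\s*(?P<ts>.+)$")
TS_FORMAT = "%a %b %d %Y %H:%M:%S"  # e.g. "Wed Jan 12 2022 10:23:24"

@dataclass
class MpCmdRunEntry:
    command_line: str
    start_time: Optional[datetime] = None  # stays None when the log omits it
    end_time: Optional[datetime] = None

def parse_timestamp(raw: str) -> Optional[datetime]:
    try:  # Windows date formatting may insert U+200E marks between the fields; drop them
        return datetime.strptime(raw.replace("\u200e", "").strip(), TS_FORMAT)
    except ValueError:
        return None

def parse_mpcmdrun_log(text: str) -> list:
    """Return one MpCmdRunEntry per invocation; a command line always opens an entry."""
    entries, entry = [], None
    for line in text.splitlines():
        if SEPARATOR.match(line):
            entry = None  # the entry was stored when it was opened
        elif m := CMDLINE.match(line):
            entry = MpCmdRunEntry(command_line=m["cmd"].strip())
            entries.append(entry)  # also works when a separator is missing
        elif entry is None:
            continue  # stray text before the first command line
        elif (m := START.match(line)) and entry.start_time is None:
            entry.start_time = parse_timestamp(m["ts"])
        elif m := END.match(line):
            entry.end_time = parse_timestamp(m["ts"])
    return entries

# Constructed sample: the second invocation has no Start Time line.
SAMPLE_LOG = "\n".join([
    "-" * 80,
    'MpCmdRun: Command Line: "C:\\Program Files\\Windows Defender\\MpCmdRun.exe" -Scan -ScanType 1',
    " Start Time: \u200eWed \u200eJan \u200e12 \u200e2022 10:23:24",
    "Scan finished (constructed output line).",
    "MpCmdRun: End Time: \u200eWed \u200eJan \u200e12 \u200e2022 10:24:01",
    "-" * 80,
    'MpCmdRun: Command Line: "C:\\Program Files\\Windows Defender\\MpCmdRun.exe" -RemoveDefinitions -All',
    "-" * 80,
])
```

Records with a missing start time still carry the command line, which is the field worth alerting on (for example definition removal or scan exclusions issued outside a maintenance window).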

References: