defender.recover

$ target-query <path/to/target> -f defender.recover
Details

Module

os.windows.defender.MicrosoftDefenderPlugin

Output

no output

Module documentation

Plugin that parses artifacts created by Microsoft Defender.

This includes the EVTX logs, as well as recovery of artifacts from the quarantine folder.

Function documentation

Recover files that have been placed into quarantine by Microsoft Defender.

Microsoft Defender encrypts the output of the Win32 'BackupRead' function with RC4 when it places a file into quarantine. Because BackupRead serialises every stream of a file, a single quarantined file can contain multiple data streams, including the Zone.Identifier alternate data stream that records where the file was downloaded from.
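As an added illustration of the quarantine layout described above (example code written for this page, not the plugin's own implementation), the script below RC4-decrypts a constructed quarantine blob and walks the BackupRead stream records it contains, recovering the main file data and the ZoneId from the Zone.Identifier alternate data stream. The RC4 key is a constructed placeholder rather than Defender's real key, and the sample blob is built inside the script.

```python
import re
import struct

BACKUP_DATA = 0x1            # WIN32_STREAM_ID.dwStreamId: the file's main data stream
BACKUP_ALTERNATE_DATA = 0x4  # an alternate data stream such as Zone.Identifier
SAMPLE_KEY = b"constructed-placeholder-key"  # placeholder only; NOT Defender's real key

def rc4(key, data):
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def parse_backup_streams(buf):
    """Walk WIN32_STREAM_ID records: id, attributes, 64-bit size, name size, UTF-16LE name, then data."""
    streams, off = [], 0
    while off + 20 <= len(buf):
        stream_id, _attrs, size, name_size = struct.unpack_from("<IIQI", buf, off)
        off += 20
        name = buf[off:off + name_size].decode("utf-16-le")
        off += name_size
        streams.append((stream_id, name, buf[off:off + size]))
        off += size
    return streams

def recover(blob, key):
    """Decrypt a quarantine blob; return (main file bytes, ZoneId from the ADS or None)."""
    streams = parse_backup_streams(rc4(key, blob))
    file_data = b"".join(d for sid, _, d in streams if sid == BACKUP_DATA)
    ads = [d for sid, n, d in streams if sid == BACKUP_ALTERNATE_DATA and "Zone.Identifier" in n]
    match = re.search(rb"ZoneId=(\d+)", ads[0]) if ads else None
    return file_data, (int(match.group(1)) if match else None)

def build_stream(stream_id, name, data):  # one WIN32_STREAM_ID record; used only to build the sample
    name_bytes = name.encode("utf-16-le")
    return struct.pack("<IIQI", stream_id, 0, len(data), len(name_bytes)) + name_bytes + data

# Constructed sample: main data stream plus a Zone.Identifier ADS, then RC4-encrypted.
SAMPLE_PLAIN = (build_stream(BACKUP_DATA, "", b"MZ\x90\x00constructed sample file body")
                + build_stream(BACKUP_ALTERNATE_DATA, ":Zone.Identifier:$DATA", b"[ZoneTransfer]\r\nZoneId=3\r\n"))
SAMPLE_QUARANTINE = rc4(SAMPLE_KEY, SAMPLE_PLAIN)
```

A recovered ZoneId of 3 marks the file as having come from the Internet zone, which is the provenance detail an analyst usually wants alongside the file itself.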