defender.mplog
$ target-query <path/to/target> -f defender.mplog
Module |
|
Output |
|
Module documentation
Plugin that parses artifacts created by Microsoft Defender.
This includes the EVTX logs, as well as recovery of artifacts from the quarantine folder.
Function documentation
Return the contents of the Defender MPLog file.