:py:mod:`dissect.target.plugins.os.windows.defender`
====================================================

.. py:module:: dissect.target.plugins.os.windows.defender


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.defender.QuarantineEntry
   dissect.target.plugins.os.windows.defender.QuarantineEntryResource
   dissect.target.plugins.os.windows.defender.MicrosoftDefenderPlugin


Functions
~~~~~~~~~

.. autoapisummary::
   :nosignatures:

   dissect.target.plugins.os.windows.defender.parse_iso_datetime
   dissect.target.plugins.os.windows.defender.filter_records
   dissect.target.plugins.os.windows.defender.rc4_crypt
   dissect.target.plugins.os.windows.defender.recover_quarantined_file_streams


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.defender.DEFENDER_EVTX_FIELDS
   dissect.target.plugins.os.windows.defender.DEFENDER_LOG_DIR
   dissect.target.plugins.os.windows.defender.DEFENDER_LOG_FILENAME_GLOB
   dissect.target.plugins.os.windows.defender.EVTX_PROVIDER_NAME
   dissect.target.plugins.os.windows.defender.DEFENDER_QUARANTINE_DIR
   dissect.target.plugins.os.windows.defender.DEFENDER_KNOWN_DETECTION_TYPES
   dissect.target.plugins.os.windows.defender.DEFENDER_EXCLUSION_KEY
   dissect.target.plugins.os.windows.defender.DefenderLogRecord
   dissect.target.plugins.os.windows.defender.DefenderExclusionRecord
   dissect.target.plugins.os.windows.defender.DefenderQuarantineRecord
   dissect.target.plugins.os.windows.defender.DefenderFileQuarantineRecord
   dissect.target.plugins.os.windows.defender.DEFENDER_QUARANTINE_RC4_KEY
   dissect.target.plugins.os.windows.defender.defender_def
   dissect.target.plugins.os.windows.defender.c_defender
   dissect.target.plugins.os.windows.defender.STREAM_ID
   dissect.target.plugins.os.windows.defender.STREAM_ATTRIBUTES
   dissect.target.plugins.os.windows.defender.FIELD_IDENTIFIER


.. py:data:: DEFENDER_EVTX_FIELDS
   :value: [('datetime', 'ts'), ('uint32', 'EventID'), ('string', 'Provider_Name'), ('string',...

.. py:data:: DEFENDER_LOG_DIR
   :value: 'sysvol/windows/system32/winevt/logs'

.. py:data:: DEFENDER_LOG_FILENAME_GLOB
   :value: 'Microsoft-Windows-Windows Defender*'

.. py:data:: EVTX_PROVIDER_NAME
   :value: 'Microsoft-Windows-Windows Defender'

.. py:data:: DEFENDER_QUARANTINE_DIR
   :value: 'sysvol/programdata/microsoft/windows defender/quarantine'

.. py:data:: DEFENDER_KNOWN_DETECTION_TYPES
   :value: [b'internalbehavior', b'regkey', b'runkey']

.. py:data:: DEFENDER_EXCLUSION_KEY
   :value: 'HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions'

.. py:data:: DefenderLogRecord

.. py:data:: DefenderExclusionRecord

.. py:data:: DefenderQuarantineRecord

.. py:data:: DefenderFileQuarantineRecord

.. py:data:: DEFENDER_QUARANTINE_RC4_KEY
   :value: [30, 135, 120, 27, 141, 186, 168, 68, 206, 105, 112, 44, 12, 120, 183, 134, 163, 246, 35, 183,...

.. py:data:: defender_def
   :value: Multiline-String

   .. code-block:: python

      """
      /* ======== Generic Windows ======== */

      /* https://learn.microsoft.com/en-us/windows/win32/api/winbase/ns-winbase-win32_stream_id */
      enum STREAM_ID {
          DATA                 = 0x00000001,
          EA_DATA              = 0x00000002,
          SECURITY_DATA        = 0x00000003,
          ALTERNATE_DATA       = 0x00000004,
          LINK                 = 0x00000005,
          PROPERTY_DATA        = 0x00000006,
          OBJECT_ID            = 0x00000007,
          REPARSE_DATA         = 0x00000008,
          SPARSE_BLOCK         = 0x00000009,
          TXFS_DATA            = 0x0000000A,
          GHOSTED_FILE_EXTENTS = 0x0000000B,
      };

      flag STREAM_ATTRIBUTES {
          STREAM_NORMAL_ATTRIBUTE              = 0x00000000,
          STREAM_MODIFIED_WHEN_READ            = 0x00000001,
          STREAM_CONTAINS_SECURITY             = 0x00000002,
          STREAM_CONTAINS_PROPERTIES           = 0x00000004,
          STREAM_SPARSE_ATTRIBUTE              = 0x00000008,
          STREAM_CONTAINS_GHOSTED_FILE_EXTENTS = 0x00000010,
      };

      typedef struct _WIN32_STREAM_ID {
          STREAM_ID         StreamId;
          STREAM_ATTRIBUTES StreamAttributes;
          QWORD             Size;
          DWORD             StreamNameSize;
          WCHAR             StreamName[StreamNameSize / 2];
      } WIN32_STREAM_ID;

      /* ======== Defender Specific ======== */

      enum FIELD_IDENTIFIER : WORD {
          CQuaResDataID_File     = 0x02,
          CQuaResDataID_Registry = 0x03,
          Flags                  = 0x0A,
          PhysicalPath           = 0x0C,
          DetectionContext       = 0x0D,
          Unknown                = 0x0E,
          CreationTime           = 0x0F,
          LastAccessTime         = 0x10,
          LastWriteTime          = 0x11
      };

      enum FIELD_TYPE : WORD {
          STRING        = 0x1,
          WSTRING       = 0x2,
          DWORD         = 0x3,
          RESOURCE_DATA = 0x4,
          BYTES         = 0x5,
          QWORD         = 0x6,
      };

      struct QuarantineEntryFileHeader {
          CHAR  MagicHeader[4];
          CHAR  Unknown[4];
          CHAR  _Padding[32];
          DWORD Section1Size;
          DWORD Section2Size;
          DWORD Section1CRC;
          DWORD Section2CRC;
          CHAR  MagicFooter[4];
      };

      struct QuarantineEntrySection1 {
          CHAR  Id[16];
          CHAR  ScanId[16];
          QWORD Timestamp;
          QWORD ThreatId;
          DWORD One;
          CHAR  DetectionName[];
      };

      struct QuarantineEntrySection2 {
          DWORD EntryCount;
          DWORD EntryOffsets[EntryCount];
      };

      struct QuarantineEntryResource {
          WCHAR DetectionPath[];
          WORD  FieldCount;
          CHAR  DetectionType[];
      };

      struct QuarantineEntryResourceField {
          WORD       Size;
          WORD       Identifier:12;
          FIELD_TYPE Type:4;
          CHAR       Data[Size];
      };
      """

.. py:data:: c_defender

.. py:data:: STREAM_ID

.. py:data:: STREAM_ATTRIBUTES

.. py:data:: FIELD_IDENTIFIER


.. py:function:: parse_iso_datetime(datetime_value: str) -> datetime.datetime

   Parse an ISO 8601 serialized datetime that ends in ``Z``.


.. py:function:: filter_records(records: Iterable, field_name: str, field_value: Any) -> Iterator[DefenderLogRecord]

   Apply a filter on an Iterable of records, returning only the records whose ``field_name`` field has the
   given ``field_value``.


.. py:function:: rc4_crypt(data: bytes) -> bytes

   RC4 encrypt / decrypt using the Defender Quarantine RC4 key.


.. py:function:: recover_quarantined_file_streams(fh: BinaryIO, filename: str) -> Iterator[tuple[str, bytes]]

   Recover the various data streams present in a quarantined file.

   Yields tuples of the output filename and the corresponding output data.


.. py:class:: QuarantineEntry(fh: BinaryIO)


.. py:class:: QuarantineEntryResource(fh: BinaryIO)


.. py:class:: MicrosoftDefenderPlugin(target: dissect.target.Target)

   Bases: :py:obj:`dissect.target.plugin.Plugin`

   Plugin that parses artifacts created by Microsoft Defender. This includes the EVTX logs, as well as recovery of
   artifacts from the quarantine folder.

   .. py:attribute:: __namespace__
      :value: 'defender'

   .. py:method:: check_compatible() -> None

      Perform a compatibility check with the target.

      This function should return ``None`` if the plugin is compatible with the current target (``self.target``).
      For example, check if a certain file exists. Otherwise it should raise an ``UnsupportedPluginError``.

      :raises UnsupportedPluginError: If the plugin could not be loaded.

   .. py:method:: evtx() -> Generator[flow.record.Record, None, None]

      Parse Microsoft Defender EVTX log files.

   .. py:method:: quarantine() -> Iterator[Union[DefenderQuarantineRecord, DefenderFileQuarantineRecord]]

      Parse the quarantine folder of Microsoft Defender for quarantine entry resources.

      Quarantine entry resources contain metadata about detected threats that Microsoft Defender has placed in
      quarantine.

   .. py:method:: exclusions() -> Iterator[DefenderExclusionRecord]

      Yield Microsoft Defender exclusions from the Registry.

   .. py:method:: recover(output_dir: pathlib.Path) -> None

      Recover files that have been placed into quarantine by Microsoft Defender.

      Microsoft Defender RC4 encrypts the output of the ``BackupRead`` function when it places a file into
      quarantine. This means multiple data streams can be contained in a single quarantined file, including zone
      identifier information.

   .. py:method:: get_quarantine_entries() -> Iterator[QuarantineEntry]

      Yield Windows Defender quarantine entries.
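An added, stand-alone illustration of the stream recovery that ``recover`` and ``recover_quarantined_file_streams`` describe (example code, not dissect.target's own implementation): it RC4-decrypts a BackupRead buffer and walks the ``WIN32_STREAM_ID`` records defined above, returning the main ``$DATA`` stream and any alternate data stream such as ``Zone.Identifier``. It assumes a placeholder RC4 key (the real one is ``DEFENDER_QUARANTINE_RC4_KEY``), a constructed sample buffer with no leading ResourceData file header, and its own output naming for alternate data streams.

```python
import struct
from collections.abc import Iterator

# Placeholder key (constructed); the real key is DEFENDER_QUARANTINE_RC4_KEY in dissect.target.
RC4_KEY = bytes(range(1, 33))
STREAM_DATA, STREAM_ALTERNATE_DATA = 0x1, 0x4  # STREAM_ID values from the cstruct definition
STREAM_HDR = struct.Struct("<IIQI")  # WIN32_STREAM_ID: StreamId, StreamAttributes, Size, StreamNameSize


def rc4_crypt(data: bytes, key: bytes = RC4_KEY) -> bytes:
    """Plain RC4 (KSA then PRGA); encrypting and decrypting are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def recover_streams(encrypted: bytes, filename: str) -> Iterator[tuple[str, bytes]]:
    """Decrypt a BackupRead buffer and walk its WIN32_STREAM_ID records, yielding (name, bytes)."""
    buf = rc4_crypt(encrypted)
    off = 0
    while off + STREAM_HDR.size <= len(buf):
        stream_id, _attrs, size, name_size = STREAM_HDR.unpack_from(buf, off)
        off += STREAM_HDR.size
        name = buf[off:off + name_size].decode("utf-16-le")  # StreamName is WCHAR[StreamNameSize / 2]
        off += name_size
        data = buf[off:off + size]
        off += size
        if stream_id == STREAM_DATA:
            yield filename, data
        elif stream_id == STREAM_ALTERNATE_DATA:
            # ADS names look like ":Zone.Identifier:$DATA"; the "<file>.<ads>" output name is this example's choice
            yield f"{filename}.{name.strip(':').split(':')[0] or 'ads'}", data
        # security, EA, reparse and other stream types are skipped


def build_stream(stream_id: int, name: str, data: bytes) -> bytes:
    """Build one WIN32_STREAM_ID record (constructed test data, StreamAttributes = 0)."""
    name_b = name.encode("utf-16-le")
    return STREAM_HDR.pack(stream_id, 0, len(data), len(name_b)) + name_b + data


# Constructed sample: a fake executable plus its Mark-of-the-Web stream, RC4-wrapped like a quarantined file
SAMPLE = rc4_crypt(build_stream(STREAM_DATA, "", b"MZ\x90\x00fake-binary")
                   + build_stream(STREAM_ALTERNATE_DATA, ":Zone.Identifier:$DATA", b"[ZoneTransfer]\r\nZoneId=3\r\n"))
```

Calling ``list(recover_streams(SAMPLE, "evil.exe"))`` returns the binary under ``evil.exe`` and the zone information under ``evil.exe.Zone.Identifier``, which is the kind of pair an analyst wants when reconstructing where a quarantined file came from.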