-
Notifications
You must be signed in to change notification settings - Fork 189
/
WindowsDefender.tkape
57 lines (56 loc) · 1.96 KB
/
WindowsDefender.tkape
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
Description: Windows Defender Data
Author: Drew Ervin
Version: 1.0
Id: 061aa929-292b-4d7f-a4af-a3fe2673a3e5
RecreateDirectories: true
Targets:
-
Name: Windows Defender Logs
Category: Antivirus
Path: C:\ProgramData\Microsoft\Microsoft AntiMalware\Support\
Recursive: true
-
Name: Windows Defender Event Logs
Category: EventLogs
Path: C:\Windows\System32\winevt\Logs\
FileMask: Microsoft-Windows-Windows Defender*.evtx
-
Name: Windows Defender Event Logs
Category: EventLogs
Path: C:\Windows.old\Windows\System32\winevt\Logs\
FileMask: Microsoft-Windows-Windows Defender*.evtx
-
Name: Windows Defender Logs
Category: Antivirus
Path: C:\ProgramData\Microsoft\Windows Defender\Support\
Recursive: true
-
Name: Windows Defender Logs
Category: Antivirus
Path: C:\Windows\Temp\
FileMask: MpCmdRun.log
-
Name: Windows Defender Logs
Category: Antivirus
Path: C:\Windows.old\Windows\Temp\
FileMask: MpCmdRun.log
-
Name: DetectionHistory
Category: Antivirus
Path: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\*\
Recursive: true
-
Name: Windows Defender Quarantine
Category: Antivirus
Path: C:\ProgramData\Microsoft\Windows Defender\Quarantine\
Recursive: true
-
Name: Windows Defender Detections.log
Category: Antivirus
Path: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\
FileMask: Detections.log
# Documentation
# https://knez.github.io/posts/how-to-extract-quarantine-files-from-windows-defender/
# https://www.crowdstrike.com/blog/how-to-use-microsoft-protection-logging-for-forensic-investigations/
# https://github.com/jklepsercyber/defender-detectionhistory-parser/blob/main/README.md
# https://forensafe.com/blogs/windows_defender.html