Windows Defender

How to Use MPLogs for Forensic Investigations | CrowdStrikecrowdstrike.com

My learnings on Microsoft Defender for Endpoint and ExclusionsCodeX

What Is MPLog?

The Microsoft Protection Log, or MPLog, is a plain-text log file generated by Windows Defender or Microsoft Security Essentials for troubleshooting purposes.

Forensic Value:

• Process execution

• Threats detected

• Scan results and actions taken

• Signature update versions

• File existence

File Location:

• MPLogs

  • C:\ProgramData\Microsoft\Windows Defender\Support

• Defender Registry:

  • HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths

  • HKLM\SOFTWARE\Policies\Microsoft\Windows Defender

• EVTX Defender Logs:

  • Microsoft-Windows-Windows Defender\Operational

  • Microsoft-Windows-Windows Defender\WHC

Offline System

Live System

Parse Data:

Considerations:

Example:

MPLogs:

• Find detections and scanning information.

• SHA1 of file

DETECTION_CLEANEVENT MPSOURCE_REALTIME MP_THREAT_ACTION_QUARANTINE 0x80508023 Backdoor:Win64/CobaltStrike.NP!dha file:\\DC01\ADMIN$\8fe9c39.exe

MPDetection Log:

• Find Defender detections.

DETECTION Backdoor:Win64/CobaltStrike.NP!dha file:\\DC01\ADMIN$\8fe9c39.exe

Defender Registry:

• Can look at paths and determine if defender is disabled.

EVTX Defender Logs:

• Operational can be used to discover Defender detections.

  • ID 1116 - Detected malware.

  • ID 1117 - Taken action against malware.

  • ID 5007 - Configuration has changed (exclusion added, defender disabled, etc).

Analysis Tips:

Anti-Forensics:

• Wipe log files and registry locations.