Windows Defender
What Is MPLog?
The Microsoft Protection Log, or MPLog, is a plain-text log file generated by Windows Defender or Microsoft Security Essentials for troubleshooting purposes.
Forensic Value:
Process execution
Threats detected
Scan results and actions taken
Signature update versions
File existence
File Location:
MPLogs
C:\ProgramData\Microsoft\Windows Defender\Support
Defender Registry:
HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
EVTX Defender Logs:
Microsoft-Windows-Windows Defender\Operational
Microsoft-Windows-Windows Defender\WHC
Parse Data:
MPLogs:
Considerations: Find detections and scanning information, including the SHA1 of the file.
Example:
DETECTION_CLEANEVENT MPSOURCE_REALTIME MP_THREAT_ACTION_QUARANTINE 0x80508023 Backdoor:Win64/CobaltStrike.NP!dha file:\\DC01\ADMIN$\8fe9c39.exe

MPDetection Log:
Considerations: Find Defender detections.
Example:
DETECTION Backdoor:Win64/CobaltStrike.NP!dha file:\\DC01\ADMIN$\8fe9c39.exe

Defender Registry:
Considerations: Check the exclusion paths and policy keys to determine whether Defender has been disabled.

EVTX Defender Logs:
Considerations: The Operational log can be used to discover Defender detections.
ID 1116 - Detected malware.
ID 1117 - Action taken against malware.
ID 5007 - Configuration has changed (exclusion added, Defender disabled, etc.).

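An added example (not from the original page): a small Python parser for the MPLog and MPDetection detection entries quoted above, pulling out the event type, source, action, result code, threat name and file path so a whole log can be triaged at once. It assumes an optional leading ISO-8601 timestamp and treats the MPSOURCE_*, action and hex-code tokens as optional; the sample lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Pattern for the detection entries quoted on this page. Assumptions (not from the
# page): an optional leading ISO-8601 timestamp, and optional MPSOURCE_*, action and
# hex-code tokens so the shorter MPDetection form "DETECTION <threat> file:<path>" fits.
DETECTION_RE = re.compile(
    r"^(?:(?P<ts>\d\S+)\s+)?(?P<event>DETECTION(?:_CLEANEVENT|EVENT)?)\s+"
    r"(?:(?P<source>MPSOURCE_\w+)\s+)?(?:(?P<action>MP_THREAT_ACTION_\w+)\s+)?"
    r"(?:(?P<code>0x[0-9A-Fa-f]+)\s+)?(?P<threat>\S+)\s+(?P<rtype>\w+):(?P<path>.+)$"
)

@dataclass
class Detection:
    timestamp: Optional[str]   # None when the line carries no timestamp
    event: str                 # DETECTION, DETECTIONEVENT or DETECTION_CLEANEVENT
    source: Optional[str]      # e.g. MPSOURCE_REALTIME
    action: Optional[str]      # e.g. MP_THREAT_ACTION_QUARANTINE
    code: Optional[str]        # hex result code, e.g. 0x80508023
    threat: str                # Defender threat name
    resource_type: str         # "file" in the examples above
    path: str

    @property
    def quarantined(self) -> bool:
        return self.action == "MP_THREAT_ACTION_QUARANTINE"

    @property
    def on_remote_share(self) -> bool:
        # UNC path: the detected file sat on another host's share (ADMIN$ above).
        return self.path.startswith("\\\\")

def parse_line(line: str) -> Optional[Detection]:
    """Return a Detection for a detection entry, or None for any other line."""
    m = DETECTION_RE.match(line.strip())
    if not m:
        return None
    return Detection(*m.group("ts", "event", "source", "action", "code",
                              "threat", "rtype", "path"))

def parse_log(text: str) -> List[Detection]:
    return [d for d in map(parse_line, text.splitlines()) if d]

# Constructed sample: the two entries quoted on the page plus one non-detection line.
SAMPLE_LOG = r"""
2024-01-01T00:00:00.000Z constructed non-detection line, skipped by the parser
DETECTION_CLEANEVENT MPSOURCE_REALTIME MP_THREAT_ACTION_QUARANTINE 0x80508023 Backdoor:Win64/CobaltStrike.NP!dha file:\\DC01\ADMIN$\8fe9c39.exe
DETECTION Backdoor:Win64/CobaltStrike.NP!dha file:\\DC01\ADMIN$\8fe9c39.exe
"""
```

Run `parse_log` over the contents of the MPLog or MPDetection files from the Support directory above and filter on `on_remote_share` or `quarantined` to surface the entries worth a closer look.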
Analysis Tips:
Anti-Forensics:
Attackers may wipe the log files and registry locations listed above.