Windows Defender

How to Use MPLogs for Forensic Investigations | CrowdStrikecrowdstrike.com

My learnings on Microsoft Defender for Endpoint and ExclusionsCodeX

What Is MPLog?

The Microsoft Protection Log, or MPLog, is a plain-text log file generated by Windows Defender or Microsoft Security Essentials for troubleshooting purposes.

Forensic Value:

Process execution
Threats detected
Scan results and actions taken
Signature update versions
File existence

File Location:

MPLogs
- C:\ProgramData\Microsoft\Windows Defender\Support
Defender Registry:
- HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
- HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
EVTX Defender Logs:
- Microsoft-Windows-Windows Defender\Operational
- Microsoft-Windows-Windows Defender\WHC

Parse Data:

Considerations:

Example:

MPLogs:

Find detections and scanning information.
SHA1 of file

DETECTION_CLEANEVENT MPSOURCE_REALTIME MP_THREAT_ACTION_QUARANTINE 0x80508023 Backdoor:Win64/CobaltStrike.NP!dha file:\\DC01\ADMIN$\8fe9c39.exe

MPDetection Log:

Find Defender detections.

DETECTION Backdoor:Win64/CobaltStrike.NP!dha file:\\DC01\ADMIN$\8fe9c39.exe

Defender Registry:

Can look at paths and determine if defender is disabled.

EVTX Defender Logs:

Operational can be used to discover Defender detections.
- ID 1116 - Detected malware.
- ID 1117 - Taken action against malware.
- ID 5007 - Configuration has changed (exclusion added, defender disabled, etc).

Analysis Tips:

Anti-Forensics:

Wipe log files and registry locations.

Previous5156 Show App IP Connections NextLOLBins

Last updated 1 year ago