search

Windows Defender

LogoHow to Use MPLogs for Forensic Investigations | CrowdStrikeCrowdStrike.comchevron-right
LogoMy learnings on Microsoft Defender for Endpoint and ExclusionsMediumchevron-right

hashtag
What Is MPLog?

The Microsoft Protection Log, or MPLog, is a plain-text log file generated by Windows Defender or Microsoft Security Essentials for troubleshooting purposes.

hashtag
Forensic Value:

  • Process execution

  • Threats detected

  • Scan results and actions taken

  • Signature update versions

  • File existence

hashtag
File Location:

  • MPLogs

    • C:\ProgramData\Microsoft\Windows Defender\Support

  • Defender Registry:

    • HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths

    • HKLM\SOFTWARE\Policies\Microsoft\Windows Defender

  • EVTX Defender Logs:

    • Microsoft-Windows-Windows Defender\Operational

    • Microsoft-Windows-Windows Defender\WHC

hashtag
Parse Data:

hashtag
Considerations:

hashtag
Example:

hashtag
MPLogs:

  • Find detections and scanning information.

  • SHA1 of file

hashtag
MPDetection Log:

  • Find Defender detections.

hashtag
Defender Registry:

  • Can look at paths and determine if defender is disabled.

hashtag
EVTX Defender Logs:

  • Operational can be used to discover Defender detections.

    • ID 1116 - Detected malware.

    • ID 1117 - Taken action against malware.

    • ID 5007 - Configuration has changed (exclusion added, defender disabled, etc).

hashtag
Analysis Tips:

hashtag
Anti-Forensics:

  • Wipe log files and registry locations.

Previous5156 Show App IP ConnectionsNextLOLBins

Last updated