A parser of Windows Defender's DetectionHistory forensic artifact, containing substantial info about quarantined files and executables.

Overview

The files parsed by this application may be found on any Windows system, if they exist, under [root]\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory[numbered folder][File GUID]

NOTES

  • The file header should be of the form: b'0800000008', or else it is not a valid DetectionHistory file.

  • Immediately following the file header and before the first mention of "Magic Version", the GUID of the file is given in Big-Endian(?) representation, capped off by a b'24' at the end, signaling the end of the GUID and beginning of the DetectionHistory data.

  • ThreatTrackingStartTime and all other timestamps are in FILETIME structure (UTC)

You might also like...
Ingestinator is my personal VFX pipeline tool for ingesting folders containing frame sequences that have been pulled and downloaded to a local folder

Ingestinator Ingestinator is my personal VFX pipeline tool for ingesting folders containing frame sequences that have been pulled and downloaded to a

Convert a .vcf file to 'aa_table.tsv', including depth & alt frequency info

Produce an 'amino acid table' file from a vcf, including depth and alt frequency info.

Generating rent availability info from Effort rent

Rent-info Generating rent availability info from Effort rent Pre-Installation Latest version of python Pip module json, os, requests, datetime, time i

SimBiber - A tool for simplifying bibtex with official info

SimBiber: A tool for simplifying bibtex with official info. We often need to sim

GDIT: Geometry Dash Info Tool

GDIT: Geometry Dash Info Tool This is the first large script that allows you to quickly get information from the Geometry Dash server

A repository containing useful resources needed to complete the SUSE Scholarship Challenge #UdacitySUSEScholars #poweredbySUSE
A repository containing useful resources needed to complete the SUSE Scholarship Challenge #UdacitySUSEScholars #poweredbySUSE

SUSE-udacity-cloud-native-scholarship A repository containing useful resources needed to complete the SUSE Scholarship Challenge #UdacitySUSEScholars

This program generates automatically new folders containing old version of program

Automated Folder Versions Generator by Sergiy Grimoldi - V.0.0.2 This program generates automatically new folders containing old version of something

:snake: Complete C99 parser in pure Python

pycparser v2.20 Contents 1 Introduction 1.1 What is pycparser? 1.2 What is it good for? 1.3 Which version of C does pycparser support? 1.4 What gramma

A Gura parser implementation for Python

Gura parser This repository contains the implementation of a Gura format parser in Python. Installation pip install gura-parser Usage import gura gur

Comments
  • Find it frustrating that the documentation doesn't give a single example of a minimal command to try

    Find it frustrating that the documentation doesn't give a single example of a minimal command to try

    Based on reading the readme along with the help message that prints when I try to run the exe, I imagine the usage would be something like:

    ./dhparser.exe -f 'C:\ProgramData\Microsoft\Windows Defender\' -r -o './results.txt'

    ...if I just want to recursively parse any files in the default directory. But rather, I just get a somewhat unhelpful error message:

    usage: dhparser.exe [-h] -f FILE [-g] -o OUTPUT [-r] [-s] [-v]
    dhparser.exe: error: the following arguments are required: -o/--output
    

    However, I've included the options. I just clearly don't understand how to correctly use them. Maybe I missed something obvious in the documentation, but either way I think it would be better practice to have at least one example of a command to try out the tool.

    Edit: That said, thanks for contributing your time toward an open source tool.

    opened by jt0dd 5
  • Create Velociraptor Artifact DefenderDHParser.yaml

    Create Velociraptor Artifact DefenderDHParser.yaml

    This Velociraptor artifact leverages Windows Defender DetectionHistory tool to parse and return the parameters of Windows Defender detections contained in Detection History files.

    opened by eduardomcm 1
  • ERROR: ||[Errno 21] Is a directory

    ERROR: ||[Errno 21] Is a directory

    More detail :'/'|| caught in /. Moving on to next file... 1 of 1 DetectionHistory files found were successfully parsed, with output written to "op.txt" in 0.023249847 seconds.

    I am getting this error when I try to run the script python3 dhparser.py -f /home/kali/Desktop/0.exe.zip -o op.txt even the output file is not generated

    bug 
    opened by v3daxt 1
  • Please double check your research findings

    Please double check your research findings

    From README

    The creation of these files is an after-product of Windows Defender's real-time/cloud-delivered protection(RTP) blocking threats such as Potentially Unwanted Applications (PUAs), viruses, worms, trojans, etc.

    The files appear to be generated even with cloud-delivered protection turned off.

    The file begins with a header, 0x0800000008, taking up the first 5 bytes in every known scenario

    There are files under the MputHistory directory that start with the same 5 bytes that contain different information. So it does not look like to be a "signature" (as in something that uniquely identifies the DetectionHistory files)

    opened by joachimmetz 3
Releases(v1.0.1)
  • v1.0.1(Jan 26, 2022)

  • v1.0(Jan 12, 2022)

    Official release of the DetectionHistory Parser, featuring documentation on a brand new artifact, fleshed out features, and multiple options to tailor the experience.

    Source code(tar.gz)
    Source code(zip)
Owner
Jordan Klepser
Digital Forensics Analyst, Threat Hunter, Machine Learning Enthusiast, Factoid Purveyor
Jordan Klepser
A test repository to build a python package and publish the package to Artifact Registry using GCB

A test repository to build a python package and publish the package to Artifact Registry using GCB. Then have the package be a dependency in a GCF function.

null 1 Feb 9, 2022
Py-Parser est un parser de code python en python encore en plien dévlopement.

PY - PARSER Py-Parser est un parser de code python en python encore en plien dévlopement. Une fois achevé, il servira a de nombreux projets comme glad

pf4 3 Feb 21, 2022
A Linux program to create a Windows USB stick installer from a real Windows DVD or image.

WoeUSB-ng A Linux program to create a Windows USB stick installer from a real Windows DVD or image. This package contains two programs: woeusb: A comm

Longinus 1 Nov 19, 2021
A Python utility belt containing simple tools, a stdlib like feel, and extra batteries. Hashing, Caching, Timing, Progress, and more made easy!

Ubelt is a small library of robust, tested, documented, and simple functions that extend the Python standard library. It has a flat API that all behav

Jon Crall 638 Dec 13, 2022
A timer for bird lovers, plays a random birdcall while displaying its image and info.

Birdcall Timer A timer for bird lovers. Siriema hatchling by Junior Peres Junior Background My partner needed a customizable timer for sitting and sta

Marcelo Sanches 1 Jul 8, 2022
This is a database of 180.000+ symbols containing Equities, ETFs, Funds, Indices, Futures, Options, Currencies, Cryptocurrencies and Money Markets.

Finance Database As a private investor, the sheer amount of information that can be found on the internet is rather daunting.

Jeroen Bouma 1.4k Dec 31, 2022
A repository containing an introduction to Panel made to be support videos and talks.

?? Awesome Panel - Introduction to Panel THIS REPO IS WORK IN PROGRESS. PRE-ALPHA Panel is a very powerful framework for exploratory data analysis and

Marc Skov Madsen 51 Nov 17, 2022
This repository containing cross-section cut and fill calculations using Python programming language.

cross-section This repository is containing cut and fill calculations for cross-section using Python programming language. This codes is made to calcu

null 3 Jun 15, 2022
This is a repository containing the backend and the frontend of a simple pokédex.

Pokémon This is a repository containing the backend and the frontend of a simple pokédex. This is a work in progress project! Project Structure ?? pok

André Rato 1 Nov 28, 2021
⚡KiCad library containing footprints and symbols for inductive analog keyboard switches

Inductive Analog Switches This library contains footprints and symbols for inductive analog keyboard switches for use with the Texas Instruments LDC13

Elias Sjögreen 3 Jun 30, 2022