Automatically generated based on tag:

Columns: Title, Type, Summary, Location.
Title: ETW - Integrity
Type: Page
Summary:
The Windows event logs can be tampered with in a number of ways, potentially impacting their integrity.

Two categories of Windows event log tampering can be distinguished:
- Tampering with the Event Log service, to avoid the generation of new events.
- Tampering with existing Windows events, to delete traces of past activities. The log file / channel can be deleted altogether, or events can be deleted or tampered with individually.

Main events:

Channel: Security.
Event ID 1102: "The audit log was cleared".

Channel: System.
Event ID 104: "The <CHANNEL> log file was cleared".
Event ID 7040: "The start type of the Windows Event Log service was changed from auto start to disabled".

Location:
Channel: Security.
Events: 1100, 1102.

Channel: System.
Events: 104, 7001, 7040.

Title: ETW - Windows Defender
Type: Page
Summary:
Windows Defender activity, such as malware detection or configuration change.

Main events:

Channel: Microsoft-Windows-Windows Defender/Operational.
Event ID 1116: "The antimalware engine found malware or other potentially unwanted software".
Event ID 5001: "Real-time protection is disabled".
Event ID 5007: "The antimalware platform configuration changed".

Location:
Channel: Microsoft-Windows-Windows Defender/Operational.
Events: 1006, 1007, 1008, 1009, 1010, 1011, 1012, 1013, 1015, 1116, 1117, 1118, 1119, 1121, 1122, 5001, 5007, 5010, 5012, 5013.

Title: ETW - Windows Firewall
Type: Page
Summary:
Windows Firewall activity, such as configuration changes and rule creation, modification, or deletion.

Main events:

Channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall.
Event ID 2003: "A Windows Defender Firewall setting in the <Domain | Private | Public> profile has changed".
Events 2004, 2071, and 2097 (depending on the Windows operating system version): "A rule has been added to the Windows Defender Firewall exception list".
Events 2005 and 2099 (depending on the Windows operating system version): "A rule has been modified in the Windows Defender Firewall exception list".

Location:
Channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall.
Events: 2002, 2003, 2004, 2005, 2006, 2033, 2052, 2071, 2097, 2099.

Channel: Security (events not enabled by default).
Events: 4946, 4947, 4948, 4950.

Title: NTFS - MACB timestamps and timestomping
Type: Page
Summary:
On NTFS filesystems, each file possesses (at least) two attributes that hold (among other information) Modification, Access, Change and Birth (MACB) timestamps: the $STANDARD_INFORMATION and $FILENAME attributes.

The $STANDARD_INFORMATION and $FILENAME timestamps are not updated in the same way; which ones are updated depends on the operation performed.

Timestomping is the action of modifying the timestamps of a file, generally to evade detection.

Timestomping may be detected using a number of techniques:
- Identifying $STANDARD_INFORMATION timestamps older than $FILENAME timestamps.
- Using UsnJrnl records.
- Identifying $STANDARD_INFORMATION timestamps that are not nanosecond-precise.
- Using MFT entry numbers.

However, each technique is prone to false positives and false negatives.

Location:
A given file may be associated with up to 20 timestamps: $STANDARD_INFORMATION + 2 * $FILENAME + 2 * NTFS $I30 $FILENAME (duplicate $FILENAME attributes for files with both short and long names).

Title: Registry - Timestamp and timestomping
Type: Page
Summary:
The last write / modified timestamp of a registry key is the only generic timestamp available for registry keys and corresponds to the last time a write operation occurred on the key.

There is no last write / modified timestamp for registry values.

Similarly to MFT MACB timestamps, the last write / modified timestamp of a registry key can be timestomped, which is hard to detect without dedicated monitoring tools.

Title: Windows Defender - Quarantine
Type: Page
Summary:
Windows Defender quarantines files that were detected as malicious, storing the full content of the files. It is thus possible to recover the quarantined files for further investigation.

Additionally, Windows Defender stores some metadata on each detection under the "Windows Defender\Quarantine" folder, including the original path of the file, the timestamp of the quarantine, and the associated threat name.

Location:
Quarantined files:
<SYSTEM_DRIVE>\ProgramData\Microsoft\Windows Defender\Quarantine\ResourceData

Metadata on the detections associated with quarantined files:
<SYSTEM_DRIVE>\ProgramData\Microsoft\Windows Defender\Quarantine\Entries

Title: Windows Defender - Support logs
Type: Page
Summary:
Windows Defender stores on disk a number of plain-text log files.

Among these log files, the Microsoft Protection Log (MPLog) includes a number of event types related to past Windows Defender scanning activity and detections.

The MPLog can notably be a source of historical information on:
- Program and suspicious command line executions.
- File existence and access.
- Windows Defender configuration state, detections, and other telemetry.

Location:
Log files, and notably "MPLog-YYMMDD-hhmmss.log", under:

<SYSTEMDRIVE>\ProgramData\Microsoft\Windows Defender\Support