Windows Defender places malicious files into quarantine upon detection.
Fox-IT's open-source digital forensics and incident response framework Dissect can now recover this metadata, in addition to recovering quarantined files from the Windows Defender quarantine folder.
Windows Defender places malicious files in quarantine upon detection, so that the end user may decide to recover the file or delete it permanently.
First of all, it can reveal information about timestamps, locations and signatures of files that were detected by Windows Defender.
As the entire file is quarantined, it is possible to recover files from quarantine for further reverse engineering and analysis.
While scripts already exist to recover files from the Defender quarantine folder, the purpose of much of the contents of this folder was previously unknown.
The most extensive documentation we could find on the structures of Windows Defender quarantine files was Florian Bauchs' whitepaper analyzing antivirus software quarantine files, but we also looked at several scripts on GitHub.
In summary, whenever Defender puts a file into quarantine, it does three things. A bunch of metadata pertaining to when, why and how the file was quarantined is held in a QuarantineEntry file.
Both from previous research as well as from our own findings during reverse engineering, it appears this file contains no information that cannot be obtained from the QuarantineEntry and the QuarantineEntryResourceData files.
While previous scripts are able to recover some properties from the ResourceData and QuarantineEntry files, large segments of data were left unparsed, which gave us a hunch that additional forensic artefacts were yet to be discovered.
Windows Defender encrypts both the QuarantineEntry and the ResourceData files using a hardcoded RC4 key defined in mpengine.dll. Loading mpengine.dll into IDA lets us review further how Windows Defender places a file into quarantine.
Two files were simultaneously quarantined by Windows Defender.
This is not always the case: for example, if one unpacks a ZIP folder that contains multiple malicious files, Windows Defender might place them all into quarantine.
We do not want just the metadata: we want to recover the quarantined files as well.
We can now correctly parse QuarantineEntry files, so it is time to turn our attention to the QuarantineEntryResourceData file.
This file contains the RC4-encrypted contents of the file that has been placed into quarantine.
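As an added example that is not code from the Fox-IT post or from Dissect, the following Python decrypts a QuarantineEntry or ResourceData file with RC4. The hardcoded key from mpengine.dll is not reproduced on this page, so DEFENDER_RC4_KEY is a placeholder that must be replaced with the key recovered from the binary:

```python
"""Added example (not Dissect's or Fox-IT's code): RC4 decryption of a
Windows Defender quarantine artefact (QuarantineEntry or ResourceData)."""
from pathlib import Path

# Placeholder only: substitute the hardcoded key extracted from mpengine.dll.
DEFENDER_RC4_KEY = b"<replace-with-key-from-mpengine.dll>"


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm: permute the state array S using the key.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm: XOR each data byte with keystream.
    out = bytearray(len(data))
    i = j = 0
    for n, byte in enumerate(data):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out[n] = byte ^ s[(s[i] + s[j]) & 0xFF]
    return bytes(out)


def decrypt_quarantine_artefact(path: Path, key: bytes = DEFENDER_RC4_KEY) -> bytes:
    """Read a QuarantineEntry or ResourceData file and return its RC4-decrypted bytes."""
    return rc4_crypt(key, path.read_bytes())


if __name__ == "__main__":
    import sys

    # Usage: python decrypt_quarantine.py <QuarantineEntry-or-ResourceData file>...
    for arg in sys.argv[1:]:
        plain = decrypt_quarantine_artefact(Path(arg))
        print(f"{arg}: {len(plain)} decrypted bytes, header {plain[:16].hex()}")
```

The decrypted ResourceData still has to be parsed with the structure definitions described in the post before the original file contents can be carved out.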
Let's start by letting Windows Defender quarantine a Mimikatz executable and reviewing its output files in the quarantine folder.
We now have all structure definitions that we need to recover all metadata and quarantined files from the quarantine folder.
By reverse engineering mpengine.dll, we were able to further understand how Windows Defender places detected files into quarantine.
This Cyber News was published on blog.fox-it.com. Publication date: Thu, 14 Dec 2023 05:43:38 +0000