A parser of Windows Defender's DetectionHistory forensic artifact, containing substantial info about quarantined files and executables.

Last update: Oct 30, 2022

Overview

The files parsed by this application may be found on any Windows system, if they exist, under [root]\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory[numbered folder][File GUID]

NOTES

The file header should be of the form: b'0800000008', or else it is not a valid DetectionHistory file.
Immediately following the file header and before the first mention of "Magic Version", the GUID of the file is given in Big-Endian(?) representation, capped off by a b'24' at the end, signaling the end of the GUID and beginning of the DetectionHistory data.
ThreatTrackingStartTime and all other timestamps are in FILETIME structure (UTC)

Ingestinator is my personal VFX pipeline tool for ingesting folders containing frame sequences that have been pulled and downloaded to a local folder

Ingestinator Ingestinator is my personal VFX pipeline tool for ingesting folders containing frame sequences that have been pulled and downloaded to a

2 Nov 18, 2022

Convert a .vcf file to 'aa_table.tsv', including depth & alt frequency info

Produce an 'amino acid table' file from a vcf, including depth and alt frequency info.

1 Oct 16, 2021

Generating rent availability info from Effort rent

Rent-info Generating rent availability info from Effort rent Pre-Installation Latest version of python Pip module json, os, requests, datetime, time i

1 Oct 20, 2021

SimBiber - A tool for simplifying bibtex with official info

SimBiber: A tool for simplifying bibtex with official info. We often need to sim

336 Jan 2, 2023

GDIT: Geometry Dash Info Tool

GDIT: Geometry Dash Info Tool This is the first large script that allows you to quickly get information from the Geometry Dash server

2 Jan 9, 2022

A repository containing useful resources needed to complete the SUSE Scholarship Challenge #UdacitySUSEScholars #poweredbySUSE

SUSE-udacity-cloud-native-scholarship A repository containing useful resources needed to complete the SUSE Scholarship Challenge #UdacitySUSEScholars

11 Dec 2, 2021

This program generates automatically new folders containing old version of program

Automated Folder Versions Generator by Sergiy Grimoldi - V.0.0.2 This program generates automatically new folders containing old version of something

1 Dec 23, 2021

:snake: Complete C99 parser in pure Python

pycparser v2.20 Contents 1 Introduction 1.1 What is pycparser? 1.2 What is it good for? 1.3 Which version of C does pycparser support? 1.4 What gramma

2.8k Dec 29, 2022

A Gura parser implementation for Python

Gura parser This repository contains the implementation of a Gura format parser in Python. Installation pip install gura-parser Usage import gura gur

19 Jan 25, 2022

Comments

Find it frustrating that the documentation doesn't give a single example of a minimal command to try
Based on reading the readme along with the help message that prints when I try to run the exe, I imagine the usage would be something like:

./dhparser.exe -f 'C:\ProgramData\Microsoft\Windows Defender\' -r -o './results.txt'

...if I just want to recursively parse any files in the default directory. But rather, I just get a somewhat unhelpful error message:

usage: dhparser.exe [-h] -f FILE [-g] -o OUTPUT [-r] [-s] [-v] dhparser.exe: error: the following arguments are required: -o/--output

However, I've included the options. I just clearly don't understand how to correctly use them. Maybe I missed something obvious in the documentation, but either way I think it would be better practice to have at least one example of a command to try out the tool.

Edit: That said, thanks for contributing your time toward an open source tool.
opened by jt0dd 5
Create Velociraptor Artifact DefenderDHParser.yaml

This Velociraptor artifact leverages Windows Defender DetectionHistory tool to parse and return the parameters of Windows Defender detections contained in Detection History files.

opened by eduardomcm 1
ERROR: ||[Errno 21] Is a directory

More detail :'/'|| caught in /. Moving on to next file... 1 of 1 DetectionHistory files found were successfully parsed, with output written to "op.txt" in 0.023249847 seconds.

I am getting this error when I try to run the script python3 dhparser.py -f /home/kali/Desktop/0.exe.zip -o op.txt even the output file is not generated
bug

opened by v3daxt 1
Please double check your research findings

From README

The creation of these files is an after-product of Windows Defender's real-time/cloud-delivered protection(RTP) blocking threats such as Potentially Unwanted Applications (PUAs), viruses, worms, trojans, etc.

The files appear to be generated even with cloud-delivered protection turned off.

The file begins with a header, 0x0800000008, taking up the first 5 bytes in every known scenario

There are files under the MputHistory directory that start with the same 5 bytes that contain different information. So it does not look like to be a "signature" (as in something that uniquely identifies the DetectionHistory files)

opened by joachimmetz 3

Releases(v1.0.1)

v1.0.1(Jan 26, 2022)

A release centered around community feedback- fixed bugs, increased user friendliness, and more documentation!
Source code(tar.gz)
Source code(zip)
v1.0(Jan 12, 2022)

Official release of the DetectionHistory Parser, featuring documentation on a brand new artifact, fleshed out features, and multiple options to tailor the experience.
Source code(tar.gz)
Source code(zip)

Owner

Jordan Klepser

Digital Forensics Analyst, Threat Hunter, Machine Learning Enthusiast, Factoid Purveyor

GitHub Repository

Cash in on Expressed Barcode Tags (EBTs) from NGS Sequencing Data with Python

Cash in on Expressed Barcode Tags (EBTs) from NGS Sequencing Data with Python Cashier is a tool developed by Russell Durrett for the analysis and extr

3 Sep 11, 2022

Plock : A stack based programming language

1 Oct 25, 2021

Experimental proxy for dumping the unencrypted packet data from Brawl Stars (WIP)

Brawl Stars Proxy Experimental proxy for version 39.99 of Brawl Stars. It allows you to capture the packets being sent between the Brawl Stars client

4 Oct 29, 2021

Just some mtk tool for exploitation, reading/writing flash and doing crazy stuff

Just some mtk tool for exploitation, reading/writing flash and doing crazy stuff. For linux, a patched kernel is needed (see Setup folder) (except for read/write flash). For windows, you need to inst

1.1k Dec 31, 2022

Credit Card Fraud Detection

Credit Card Fraud Detection For this project, I used the datasets from the kaggle competition called IEEE-CIS Fraud Detection. The competition aims to

4 Jun 21, 2022

Python plugin for Krita that assists with making python plugins for Krita

Krita-PythonPluginDeveloperTools Python plugin for Krita that assists with making python plugins for Krita Introducing Python Plugin developer Tools!

18 Dec 01, 2022

Film-dosimetry - Film dosimetry for DUVS

film-dosimetry Film dosimetry for DUVS Hi David and Joe, here we go this is a te

3 Jan 20, 2022

Audio-analytics for music-producers! Automate tedious tasks such as musical scale detection, BPM rate classification and audio file conversion.

Click here to be re-directed to the Beat Inspect Streamlit Web-App You are a music producer? Let's get in touch via LinkedIn Fundamental Analytics for

11 Dec 27, 2022

A parser of Windows Defender's DetectionHistory forensic artifact, containing substantial info about quarantined files and executables.

Related tags

Overview

You might also like...

Ingestinator is my personal VFX pipeline tool for ingesting folders containing frame sequences that have been pulled and downloaded to a local folder

Convert a .vcf file to 'aa_table.tsv', including depth & alt frequency info

Generating rent availability info from Effort rent

SimBiber - A tool for simplifying bibtex with official info

GDIT: Geometry Dash Info Tool

A repository containing useful resources needed to complete the SUSE Scholarship Challenge #UdacitySUSEScholars #poweredbySUSE

This program generates automatically new folders containing old version of program

:snake: Complete C99 parser in pure Python

A Gura parser implementation for Python

Comments

Find it frustrating that the documentation doesn't give a single example of a minimal command to try

Create Velociraptor Artifact DefenderDHParser.yaml

ERROR: ||[Errno 21] Is a directory

Please double check your research findings

Releases(v1.0.1)

v1.0.1(Jan 26, 2022)

v1.0(Jan 12, 2022)

Owner

Jordan Klepser

Cash in on Expressed Barcode Tags (EBTs) from NGS Sequencing Data with Python

Plock : A stack based programming language

Experimental proxy for dumping the unencrypted packet data from Brawl Stars (WIP)

Just some mtk tool for exploitation, reading/writing flash and doing crazy stuff

Credit Card Fraud Detection

Python plugin for Krita that assists with making python plugins for Krita

Film-dosimetry - Film dosimetry for DUVS

Audio-analytics for music-producers! Automate tedious tasks such as musical scale detection, BPM rate classification and audio file conversion.

A student information management system in Python

A simple python project which control paint brush in microsoft paint app

A Guide for Feature Engineering and Feature Selection, with implementations and examples in Python.

Linux Backlight Manager

Ningyu Jia(nj2459)/Mengyin Ma(mm5937) Call Analysis group project(Group 36)

디텍션 유틸 모음

reproduces experiments from

Sikulix with Ubuntu Calculator Automation

This is some simple code to scrape vistbook's system to get an overview of the different cabins availability.

Mannaggia is a python application to praise or more likely to curse the saints

Ferramenta de monitoramento do risco de colapso no sistema de saúde em municípios brasileiros com a Covid-19.

🛠️ Learn a technology X by doing a project - Search engine of project-based learning