A parser of Windows Defender's DetectionHistory forensic artifact, containing substantial info about quarantined files and executables.

Last update: Oct 30, 2022

Overview

The files parsed by this application may be found on any Windows system, if they exist, under [root]\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory[numbered folder][File GUID]

NOTES

The file header should be of the form: b'0800000008', or else it is not a valid DetectionHistory file.
Immediately following the file header and before the first mention of "Magic Version", the GUID of the file is given in Big-Endian(?) representation, capped off by a b'24' at the end, signaling the end of the GUID and beginning of the DetectionHistory data.
ThreatTrackingStartTime and all other timestamps are in FILETIME structure (UTC)

Ingestinator is my personal VFX pipeline tool for ingesting folders containing frame sequences that have been pulled and downloaded to a local folder

Ingestinator Ingestinator is my personal VFX pipeline tool for ingesting folders containing frame sequences that have been pulled and downloaded to a

2 Nov 18, 2022

Convert a .vcf file to 'aa_table.tsv', including depth & alt frequency info

Produce an 'amino acid table' file from a vcf, including depth and alt frequency info.

1 Oct 16, 2021

Generating rent availability info from Effort rent

Rent-info Generating rent availability info from Effort rent Pre-Installation Latest version of python Pip module json, os, requests, datetime, time i

1 Oct 20, 2021

SimBiber - A tool for simplifying bibtex with official info

SimBiber: A tool for simplifying bibtex with official info. We often need to sim

336 Jan 2, 2023

GDIT: Geometry Dash Info Tool

GDIT: Geometry Dash Info Tool This is the first large script that allows you to quickly get information from the Geometry Dash server

2 Jan 9, 2022

A repository containing useful resources needed to complete the SUSE Scholarship Challenge #UdacitySUSEScholars #poweredbySUSE

SUSE-udacity-cloud-native-scholarship A repository containing useful resources needed to complete the SUSE Scholarship Challenge #UdacitySUSEScholars

11 Dec 2, 2021

This program generates automatically new folders containing old version of program

Automated Folder Versions Generator by Sergiy Grimoldi - V.0.0.2 This program generates automatically new folders containing old version of something

1 Dec 23, 2021

:snake: Complete C99 parser in pure Python

pycparser v2.20 Contents 1 Introduction 1.1 What is pycparser? 1.2 What is it good for? 1.3 Which version of C does pycparser support? 1.4 What gramma

2.8k Dec 29, 2022

A Gura parser implementation for Python

Gura parser This repository contains the implementation of a Gura format parser in Python. Installation pip install gura-parser Usage import gura gur

19 Jan 25, 2022

Comments

Find it frustrating that the documentation doesn't give a single example of a minimal command to try
Based on reading the readme along with the help message that prints when I try to run the exe, I imagine the usage would be something like:

./dhparser.exe -f 'C:\ProgramData\Microsoft\Windows Defender\' -r -o './results.txt'

...if I just want to recursively parse any files in the default directory. But rather, I just get a somewhat unhelpful error message:

usage: dhparser.exe [-h] -f FILE [-g] -o OUTPUT [-r] [-s] [-v] dhparser.exe: error: the following arguments are required: -o/--output

However, I've included the options. I just clearly don't understand how to correctly use them. Maybe I missed something obvious in the documentation, but either way I think it would be better practice to have at least one example of a command to try out the tool.

Edit: That said, thanks for contributing your time toward an open source tool.
opened by jt0dd 5
Create Velociraptor Artifact DefenderDHParser.yaml

This Velociraptor artifact leverages Windows Defender DetectionHistory tool to parse and return the parameters of Windows Defender detections contained in Detection History files.

opened by eduardomcm 1
ERROR: ||[Errno 21] Is a directory

More detail :'/'|| caught in /. Moving on to next file... 1 of 1 DetectionHistory files found were successfully parsed, with output written to "op.txt" in 0.023249847 seconds.

I am getting this error when I try to run the script python3 dhparser.py -f /home/kali/Desktop/0.exe.zip -o op.txt even the output file is not generated
bug

opened by v3daxt 1
Please double check your research findings

From README

The creation of these files is an after-product of Windows Defender's real-time/cloud-delivered protection(RTP) blocking threats such as Potentially Unwanted Applications (PUAs), viruses, worms, trojans, etc.

The files appear to be generated even with cloud-delivered protection turned off.

The file begins with a header, 0x0800000008, taking up the first 5 bytes in every known scenario

There are files under the MputHistory directory that start with the same 5 bytes that contain different information. So it does not look like to be a "signature" (as in something that uniquely identifies the DetectionHistory files)

opened by joachimmetz 3

Releases(v1.0.1)

v1.0.1(Jan 26, 2022)

A release centered around community feedback- fixed bugs, increased user friendliness, and more documentation!
Source code(tar.gz)
Source code(zip)
v1.0(Jan 12, 2022)

Official release of the DetectionHistory Parser, featuring documentation on a brand new artifact, fleshed out features, and multiple options to tailor the experience.
Source code(tar.gz)
Source code(zip)

Owner

Jordan Klepser

Digital Forensics Analyst, Threat Hunter, Machine Learning Enthusiast, Factoid Purveyor

GitHub Repository

Wrappers around the most common maya.cmds and maya.api use cases

Maya FunctionSet (maya_fn) A package that decompose core maya.cmds and maya.api features to a set of simple functions. Tests The recommended approach

9 Mar 12, 2022

Feapder的管道扩展

FEAPDER 管道扩展简介此模块为feapder的pipelines扩展，感谢广大开发者对feapder的贡献随着feapder支持的pipelines越来越多，为减少feapder的体积，特将pipelines提出，使用者可按需安装管道 PostgreSQL 贡献者：沈瑞祥联系方式：r

9 Dec 07, 2022

personal dotfiles for rolling release linux distros

dotfiles Screenshots: Directions: Deploy my dotfiles with yadm Packages from arch listed in .installed-packages Information on osu! see ~/Games/osu!/.

0 Sep 18, 2022

Script em python, utilizando PySimpleGUI, para a geração de arquivo txt a ser importado no sistema de Bilhetagem Eletrônica da RioCard, no Estado do Rio de Janeiro.

pedido-vt-riocard Script em python, utilizando PySimpleGUI, para a geração de arquivo txt a ser importado no sistema de Bilhetagem Eletrônica da RioCa

1 Dec 01, 2021

Convert temps in your Alfred search bar

Alfred Temp Converter Convert temps in your Alfred search bar. Download Here Usage: temp 100f converts to Celsius, Kelvin, and Rankine. temp 100c conv

4 Apr 11, 2022

Esercizi di Python svolti per il biennio di Tecnologie Informatiche.

Esercizi di Python Un piccolo aiuto per Sofia che nel 2° quadrimestre inizierà Python :) Questo repository (termine tecnico di Git) puoi trovare tutti

2 Nov 07, 2022

A python package template that can be adapted for RAP projects

Warning - this repository is a snapshot of a repository internal to NHS Digital. This means that links to videos and some URLs may not work. Repositor

3 Nov 08, 2022

A Python3 script to decode an encoded VBScript file, often seen with a .vbe file extension

vbe-decoder.py Decode one or multiple encoded VBScript files, often seen with a .vbe file extension. Usage usage: vbe-decoder.py [-h] [-o output] file

147 Nov 15, 2022

a url shortener with fastapi and tortoise-orm

fastapi-tortoise-orm-url-shortener a url shortener with fastapi and tortoise-orm

19 Aug 12, 2022

A python implementation of differentiable quality diversity.

Differentiable Quality Diversity This repository is the official implementation of Differentiable Quality Diversity.

41 Nov 30, 2022

Android Blobs Organizer

96 Jan 02, 2023

Pixelarticons - Pixel Art Icons made simple for Flutter, powered by pixelarticons and fontify

16 Dec 12, 2022

Shows a pixel art of any Pokémon in your terminal!

pokemon-icat This script is inspired by this project, but since the output heavily depends on the font of your terminal, i decided to make a script th

52 Dec 22, 2022

Transform a Google Drive server into a VFX pipeline ready server

Google Drive VFX Server VFX Pipeline About The Project Quick tutorial to setup a Google Drive Server for multiple machines access, and VFX Pipeline on

17 Jun 27, 2022

A functional standard library for Python.

Toolz A set of utility functions for iterators, functions, and dictionaries. See the PyToolz documentation at https://toolz.readthedocs.io LICENSE New

4.1k Jan 04, 2023

Цифрова збрoя проти xуйлoвської пропаганди.

Паляниця Цифрова зброя проти xуйлoвської пропаганди. Щоб негайно почати шкварити рашистські сайти – мерщій у швидкий старт! ⚡️ А коли ворожі сервери в

8 Mar 22, 2022

Project Interface For nextcord-ext

1 Nov 13, 2021

The purpose is to have a fairly simple python assignment that introduces the basic features and tools of python

This repository contains the code for the python introduction lab. The purpose is to have a fairly simple python assignment that introduces the basic

1 Jan 24, 2022

Manually Install Python 2.7 pip without any problem !

Python2.7_install_pip Manually Install Python 2.7 pip without any problem ! Download installPip.py to your system and Run the code using this Command

1 Dec 09, 2021

tgEasy | Easy for a Brighter Shine | Monkey Patcher Addon for Pyrogram

35 Nov 12, 2022