Extracts Quarantine Files from Windows Defender.
This artifact decrypts the RC4-encrypted Windows Defender quarantine files and returns information about each one. If a decoded file is a PE, it also parses the PE.
You may also choose to upload the extracted binaries for deeper malware analysis.
name: Windows.Applications.DefenderQuarantineExtract
author: "Eduardo Mattos - @eduardfir, @niicolaa"
description: |
Extracts Quarantine Files from Windows Defender.
This artifact decrypts the RC4-encrypted Windows Defender quarantine files
and returns information about each one. If a decoded file is a PE, it also parses the PE.
You may also choose to upload the extracted binaries for deeper malware analysis.
Note that the decoded payloads are live malware. They are decrypted in memory on the
endpoint and never written to its disk, but enabling UploadDecodedFiles sends them as-is
to the server filestore, where anti-virus on the server host may flag or quarantine them.
reference:
- https://reversingfun.com/posts/how-to-extract-quarantine-files-from-windows-defender
- https://blog.fox-it.com/2023/12/14/reverse-reveal-recover-windows-defender-quarantine-forensics/
- https://artefacts.help/windows_defender_quarantine.html
type: CLIENT
parameters:
- name: TargetGlob
description: Target Files
default: C:/ProgramData/Microsoft/Windows Defender/Quarantine/ResourceData/*/*
- name: UploadDecodedFiles
description: Select to upload the decoded quarantined files (live malware) to the server.
type: bool
- name: DefenderRC4KeyHex
default: "1e87781b8dbaa844ce69702c0c78b786a3f623b738f5edf9af83530fb3fc54faa21eb9cf1331fd0f0da954f687cb9e18279697900e53fb317c9cbce48e23d05371ecc15951b8f3649d7ca33ed68dc9047e82c9baad9799d0d458cb847ca9ffbe3c8a775233557dde13a8b14087cc1bc8f10f6ecdd083a959cff84a9d1d50755e3e191818af23e2293558766d2c07e25712b2ca0b535ed8f6c56ce73d24bdd0291771861a54b4c285a9a3db7aca6d224aeacd621db9f2a22ed1e9e11d75bed7dc0ecb0a8e68a2ff1263408dc808dffd164b116774cd0b9b8d05411ed6262e429ba495676b8398db2f35d3c1b9ced52636f2765e1a95cb7ca4c3ddabddbff38253"
sources:
- query: |
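-- Candidate quarantine containers. The default glob covers
-- ResourceData/<prefix>/<file>; each file is one RC4-encrypted payload
-- wrapped in a small header (layout per the referenced write-ups).
LET Targets = SELECT Mtime, Name, OSPath
FROM glob(globs=TargetGlob)

-- Defender's well-known static quarantine key (documented in the references).
-- It is not a secret; it is a parameter only so it can be overridden.
LET DefenderRC4Key = unhex(string=DefenderRC4KeyHex)

-- Decrypt each container in memory. Nothing is written to the endpoint's
-- disk: the ciphertext is read into a string and the plaintext lives in
-- `Plain`, which every later stage consumes through the "data" accessor.
LET Decrypted = SELECT Name, OSPath, Mtime,
    read_file(
        filename=crypto_rc4(
            key=DefenderRC4Key,
            string=read_file(filename=OSPath, accessor="file")),
        accessor="data") AS Plain
FROM Targets

-- Layout of the decrypted container (offsets taken from the references):
--   0x08          uint32  SDLen     length of the embedded security descriptor
--   0x1C + SDLen  uint64  MalLen    length of the quarantined file
--   0x28 + SDLen          HeaderLen start of the quarantined file
-- DecodedFile is the original malicious content; UnparsedFooter is whatever
-- follows it and is returned raw for the analyst. MalLen comes from the
-- container itself, so read_file simply truncates if it overstates the size.
LET Profile <= '''
[
  ["Root", 0, [
    ["SDLen", 8, "uint32"],
    ["HeaderLen", 0, "Value", {"value": "x=>0x28 + x.SDLen"}],
    ["MalLen", "x=>x.SDLen + 0x1C", "uint64"],
    ["DecodedFile", 0, "Value", {
      "value": "x=>read_file(filename=Plain, accessor='data', offset=x.HeaderLen, length=x.MalLen)"
    }],
    ["UnparsedFooter", 0, "Value", {
      "value": "x=>read_file(filename=Plain, accessor='data', offset=x.HeaderLen + x.MalLen)"
    }]
  ]]
]'''

-- Deliberately not materialized (`=` rather than `<=`): Trimmed is consumed
-- exactly once below, so rows stream through the final SELECT instead of
-- every decrypted payload being held in memory at the same time.
LET Trimmed = SELECT Name, OSPath, Mtime, Plain,
    parse_binary(
        filename=Plain,
        accessor="data",
        profile=Profile,
        struct="Root") AS Parsed
FROM Decrypted

-- One output row per quarantined file. All inspection runs against the
-- in-memory DecodedFile via the "data" accessor.
SELECT
    magic(path=Parsed.DecodedFile, accessor="data") AS Magic,
    hash(path=Parsed.DecodedFile, accessor="data") AS Hash,
    Name,
    OSPath,
    Mtime,
    Parsed.MalLen AS MalfileLen,
    Parsed.UnparsedFooter AS UnparsedFooter,
    parse_pe(file=Parsed.DecodedFile, accessor="data") AS ParsedPE,
    -- Upload is per row: `if()` evaluates `then` lazily, so upload() only
    -- runs when UploadDecodedFiles is set, and only for this row's file.
    -- (Wrapping it in `SELECT upload(...) FROM Trimmed` instead would re-walk
    -- every row of Trimmed for each output row and attach all of their upload
    -- records to every row.) The .bin suffix keeps the server-side copy from
    -- carrying an executable extension, but it is still live malware.
    if(condition=UploadDecodedFiles,
       then=upload(
           file=Parsed.DecodedFile,
           accessor="data",
           name=Name + "_Defender_Quarantine_Extract.bin")) AS Upload
FROM Trimmed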