Full Report
Max Groot & Erik Schamper, "Reverse, Reveal, Recover: Windows Defender Quarantine Forensics" (introduction excerpt):
During incident response engagements we often encounter antivirus applications that have rightfully triggered on malicious software that was deployed by threat actors. Most commonly we encounter this for Windows Defender, the antivirus solution that is shipped by default with Microsoft Windows. Windows Defender places malicious files in quarantine …
Analysis Summary
# Tool/Technique: Windows Defender Quarantine Forensics
## Overview
This technique involves the forensic analysis and recovery of malicious files and associated metadata from the Windows Defender quarantine system. By reverse engineering `mpengine.dll`, researchers identified undocumented structures that store critical incident response data, such as original file timestamps, security descriptors, and Zone Identifiers (Mark-of-the-Web).
## Technical Details
- **Type**: Forensic Technique / Reverse Engineering
- **Platform**: Windows (specifically environments utilizing Microsoft Defender Antivirus)
- **Capabilities**:
  - Decryption of RC4-protected quarantine files.
  - Recovery of original malicious binaries.
  - Extraction of file metadata (Creation, Access, and Modified timestamps).
  - Recovery of NTFS Alternate Data Streams (ADS) including `Zone.Identifier`.
  - Reconstruction of security descriptors.
- **First Seen**: Research published December 14, 2023 (methodologies evolved from earlier research dating back to Cuckoo Sandbox in 2013).
## MITRE ATT&CK Mapping
- **[TA0007 - Discovery]**
  - [T1083 - File and Directory Discovery]: Used by analysts to find what the adversary placed on the system.
- **[TA0009 - Collection]**
  - [T1005 - Data from Local System]: Extracting quarantined artifacts for evidence.
- **[TA0005 - Defense Evasion]**
  - [T1562.001 - Impair Defenses: Disable or Modify Tools]: Contextual relevance, as actors often attempt to clear these folders or disable Defender to avoid leaving this forensic trail.
## Functionality
### Core Capabilities
- **Quarantine Entry Parsing**: Decrypts files in the `/Quarantine/Entries` folder to reveal why and when a file was flagged.
- **Resource Recovery**: Decrypts and restores the original malicious payload from the `/Quarantine/ResourceData` folder.
- **RC4 Decryption**: Utilizes a hardcoded key found within `mpengine.dll` to unlock stored data.
### Advanced Features
- **NTFS Stream Preservation**: Identifies that Defender uses the `BackupRead` API to preserve various NTFS data streams, allowing analysts to see the source of a download (e.g., via `Zone.Identifier`).
- **Metadata Reconstruction**: Parsers can now extract specific `QuarantineEntryResourceField` data that was previously ignored by older tools, providing a more complete timeline of the infection.
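The two mechanisms above (RC4 decryption of the stored data, and BackupRead-style stream preservation that carries `Zone.Identifier` along with the file) are illustrated in the added Python example below. This is illustrative code written for this summary, not Fox-IT's tooling or `dissect.target`: it assumes the documented Win32 `WIN32_STREAM_ID` layout that `BackupRead` emits (20-byte header, UTF-16 stream name, then the stream bytes), uses a placeholder RC4 key (the real key has to come from `mpengine.dll`), and does not reproduce Defender's own container header or the `Entries` format.

```python
import struct
BACKUP_DATA, BACKUP_ALTERNATE_DATA = 1, 4  # WIN32_STREAM_ID.dwStreamId values from the Win32 SDK

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); symmetric, so it both encrypts and decrypts."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def parse_backup_streams(buf: bytes) -> list:
    """Walk a BackupRead buffer: 20-byte WIN32_STREAM_ID header, UTF-16 name, then Size bytes of data."""
    streams, off = [], 0
    while off + 20 <= len(buf):
        sid, _attrs, size, name_len = struct.unpack_from("<IIQI", buf, off)
        off += 20
        name = buf[off:off + name_len].decode("utf-16-le")
        off += name_len
        if off + size > len(buf):
            raise ValueError("truncated stream at offset %d" % off)
        streams.append((sid, name, buf[off:off + size]))
        off += size
    return streams

def recover(enc: bytes, key: bytes) -> dict:
    """Decrypt a quarantined stream buffer and split it into the main data stream and any ADS."""
    result = {"data": b"", "ads": {}}
    for sid, name, data in parse_backup_streams(rc4(key, enc)):
        if sid == BACKUP_DATA:
            result["data"] = data
        elif sid == BACKUP_ALTERNATE_DATA:
            result["ads"][name] = data
    return result

def build_stream(sid: int, name: str, data: bytes) -> bytes:
    n = name.encode("utf-16-le")
    return struct.pack("<IIQI", sid, 0, len(data), len(n)) + n + data

# Constructed sample: a fake PE plus its Zone.Identifier ADS as BackupRead lays them out,
# RC4-encrypted with a placeholder key (the real key must be extracted from mpengine.dll).
SAMPLE_KEY = bytes(range(16))
SAMPLE_PLAIN = (build_stream(BACKUP_DATA, "", b"MZ\x90\x00constructed-sample-body")
                + build_stream(BACKUP_ALTERNATE_DATA, ":Zone.Identifier:$DATA",
                               b"[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/x.exe\r\n"))
SAMPLE_ENC = rc4(SAMPLE_KEY, SAMPLE_PLAIN)
```

`recover(SAMPLE_ENC, SAMPLE_KEY)` returns the original file bytes under `"data"` and the `Zone.Identifier` contents (including the download `HostUrl`) under `"ads"`; a truncated buffer raises instead of silently returning a partial file.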
## Indicators of Compromise
*Note: This article focuses on the forensic tool/technique rather than a specific malware sample; however, the following are locations where indicators are found:*
- **File Paths**:
  - `C:\ProgramData\Microsoft\Windows Defender\Quarantine\Entries`
  - `C:\ProgramData\Microsoft\Windows Defender\Quarantine\ResourceData`
  - `C:\ProgramData\Microsoft\Windows Defender\Quarantine\Resource`
- **Behavioral Indicators**: Attempts by a process to delete files within these specific directories or the termination of the Windows Defender Service (`WinDefend`).
## Associated Threat Actors
- Used by **Forensic Analysts and Incident Responders** (e.g., Fox-IT/Fox-SRT) to investigate attacks from various threat actors who fail to successfully bypass or disable Windows Defender.
## Detection Methods
- **Tooling**: Use the **Dissect framework** (specifically `dissect.target` versions 3.4+) to automatically parse and recover quarantine items.
- **Manual Analysis**: IDA Pro can be used to analyze `mpengine.dll` using C-like structure definitions (`dissect.cstruct`) provided by the researchers.
## Mitigation Strategies
- **Log Retention**: Ensure Windows Event Logs (specifically Defender operational logs) are forwarded to a SIEM, as threat actors often delete local logs even if they leave the quarantine folder intact.
- **Tamper Protection**: Enable Windows Defender Tamper Protection to prevent threat actors from disabling the antivirus or clearing the quarantine via unauthorized scripts.
## Related Tools/Techniques
- **Dissect Framework**: An open-source DFIR framework that implements these parsing capabilities.
- **Defender-dump**: An earlier Python script for basic quarantine extraction.
- **Cuckoo Sandbox**: Originator of the initial RC4 key discovery for Defender quarantine.
- **BackupRead/BackupWrite API**: The underlying Windows mechanism used to preserve file streams in quarantine.