Full Report
Max Groot & Erik Schamper
Source article: Reverse, Reveal, Recover: Windows Defender Quarantine Forensics
Excerpt (introduction): During incident response engagements we often encounter antivirus applications that have rightfully triggered on malicious software that was deployed by threat actors. Most commonly we encounter this for Windows Defender, the antivirus solution that is shipped by default with Microsoft Windows. Windows Defender places malicious files in quarantine …
Analysis Summary
# Tool/Technique: Windows Defender Quarantine Forensics
## Overview
This summary focuses on the forensic artifacts and metadata contained within the Windows Defender quarantine folder, which is created when Windows Defender detects and quarantines malicious software on a Windows system. The research involves reverse engineering `mpengine.dll` to fully document previously undocumented metadata structures (`QuarantineEntryField`) used by Defender for storage and protection of evidence.
## Technical Details
- Type: Technique (Digital Forensics/Incident Response Artifact Analysis)
- Platform: Microsoft Windows
- Capabilities: Recovery of quarantined files, extraction of encrypted metadata (timestamps, detection context), and analysis of NTFS data streams preserved during quarantine.
- First Seen: Research published December 14, 2023 (built upon existing knowledge of Defender's quarantine mechanisms).
## MITRE ATT&CK Mapping
This research is defensive analysis rather than an adversary technique, but the artifacts relate to T1027 (Obfuscated Files or Information) or T1562 (Impair Defenses) where the actor attempted to bypass detection. The forensic analysis relates primarily to **Defense Evasion Discovery** and **Impact Assessment**.
- **TA0005 - Defense Evasion** (In the context of threat actor actions that led to quarantine)
- **T1027** - Obfuscated Files or Information (If the actor attempted to obscure the file before detection)
## Functionality
### Core Capabilities
- Recovery of malicious files placed in quarantine by Windows Defender.
- Decryption of `QuarantineEntry` and `QuarantineEntryResourceData` files using a hardcoded RC4 key found in `mpengine.dll`.
- Extraction of forensic metadata from the `QuarantineEntry`, including timestamps and detection details.
### Advanced Features
- Discovery and documentation of undocumented metadata structures (`QuarantineEntryField`).
- Analysis of how Defender uses the Win32 `BackupRead` API to preserve the NTFS alternate data streams (ADS) of the original file, such as the `Zone.Identifier` stream, alongside its main content.
- Integration of parsing logic into the open-source forensic framework, Dissect, using `dissect.cstruct` for structure definition readability.
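As an added illustration of the `BackupRead` point above (my own code, not from the post or from Dissect), this Python parser walks the `WIN32_STREAM_ID` records that `BackupRead` produces and recovers both the original file body and its `Zone.Identifier` stream. It assumes the caller has already RC4-decrypted a `ResourceData` file and removed Defender's own leading header, which this page does not document; the sample input is constructed.

```python
import struct

# Stream ids from the Win32 WIN32_STREAM_ID structure that BackupRead emits
# (Windows SDK values; only the two record types we keep are named here).
BACKUP_DATA = 1             # the unnamed $DATA stream: the original file contents
BACKUP_ALTERNATE_DATA = 4   # a named alternate data stream such as Zone.Identifier

# dwStreamId, dwStreamAttributes, Size (LARGE_INTEGER), dwStreamNameSize = 20 bytes
_STREAM_HDR = struct.Struct("<IIqI")


def parse_backup_stream(buf: bytes) -> dict:
    """Split a BackupRead byte stream into {stream_name: data}.

    The unnamed $DATA stream is stored under "", alternate data streams under
    the name BackupRead recorded (e.g. ":Zone.Identifier:$DATA"). Other record
    types (security descriptor, EAs, ...) are consumed but dropped.
    """
    streams, off = {}, 0
    while off + _STREAM_HDR.size <= len(buf):
        sid, _attrs, size, name_len = _STREAM_HDR.unpack_from(buf, off)
        off += _STREAM_HDR.size
        name = buf[off:off + name_len].decode("utf-16-le")
        off += name_len
        data = buf[off:off + size]
        if len(data) != size:
            raise ValueError("truncated BackupRead record for %r" % name)
        off += size
        if sid == BACKUP_DATA:
            streams[""] = data
        elif sid == BACKUP_ALTERNATE_DATA:
            streams[name] = data
    return streams


def zone_id(streams: dict):
    """Return the ZoneId from the Zone.Identifier ADS (mark-of-the-web), or None."""
    ads = streams.get(":Zone.Identifier:$DATA")
    for line in (ads or b"").decode("utf-8", "replace").splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "zoneid" and value.strip().isdigit():
            return int(value.strip())
    return None


def _record(sid: int, name: str, data: bytes) -> bytes:
    """Build one WIN32_STREAM_ID record; used only to construct sample input."""
    wname = name.encode("utf-16-le")
    return _STREAM_HDR.pack(sid, 0, len(data), len(wname)) + wname + data


# Constructed sample: a decrypted payload carrying the file body plus its Zone.Identifier ADS.
SAMPLE = (_record(BACKUP_DATA, "", b"MZ\x90\x00constructed-sample-body")
          + _record(BACKUP_ALTERNATE_DATA, ":Zone.Identifier:$DATA",
                    b"[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=http://example.invalid/dl\r\n"))
```

The recovered `ZoneId` (3 = Internet zone) and `HostUrl` give the analyst the download origin of the quarantined file even when browser history is gone.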
## Indicators of Compromise
These are artifacts revealing an interaction with Windows Defender's quarantine system, which implies prior malware execution/detection:
- File Hashes: N/A (The focus is on the forensic process, not specific hashes of malware used.)
- File Names: Files located in or related to the quarantine directories:
- `/ProgramData/Microsoft/Windows Defender/Quarantine/Entries/` (Contains encrypted `QuarantineEntry`)
- `/ProgramData/Microsoft/Windows Defender/Quarantine/ResourceData/` (Contains encrypted malicious file contents)
- Registry Keys: N/A (The main focus is on the file system artifacts.)
- Network Indicators: None directly discovered from the quarantine storage structure itself.
- Behavioral Indicators: Successful detection and placement of a file into the Windows Defender quarantine directory.
## Associated Threat Actors
- Not intrinsically tied to specific threat actors, but this methodology provides DFIR capabilities to analyze the malware deployed by **any threat actor** that triggers Windows Defender.
## Detection Methods
Detection is focused on identifying the artifacts left by Windows Defender itself:
- Signature-based detection: (Not applicable to the forensic methodology, but Defender uses this to flag malware).
- Behavioral detection: Monitoring file write/encryption operations within the Defender quarantine folders, or observing processes accessing/decrypting these files outside of normal system operations.
- YARA rules: Potentially useful for identifying the structure or known header patterns of the encrypted `QuarantineEntry` files if the RC4 key/algorithm is known.
## Mitigation Strategies
The focus here is on preserving the evidence, not preventing the initial detection:
- Prevention: Standard endpoint hardening and signature updates to prevent initial infection.
- Hardening recommendations: Ensuring adequate logging retention, as the quarantine folder often remains intact even if event logs are cleared. Organizations should be aware of the forensic value stored in the Windows Defender quarantine folder.
## Related Tools/Techniques
- **Dissect Framework:** Fox-IT’s tool used to implement the new parsing logic for the quarantine metadata.
- **Cuckoo Sandbox:** Previous research referenced scripts from Cuckoo projects for initial decryption key knowledge.
- **IDA Pro:** Referenced as a tool where the reverse-engineered C structure definitions can be directly imported for further analysis.