dissect.target 3.18.dev9__py3-none-any.whl → 3.18.dev10__py3-none-any.whl

dissect/target/plugins/os/windows/defender.py

@@ -1,7 +1,10 @@
+from __future__ import annotations
+
+import re
 from datetime import datetime, timezone
 from io import BytesIO
 from pathlib import Path
-from typing import Any, BinaryIO, Generator, Iterable, Iterator, Union
+from typing import Any, BinaryIO, Generator, Iterable, Iterator, TextIO, Union
 
 import dissect.util.ts as ts
 from dissect.cstruct import Structure, cstruct
@@ -10,6 +13,27 @@ from flow.record import Record
 from dissect.target import plugin
 from dissect.target.exceptions import UnsupportedPluginError
 from dissect.target.helpers.record import TargetRecordDescriptor
+from dissect.target.plugins.os.windows.defender_helpers.defender_patterns import (
+    DEFENDER_MPLOG_BLOCK_PATTERNS,
+    DEFENDER_MPLOG_LINE,
+    DEFENDER_MPLOG_PATTERNS,
+)
+from dissect.target.plugins.os.windows.defender_helpers.defender_records import (
+    DefenderMPLogBMTelemetryRecord,
+    DefenderMPLogDetectionAddRecord,
+    DefenderMPLogDetectionEventRecord,
+    DefenderMPLogEMSRecord,
+    DefenderMPLogExclusionRecord,
+    DefenderMPLogLowfiRecord,
+    DefenderMPLogMinFilBlockedFileRecord,
+    DefenderMPLogMinFilUSSRecord,
+    DefenderMPLogOriginalFileNameRecord,
+    DefenderMPLogProcessImageRecord,
+    DefenderMPLogResourceScanRecord,
+    DefenderMPLogRTPRecord,
+    DefenderMPLogThreatActionRecord,
+    DefenderMPLogThreatRecord,
+)
 
 DEFENDER_EVTX_FIELDS = [
     ("datetime", "ts"),
@@ -73,6 +97,7 @@ DEFENDER_LOG_FILENAME_GLOB = "Microsoft-Windows-Windows Defender*"
 EVTX_PROVIDER_NAME = "Microsoft-Windows-Windows Defender"
 
 DEFENDER_QUARANTINE_DIR = "sysvol/programdata/microsoft/windows defender/quarantine"
+DEFENDER_MPLOG_DIR = "sysvol/programdata/microsoft/windows defender/support"
 DEFENDER_KNOWN_DETECTION_TYPES = [b"internalbehavior", b"regkey", b"runkey"]
 
 DEFENDER_EXCLUSION_KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions"
@@ -494,6 +519,198 @@ class MicrosoftDefenderPlugin(plugin.Plugin):
                         value=exclusion_value,
                     )
 
+    def _mplog_processimage(self, data: dict) -> Iterator[DefenderMPLogProcessImageRecord]:
+        yield DefenderMPLogProcessImageRecord(**data)
+
+    def _mplog_minfiluss(self, data: dict) -> Iterator[DefenderMPLogMinFilUSSRecord]:
+        yield DefenderMPLogMinFilUSSRecord(**data)
+
+    def _mplog_blockedfile(self, data: dict) -> Iterator[DefenderMPLogMinFilBlockedFileRecord]:
+        yield DefenderMPLogMinFilBlockedFileRecord(**data)
+
+    def _mplog_bmtelemetry(self, data: dict) -> Iterator[DefenderMPLogBMTelemetryRecord]:
+        data["ts"] = datetime.strptime(data["ts"], "%m-%d-%Y %H:%M:%S")
+        yield DefenderMPLogBMTelemetryRecord(**data)
+
+    def _mplog_ems(self, data: dict) -> Iterator[DefenderMPLogEMSRecord]:
+        yield DefenderMPLogEMSRecord(**data)
+
+    def _mplog_originalfilename(self, data: dict) -> Iterator[DefenderMPLogOriginalFileNameRecord]:
+        yield DefenderMPLogOriginalFileNameRecord(**data)
+
+    def _mplog_exclusion(self, data: dict) -> Iterator[DefenderMPLogExclusionRecord]:
+        yield DefenderMPLogExclusionRecord(**data)
+
+    def _mplog_lowfi(self, data: dict) -> Iterator[DefenderMPLogLowfiRecord]:
+        yield DefenderMPLogLowfiRecord(**data)
+
+    def _mplog_detectionadd(self, data: dict) -> Iterator[DefenderMPLogDetectionAddRecord]:
+        yield DefenderMPLogDetectionAddRecord(**data)
+
+    def _mplog_threat(self, data: dict) -> Iterator[DefenderMPLogThreatRecord]:
+        yield DefenderMPLogThreatRecord(**data)
+
+    def _mplog_resourcescan(self, data: dict) -> Iterator[DefenderMPLogResourceScanRecord]:
+        data["start_time"] = datetime.strptime(data["start_time"], "%m-%d-%Y %H:%M:%S")
+        data["end_time"] = datetime.strptime(data["end_time"], "%m-%d-%Y %H:%M:%S")
+        data["ts"] = data["start_time"]
+        rest = data.pop("rest")
+        yield DefenderMPLogResourceScanRecord(
+            threats=re.findall("Threat Name:([^\n]+)", rest),
+            resources=re.findall("Resource Path:([^\n]+)", rest),
+            **data,
+        )
+
+    def _mplog_threataction(self, data: dict) -> Iterator[DefenderMPLogThreatActionRecord]:
+        data["ts"] = datetime.strptime(data["ts"], "%m-%d-%Y %H:%M:%S")
+        rest = data.pop("rest")
+        yield DefenderMPLogThreatActionRecord(
+            threats=re.findall("Threat Name:([^\n]+)", rest),
+            resources=re.findall("(?:Path|File Name):([^\n]+)", rest),
+            actions=re.findall("Action:([^\n]+)", rest),
+            **data,
+        )
+
+    def _mplog_rtp_log(self, data: dict) -> Iterator[DefenderMPLogRTPRecord]:
+        times = {}
+        for dtkey in ["ts", "last_perf", "first_rtp_scan"]:
+            try:
+                times[dtkey] = datetime.strptime(data[dtkey], "%m-%d-%Y %H:%M:%S")
+            except ValueError:
+                pass
+
+        yield DefenderMPLogRTPRecord(
+            _target=self.target,
+            source_log=data["source_log"],
+            **times,
+            plugin_states=re.findall(r"^\s+(.*)$", data["plugin_states"])[0],
+            process_exclusions=re.findall(DEFENDER_MPLOG_LINE, data["process_exclusions"]),
+            path_exclusions=re.findall(DEFENDER_MPLOG_LINE, data["path_exclusions"]),
+            ext_exclusions=re.findall(DEFENDER_MPLOG_LINE, data["ext_exclusions"]),
+        )
+
+    def _mplog_detectionevent(self, data: dict) -> Iterator[DefenderMPLogDetectionEventRecord]:
+        yield DefenderMPLogDetectionEventRecord(**data)
+
+    def _mplog_line(
+        self, mplog_line: str, source: Path
+    ) -> Iterator[
+        DefenderMPLogProcessImageRecord
+        | DefenderMPLogMinFilUSSRecord
+        | DefenderMPLogMinFilBlockedFileRecord
+        | DefenderMPLogEMSRecord
+        | DefenderMPLogOriginalFileNameRecord
+        | DefenderMPLogExclusionRecord
+        | DefenderMPLogLowfiRecord
+        | DefenderMPLogDetectionAddRecord
+        | DefenderMPLogThreatRecord
+        | DefenderMPLogDetectionEventRecord
+    ]:
+        for pattern, record in DEFENDER_MPLOG_PATTERNS:
+            if match := pattern.match(mplog_line):
+                data = match.groupdict()
+                data["_target"] = self.target
+                data["source_log"] = source
+                yield from getattr(self, f"_mplog_{record.name.split('/')[-1:][0]}")(data)
+
+    def _mplog_block(
+        self, mplog_line: str, mplog: TextIO, source: Path
+    ) -> Iterator[DefenderMPLogResourceScanRecord | DefenderMPLogThreatActionRecord | DefenderMPLogRTPRecord]:
+        block = ""
+        for prefix, suffix, pattern, record in DEFENDER_MPLOG_BLOCK_PATTERNS:
+            if prefix.search(mplog_line):
+                block += mplog_line
+                break
+        if block:
+            while mplog_line := mplog.readline():
+                block += mplog_line
+                if suffix.search(mplog_line):
+                    break
+            match = pattern.match(block)
+            data = match.groupdict()
+            data["_target"] = self.target
+            data["source_log"] = source
+            yield from getattr(self, f"_mplog_{record.name.split('/')[-1:][0]}")(data)
+
+    def _mplog(
+        self, mplog: TextIO, source: Path
+    ) -> Iterator[
+        DefenderMPLogProcessImageRecord
+        | DefenderMPLogMinFilUSSRecord
+        | DefenderMPLogMinFilBlockedFileRecord
+        | DefenderMPLogBMTelemetryRecord
+        | DefenderMPLogEMSRecord
+        | DefenderMPLogOriginalFileNameRecord
+        | DefenderMPLogExclusionRecord
+        | DefenderMPLogLowfiRecord
+        | DefenderMPLogDetectionAddRecord
+        | DefenderMPLogThreatRecord
+        | DefenderMPLogDetectionEventRecord
+        | DefenderMPLogResourceScanRecord
+        | DefenderMPLogThreatActionRecord
+        | DefenderMPLogRTPRecord
+    ]:
+        while mplog_line := mplog.readline():
+            yield from self._mplog_line(mplog_line, source)
+            yield from self._mplog_block(mplog_line, mplog, source)
+
+    @plugin.export(
+        record=[
+            DefenderMPLogProcessImageRecord,
+            DefenderMPLogMinFilUSSRecord,
+            DefenderMPLogMinFilBlockedFileRecord,
+            DefenderMPLogBMTelemetryRecord,
+            DefenderMPLogEMSRecord,
+            DefenderMPLogOriginalFileNameRecord,
+            DefenderMPLogExclusionRecord,
+            DefenderMPLogLowfiRecord,
+            DefenderMPLogDetectionAddRecord,
+            DefenderMPLogThreatRecord,
+            DefenderMPLogDetectionEventRecord,
+            DefenderMPLogResourceScanRecord,
+            DefenderMPLogThreatActionRecord,
+            DefenderMPLogRTPRecord,
+        ]
+    )
+    def mplog(
+        self,
+    ) -> Iterator[
+        DefenderMPLogProcessImageRecord
+        | DefenderMPLogMinFilUSSRecord
+        | DefenderMPLogMinFilBlockedFileRecord
+        | DefenderMPLogBMTelemetryRecord
+        | DefenderMPLogEMSRecord
+        | DefenderMPLogOriginalFileNameRecord
+        | DefenderMPLogExclusionRecord
+        | DefenderMPLogLowfiRecord
+        | DefenderMPLogDetectionAddRecord
+        | DefenderMPLogThreatRecord
+        | DefenderMPLogDetectionEventRecord
+        | DefenderMPLogResourceScanRecord
+        | DefenderMPLogThreatActionRecord
+        | DefenderMPLogRTPRecord
+    ]:
+        """Return the contents of the Defender MPLog file.
+
+        References:
+            - https://www.crowdstrike.com/blog/how-to-use-microsoft-protection-logging-for-forensic-investigations/
+            - https://www.intrinsec.com/hunt-mplogs/
+            - https://github.com/Intrinsec/mplog_parser
+        """
+        mplog_directory = self.target.fs.path(DEFENDER_MPLOG_DIR)
+
+        if not (mplog_directory.exists() and mplog_directory.is_dir()):
+            return
+
+        for mplog_file in mplog_directory.glob("MPLog-*"):
+            for encoding in ["UTF-16", "UTF-8"]:
+                try:
+                    with mplog_file.open("rt", encoding=encoding) as mplog:
+                        yield from self._mplog(mplog, self.target.fs.path(mplog_file))
+                    break
+                except UnicodeError:
+                    continue
+
     @plugin.arg(
         "--output",
         "-o",

dissect/target/plugins/os/windows/defender_helpers/defender_patterns.py

@@ -0,0 +1,282 @@
+import re
+
+from dissect.target.plugins.os.windows.defender_helpers.defender_records import (
+    DefenderMPLogBMTelemetryRecord,
+    DefenderMPLogDetectionAddRecord,
+    DefenderMPLogDetectionEventRecord,
+    DefenderMPLogEMSRecord,
+    DefenderMPLogExclusionRecord,
+    DefenderMPLogLowfiRecord,
+    DefenderMPLogMinFilBlockedFileRecord,
+    DefenderMPLogMinFilUSSRecord,
+    DefenderMPLogOriginalFileNameRecord,
+    DefenderMPLogProcessImageRecord,
+    DefenderMPLogResourceScanRecord,
+    DefenderMPLogRTPRecord,
+    DefenderMPLogThreatActionRecord,
+    DefenderMPLogThreatRecord,
+)
+
+DEFENDER_MPLOG_TS_PATTERN = r"(?P<ts>[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{3}Z) "
+
+# Loosely based on https://github.com/Intrinsec/mplog_parser but feel free to add patterns
+
+DEFENDER_MPLOG_PATTERNS = [
+    # Process Image
+    (
+        re.compile(
+            "".join(
+                [
+                    DEFENDER_MPLOG_TS_PATTERN,
+                    r"ProcessImageName: (?P<process_image_name>.*), ",
+                    r"Pid: (?P<pid>\d*), ",
+                    r"TotalTime: (?P<total_time>\d*), ",
+                    r"Count: (?P<count>\d*), ",
+                    r"MaxTime: (?P<max_time>\d*), ",
+                    r"MaxTimeFile: (?P<max_time_file>.*), ",
+                    r"EstimatedImpact: (?P<estimated_impact>\d*)",
+                ]
+            )
+        ),
+        DefenderMPLogProcessImageRecord,
+    ),
+    # Mini-filter Unsuccessful scan status
+    (
+        re.compile(
+            "".join(
+                [
+                    DEFENDER_MPLOG_TS_PATTERN,
+                    r"\[Mini-filter\] (Unsuccessful scan status)[^:]*: (?P<path>.+) ",
+                    r"Process: (?P<process>.+), ",
+                    r"Status: (?P<status>.+), ",
+                    r"State: (?P<state>.+), ",
+                    r"ScanRequest (?P<scan_request>.+), ",
+                    r"FileId: (?P<file_id>.+), ",
+                    r"Reason: (?P<reason>.+), ",
+                    r"IoStatusBlockForNewFile: (?P<io_status_block_for_new_file>.+), ",
+                    r"DesiredAccess:(?P<desired_access>.+), ",
+                    r"FileAttributes:(?P<file_attributes>.+), ",
+                    r"ScanAttributes:(?P<scan_attributes>.+), ",
+                    r"AccessStateFlags:(?P<access_state_flags>.+), ",
+                    r"BackingFileInfo: (?P<backing_file_info>.+)",
+                ]
+            )
+        ),
+        DefenderMPLogMinFilUSSRecord,
+    ),
+    # EMS Scan
+    (
+        re.compile(
+            "".join(
+                [
+                    DEFENDER_MPLOG_TS_PATTERN,
+                    r".*",
+                    r"process: (?P<process>\w*) ",
+                    r"pid: (?P<pid>\d*), ",
+                    r"sigseq: (?P<sigseq>\w*), ",
+                    r"sendMemoryScanReport: (?P<send_memory_scan_report>\d*), ",
+                    r"source: (?P<source>\d*)",
+                ]
+            )
+        ),
+        DefenderMPLogEMSRecord,
+    ),
+    # Original filename
+    (
+        re.compile(
+            "".join(
+                [
+                    DEFENDER_MPLOG_TS_PATTERN,
+                    r".*",
+                    r"original file name \"(?P<original_file_name>.*)\" ",
+                    r"for \"(?P<full_path>.*)\", ",
+                    r"hr=(?P<hr>\w*)",
+                ]
+            )
+        ),
+        DefenderMPLogOriginalFileNameRecord,
+    ),
+    # Mini-filter Blocked file
+    (
+        re.compile(
+            "".join(
+                [
+                    DEFENDER_MPLOG_TS_PATTERN,
+                    r".*",
+                    r"\[Mini-filter\] Blocked file: (?P<blocked_file>.+) ",
+                    r"Process: (?P<process>.+), ",
+                    r"Status: (?P<status>.+), ",
+                    r"State: (?P<state>.+), ",
+                    r"ScanRequest (?P<scan_request>.+), ",
+                    r"FileId: (?P<file_id>.+), ",
+                    r"Reason: (?P<reason>.+), ",
+                    r"IoStatusBlockForNewFile: (?P<io_status_block_for_new_file>.+), ",
+                    r"DesiredAccess:(?P<desired_access>.+), ",
+                    r"FileAttributes:(?P<file_attributes>.+), ",
+                    r"ScanAttributes:(?P<scan_attributes>.+), ",
+                    r"AccessStateFlags:(?P<access_state_flags>.+), ",
+                    r"BackingFileInfo: (?P<backing_file_info>.+)",
+                ]
+            )
+        ),
+        DefenderMPLogMinFilBlockedFileRecord,
+    ),
+    # Exclusion
+    (
+        re.compile(
+            "".join(
+                [
+                    DEFENDER_MPLOG_TS_PATTERN,
+                    r"\[Exclusion\] (?P<full_path_with_drive_letter>.+) ",
+                    r"-> (?P<full_path_with_device_path>.+)",
+                ]
+            )
+        ),
+        DefenderMPLogExclusionRecord,
+    ),
+    # Lowfi
+    (
+        re.compile(
+            "".join(
+                [
+                    DEFENDER_MPLOG_TS_PATTERN,
+                    r".*",
+                    r"lowfi: (?P<lowfi>.+)",
+                ]
+            )
+        ),
+        DefenderMPLogLowfiRecord,
+    ),
+    # Detection add
+    (
+        re.compile(
+            "".join(
+                [
+                    DEFENDER_MPLOG_TS_PATTERN,
+                    r".*",
+                    r"DETECTION_ADD\S* (?P<detection>.*)",
+                ]
+            )
+        ),
+        DefenderMPLogDetectionAddRecord,
+    ),
+    # Threat
+    (
+        re.compile(
+            "".join(
+                [
+                    DEFENDER_MPLOG_TS_PATTERN,
+                    r".*",
+                    r"threat: (?P<threat>.*)",
+                ]
+            )
+        ),
+        DefenderMPLogThreatRecord,
+    ),
+    # Detection event
+    (
+        re.compile(
+            "".join(
+                [
+                    DEFENDER_MPLOG_TS_PATTERN,
+                    r".*",
+                    r"DETECTIONEVENT MPSOURCE_\S+ HackTool:(?P<threat_type>.*) file:(?P<command>.*)",
+                ]
+            )
+        ),
+        DefenderMPLogDetectionEventRecord,
+    ),
+]
+
+
+DEFENDER_MPLOG_BLOCK_PATTERNS = [
+    (
+        re.compile(r"Begin Resource Scan"),
+        re.compile(r"End Scan"),
+        re.compile(
+            "".join(
+                [
+                    r"Begin Resource Scan.*\n",
+                    r"Scan ID:(?P<scan_id>[^\n]+)\n",
+                    r"Scan Source:(?P<scan_source>\d+)\n",
+                    r"Start Time:(?P<start_time>[0-9\-\:\s]*)\n",
+                    r"End Time:(?P<end_time>[0-9\-\:\s]*)\n",
+                    r".*",
+                    r"Resource Schema:(?P<resource_schema>[^\n]+)\n",
+                    r"Resource Path:(?P<resource_path>[^\n]+)\n",
+                    r"Result Count:(?P<result_count>\d+)\n",
+                    r"(?P<rest>.*)\n",
+                    r"End Scan",
+                ]
+            ),
+            re.MULTILINE | re.DOTALL,
+        ),
+        DefenderMPLogResourceScanRecord,
+    ),
+    # Threat actions
+    (
+        re.compile(r"Beginning threat actions"),
+        re.compile(r"Finished threat actions"),
+        re.compile(
+            "".join(
+                [
+                    r"Beginning threat actions\n",
+                    r"Start time:(?P<ts>[0-9\-\:\s]*)\n",
+                    r"(?P<rest>.*)\n",
+                    r"Finished threat actions",
+                ]
+            ),
+            re.MULTILINE | re.DOTALL,
+        ),
+        DefenderMPLogThreatActionRecord,
+    ),
+    # RTP
+    (
+        re.compile(r"\*\*RTP Perf Log\*\*"),
+        re.compile(r"\*\*END RTP Perf Log\*\*"),
+        re.compile(
+            "".join(
+                [
+                    r"\*+RTP Perf Log\*+\n",
+                    r"RTP Start:(?P<ts>.*)\n",
+                    r"Last Perf:(?P<last_perf>.*)\n",
+                    r"First RTP Scan:(?P<first_rtp_scan>.*)\n",
+                    r"Plugin States:(?P<plugin_states>.*)\n",
+                    r"Process Exclusions:\n(?P<process_exclusions>.*)",
+                    r"Path Exclusions:\n(?P<path_exclusions>.*)",
+                    r"Ext Exclusions:\n(?P<ext_exclusions>.*)",
+                    r"Worker Threads",
+                ]
+            ),
+            re.MULTILINE | re.DOTALL,
+        ),
+        DefenderMPLogRTPRecord,
+    ),
+    # BM Telemetry (block)
+    (
+        re.compile(r"BEGIN BM telemetry"),
+        re.compile(r"END BM telemetry"),
+        re.compile(
+            "".join(
+                [
+                    r"BEGIN BM telemetry\n",
+                    r"(GUID):(?P<guid>.+)\n",
+                    r"(SignatureID):(?P<signature_id>.+)\n",
+                    r"(SigSha):(?P<sigsha>.+)\n",
+                    r"(ThreatLevel):(?P<threat_level>.+)\n",
+                    r"(ProcessID):(?P<process_id>.+)\n",
+                    r"(ProcessCreationTime):(?P<process_creation_time>.+)\n",
+                    r"(SessionID):(?P<session_id>.+)\n",
+                    r"(CreationTime):(?P<ts>.+)\n",
+                    r"(ImagePath):(?P<image_path>.+)\n",
+                    r"(Taint Info):(?P<taint_info>.+)\n",
+                    r"(Operations):(?P<operations>.+)\n",
+                    r"END BM telemetry",
+                ]
+            )
+        ),
+        DefenderMPLogBMTelemetryRecord,
+    ),
+]
+
+DEFENDER_MPLOG_LINE = re.compile(r"^\s+(.*)$", re.MULTILINE)

dissect/target/plugins/os/windows/defender_helpers/defender_records.py

@@ -0,0 +1,191 @@
+from dissect.target.helpers.record import TargetRecordDescriptor
+
+DefenderMPLogProcessImageRecord = TargetRecordDescriptor(
+    "windows/defender/mplog/processimage",
+    [
+        ("datetime", "ts"),
+        ("path", "source_log"),
+        ("string", "process_image_name"),
+        ("varint", "pid"),
+        ("varint", "total_time"),
+        ("varint", "count"),
+        ("varint", "max_time"),
+        ("string", "max_time_file"),
+        ("varint", "estimated_impact"),
+    ],
+)
+
+DefenderMPLogMinFilUSSRecord = TargetRecordDescriptor(
+    "windows/defender/mplog/minfiluss",
+    [
+        ("datetime", "ts"),
+        ("path", "source_log"),
+        ("path", "path"),
+        ("string", "process"),
+        ("string", "status"),
+        ("string", "state"),
+        ("string", "scan_request"),
+        ("string", "file_id"),
+        ("string", "reason"),
+        ("string", "io_status_block_for_new_file"),
+        ("string", "desired_access"),
+        ("string", "file_attributes"),
+        ("string", "scan_attributes"),
+        ("string", "access_state_flags"),
+        ("string", "backing_file_info"),
+    ],
+)
+
+DefenderMPLogMinFilBlockedFileRecord = TargetRecordDescriptor(
+    "windows/defender/mplog/blockedfile",
+    [
+        ("datetime", "ts"),
+        ("path", "source_log"),
+        ("string", "blocked_file"),
+        ("string", "process"),
+        ("string", "status"),
+        ("string", "state"),
+        ("string", "scan_request"),
+        ("string", "file_id"),
+        ("string", "reason"),
+        ("string", "io_status_block_for_new_file"),
+        ("string", "desired_access"),
+        ("string", "file_attributes"),
+        ("string", "scan_attributes"),
+        ("string", "access_state_flags"),
+        ("string", "backing_file_info"),
+    ],
+)
+
+
+DefenderMPLogBMTelemetryRecord = TargetRecordDescriptor(
+    "windows/defender/mplog/bmtelemetry",
+    [
+        ("datetime", "ts"),
+        ("path", "source_log"),
+        ("string", "guid"),
+        ("varint", "signature_id"),
+        ("string", "sigsha"),
+        ("varint", "threat_level"),
+        ("varint", "process_id"),
+        ("varint", "process_creation_time"),
+        ("varint", "session_id"),
+        ("path", "image_path"),
+        ("string", "taint_info"),
+        ("string", "operations"),
+    ],
+)
+
+DefenderMPLogEMSRecord = TargetRecordDescriptor(
+    "windows/defender/mplog/ems",
+    [
+        ("datetime", "ts"),
+        ("path", "source_log"),
+        ("string", "process"),
+        ("varint", "pid"),
+        ("string", "sigseq"),
+        ("varint", "send_memory_scan_report"),
+        ("varint", "source"),
+    ],
+)
+
+DefenderMPLogOriginalFileNameRecord = TargetRecordDescriptor(
+    "windows/defender/mplog/originalfilename",
+    [
+        ("datetime", "ts"),
+        ("path", "source_log"),
+        ("string", "original_file_name"),
+        ("path", "full_path"),
+        ("string", "hr"),
+    ],
+)
+
+DefenderMPLogExclusionRecord = TargetRecordDescriptor(
+    "windows/defender/mplog/exclusion",
+    [
+        ("datetime", "ts"),
+        ("path", "source_log"),
+        ("path", "full_path_with_drive_letter"),
+        ("path", "full_path_with_device_path"),
+    ],
+)
+
+DefenderMPLogLowfiRecord = TargetRecordDescriptor(
+    "windows/defender/mplog/lowfi",
+    [
+        ("datetime", "ts"),
+        ("path", "source_log"),
+        ("command", "lowfi"),
+    ],
+)
+
+DefenderMPLogDetectionAddRecord = TargetRecordDescriptor(
+    "windows/defender/mplog/detectionadd",
+    [
+        ("datetime", "ts"),
+        ("path", "source_log"),
+        ("string", "detection"),
+    ],
+)
+
+
+DefenderMPLogThreatRecord = TargetRecordDescriptor(
+    "windows/defender/mplog/threat",
+    [
+        ("datetime", "ts"),
+        ("path", "source_log"),
+        ("command", "threat"),
+    ],
+)
+
+DefenderMPLogDetectionEventRecord = TargetRecordDescriptor(
+    "windows/defender/mplog/detectionevent",
+    [
+        ("datetime", "ts"),
+        ("path", "source_log"),
+        ("string", "threat_type"),
+        ("command", "command"),
+    ],
+)
+
+DefenderMPLogResourceScanRecord = TargetRecordDescriptor(
+    "windows/defender/mplog/resourcescan",
+    [
+        ("datetime", "ts"),
+        ("path", "source_log"),
+        ("string", "scan_id"),
+        ("varint", "scan_source"),
+        ("datetime", "start_time"),
+        ("datetime", "end_time"),
+        ("string", "resource_schema"),
+        ("path", "resource_path"),
+        ("varint", "result_count"),
+        ("string[]", "threats"),
+        ("path[]", "resources"),
+    ],
+)
+
+DefenderMPLogThreatActionRecord = TargetRecordDescriptor(
+    "windows/defender/mplog/threataction",
+    [
+        ("datetime", "ts"),
+        ("path", "source_log"),
+        ("string[]", "threats"),
+        ("path[]", "resources"),
+        ("string[]", "actions"),
+    ],
+)
+
+DefenderMPLogRTPRecord = TargetRecordDescriptor(
+    "windows/defender/mplog/rtp_log",
+    [
+        ("datetime", "ts"),
+        ("path", "source_log"),
+        ("datetime", "last_perf"),
+        ("datetime", "first_rtp_scan"),
+        ("string", "plugin_states"),
+        ("path[]", "process_exclusions"),
+        ("path[]", "path_exclusions"),
+        ("string[]", "ext_exclusions"),
+    ],
+)

{dissect.target-3.18.dev9.dist-info → dissect.target-3.18.dev10.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: dissect.target
-Version: 3.18.dev9
+Version: 3.18.dev10
 Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
 Author-email: Dissect Team <dissect@fox-it.com>
 License: Affero General Public License v3

{dissect.target-3.18.dev9.dist-info → dissect.target-3.18.dev10.dist-info}/RECORD

@@ -262,7 +262,7 @@ dissect/target/plugins/os/windows/cim.py,sha256=jsrpu6TZpBUh7VWI9AV2Ib5bebTwsvqO
 dissect/target/plugins/os/windows/clfs.py,sha256=begVsZ-CY97Ksh6S1g03LjyBgu8ERY2hfNDWYPj0GXI,4872
 dissect/target/plugins/os/windows/credhist.py,sha256=YSjuyd53Augdy_lKKzZHtx5Ozt0HzF6LDYIOb-8P1Pw,7058
 dissect/target/plugins/os/windows/datetime.py,sha256=YKHUZU6lkKJocq15y0yCwvIIOb1Ej-kfvEBmHbrdIGw,9467
-dissect/target/plugins/os/windows/defender.py,sha256=lHHhyi8YqNTmBu3qbH7yskMAYcarYouPxKtBQLtXnnE,23713
+dissect/target/plugins/os/windows/defender.py,sha256=VvcYsCc7gTJiz4LJotWqHU8k_4vo-mkCoBNx8bgtVEE,32608
 dissect/target/plugins/os/windows/env.py,sha256=-u9F9xWy6PUbQmu5Tv_MDoVmy6YB-7CbHokIK_T3S44,13891
 dissect/target/plugins/os/windows/generic.py,sha256=BSvDPfB9faU0uquMj0guw5tnR_97Nn0XAEE4k05BFSQ,22273
 dissect/target/plugins/os/windows/lnk.py,sha256=On1k0PODYggQM1j514qFepBACCV2Z2u61Q4Ba6e3Y2c,8179
@@ -280,6 +280,9 @@ dissect/target/plugins/os/windows/tasks.py,sha256=8DRsIAuIJPaH_G18l8RYfnK_WkEqVx
 dissect/target/plugins/os/windows/thumbcache.py,sha256=23YjOjTNoE7BYITmg8s9Zs8Wih2e73BkJJEaKlfotcI,4133
 dissect/target/plugins/os/windows/ual.py,sha256=TYF-R46klEa_HHb86UJd6mPrXwHlAMOUTzC0pZ8uiq0,9787
 dissect/target/plugins/os/windows/wer.py,sha256=ogecvKYxAvDXLptQj4cn0JLn1FxaXjeSuJWs4JgkoZs,8656
+dissect/target/plugins/os/windows/defender_helpers/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+dissect/target/plugins/os/windows/defender_helpers/defender_patterns.py,sha256=xsZH0WqMX_mC1q55jgp4RDHBRh2UQBXZVhJD0DRiwZU,9329
+dissect/target/plugins/os/windows/defender_helpers/defender_records.py,sha256=_azaY5Y1cH-WPmkA5k94PMktZGYXmWJG8addFQxQ554,5177
 dissect/target/plugins/os/windows/dpapi/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/os/windows/dpapi/blob.py,sha256=j3MMROXroes7pr_VLt8Xv6WEpv19hlgDpOxOJyZMRvo,5044
 dissect/target/plugins/os/windows/dpapi/crypto.py,sha256=_F1F2j1chQw-KLqfWvgL2mCkF3HSvdVnM78OZ0ph9hc,9337
@@ -340,10 +343,10 @@ dissect/target/volumes/luks.py,sha256=OmCMsw6rCUXG1_plnLVLTpsvE1n_6WtoRUGQbpmu1z
 dissect/target/volumes/lvm.py,sha256=wwQVR9I3G9YzmY6UxFsH2Y4MXGBcKL9aayWGCDTiWMU,2269
 dissect/target/volumes/md.py,sha256=j1K1iKmspl0C_OJFc7-Q1BMWN2OCC5EVANIgVlJ_fIE,1673
 dissect/target/volumes/vmfs.py,sha256=-LoUbn9WNwTtLi_4K34uV_-wDw2W5hgaqxZNj4UmqAQ,1730
-dissect.target-3.18.dev9.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
-dissect.target-3.18.dev9.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
-dissect.target-3.18.dev9.dist-info/METADATA,sha256=MhwBgTsOJRxjOgDeAphefB5vGoY0YAaydMIelDhkiRE,12722
-dissect.target-3.18.dev9.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
-dissect.target-3.18.dev9.dist-info/entry_points.txt,sha256=tvFPa-Ap-gakjaPwRc6Fl6mxHzxEZ_arAVU-IUYeo_s,447
-dissect.target-3.18.dev9.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
-dissect.target-3.18.dev9.dist-info/RECORD,,
+dissect.target-3.18.dev10.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
+dissect.target-3.18.dev10.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
+dissect.target-3.18.dev10.dist-info/METADATA,sha256=ccY-AXd6JQ_QbmuIHLJAyNRoeb8aWmrL8zSVqZqUNGg,12723
+dissect.target-3.18.dev10.dist-info/WHEEL,sha256=cpQTJ5IWu9CdaPViMhC9YzF8gZuS5-vlfoFihTBC86A,91
+dissect.target-3.18.dev10.dist-info/entry_points.txt,sha256=tvFPa-Ap-gakjaPwRc6Fl6mxHzxEZ_arAVU-IUYeo_s,447
+dissect.target-3.18.dev10.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
+dissect.target-3.18.dev10.dist-info/RECORD,,

{dissect.target-3.18.dev9.dist-info → dissect.target-3.18.dev10.dist-info}/WHEEL

@@ -1,5 +1,5 @@
 Wheel-Version: 1.0
-Generator: bdist_wheel (0.43.0)
+Generator: setuptools (70.1.0)
 Root-Is-Purelib: true
 Tag: py3-none-any