A parser of Windows Defender's DetectionHistory forensic artifact, containing substantial info about quarantined files and executables.

Last update: Oct 30, 2022

Overview

The files parsed by this application may be found on any Windows system, if they exist, under [root]\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory[numbered folder][File GUID]

NOTES

The file header should be of the form: b'0800000008', or else it is not a valid DetectionHistory file.
Immediately following the file header and before the first mention of "Magic Version", the GUID of the file is given in Big-Endian(?) representation, capped off by a b'24' at the end, signaling the end of the GUID and beginning of the DetectionHistory data.
ThreatTrackingStartTime and all other timestamps are in FILETIME structure (UTC)

Ingestinator is my personal VFX pipeline tool for ingesting folders containing frame sequences that have been pulled and downloaded to a local folder

Ingestinator Ingestinator is my personal VFX pipeline tool for ingesting folders containing frame sequences that have been pulled and downloaded to a

2 Nov 18, 2022

Convert a .vcf file to 'aa_table.tsv', including depth & alt frequency info

Produce an 'amino acid table' file from a vcf, including depth and alt frequency info.

1 Oct 16, 2021

Generating rent availability info from Effort rent

Rent-info Generating rent availability info from Effort rent Pre-Installation Latest version of python Pip module json, os, requests, datetime, time i

1 Oct 20, 2021

SimBiber - A tool for simplifying bibtex with official info

SimBiber: A tool for simplifying bibtex with official info. We often need to sim

336 Jan 2, 2023

GDIT: Geometry Dash Info Tool

GDIT: Geometry Dash Info Tool This is the first large script that allows you to quickly get information from the Geometry Dash server

2 Jan 9, 2022

A repository containing useful resources needed to complete the SUSE Scholarship Challenge #UdacitySUSEScholars #poweredbySUSE

SUSE-udacity-cloud-native-scholarship A repository containing useful resources needed to complete the SUSE Scholarship Challenge #UdacitySUSEScholars

11 Dec 2, 2021

This program generates automatically new folders containing old version of program

Automated Folder Versions Generator by Sergiy Grimoldi - V.0.0.2 This program generates automatically new folders containing old version of something

1 Dec 23, 2021

:snake: Complete C99 parser in pure Python

pycparser v2.20 Contents 1 Introduction 1.1 What is pycparser? 1.2 What is it good for? 1.3 Which version of C does pycparser support? 1.4 What gramma

2.8k Dec 29, 2022

A Gura parser implementation for Python

Gura parser This repository contains the implementation of a Gura format parser in Python. Installation pip install gura-parser Usage import gura gur

19 Jan 25, 2022

Comments

Find it frustrating that the documentation doesn't give a single example of a minimal command to try
Based on reading the readme along with the help message that prints when I try to run the exe, I imagine the usage would be something like:

./dhparser.exe -f 'C:\ProgramData\Microsoft\Windows Defender\' -r -o './results.txt'

...if I just want to recursively parse any files in the default directory. But rather, I just get a somewhat unhelpful error message:

usage: dhparser.exe [-h] -f FILE [-g] -o OUTPUT [-r] [-s] [-v] dhparser.exe: error: the following arguments are required: -o/--output

However, I've included the options. I just clearly don't understand how to correctly use them. Maybe I missed something obvious in the documentation, but either way I think it would be better practice to have at least one example of a command to try out the tool.

Edit: That said, thanks for contributing your time toward an open source tool.
opened by jt0dd 5
Create Velociraptor Artifact DefenderDHParser.yaml

This Velociraptor artifact leverages Windows Defender DetectionHistory tool to parse and return the parameters of Windows Defender detections contained in Detection History files.

opened by eduardomcm 1
ERROR: ||[Errno 21] Is a directory

More detail :'/'|| caught in /. Moving on to next file... 1 of 1 DetectionHistory files found were successfully parsed, with output written to "op.txt" in 0.023249847 seconds.

I am getting this error when I try to run the script python3 dhparser.py -f /home/kali/Desktop/0.exe.zip -o op.txt even the output file is not generated
bug

opened by v3daxt 1
Please double check your research findings

From README

The creation of these files is an after-product of Windows Defender's real-time/cloud-delivered protection(RTP) blocking threats such as Potentially Unwanted Applications (PUAs), viruses, worms, trojans, etc.

The files appear to be generated even with cloud-delivered protection turned off.

The file begins with a header, 0x0800000008, taking up the first 5 bytes in every known scenario

There are files under the MputHistory directory that start with the same 5 bytes that contain different information. So it does not look like to be a "signature" (as in something that uniquely identifies the DetectionHistory files)

opened by joachimmetz 3

Releases(v1.0.1)

v1.0.1(Jan 26, 2022)

A release centered around community feedback- fixed bugs, increased user friendliness, and more documentation!
Source code(tar.gz)
Source code(zip)
v1.0(Jan 12, 2022)

Official release of the DetectionHistory Parser, featuring documentation on a brand new artifact, fleshed out features, and multiple options to tailor the experience.
Source code(tar.gz)
Source code(zip)

Owner

Jordan Klepser

Digital Forensics Analyst, Threat Hunter, Machine Learning Enthusiast, Factoid Purveyor

GitHub Repository

Pre-crisis Risk Management for Personal Finance

Антикризисный риск-менеджмент личных финансов Риск-менеджмент личных финансов условиях санкций и/или финансового кризиса: делаем сегодня все, чтобы за

593 Jan 09, 2023

LanguageCreator - Simple library for easy creation transpilator.

LanguageCreator - Simple library for easy creation transpilator. Create transpilators in one hour! Install. Download code, rename folder to "LanguageC

2 Dec 31, 2021

This repository is an archive of emails that are sent by the awesome Quincy Larson every week.

Awesome Quincy Larson Email Archive This repository is an archive of emails that are sent by the awesome Quincy Larson every week. If you fi

912 Jan 05, 2023

Script that creates graphical representations of Julia an Mandelbrot sets.

Julia and Mandelbrot Picture Maker This simple functions create simple plots of the Julia and Mandelbrot sets. The Julia set require the important par

1 Jan 10, 2022

An optional component handler for hikari, inspired by discord.py's views.

hikari-miru An optional component handler for hikari, inspired by discord.py's views.

43 Dec 26, 2022

MDAnalysis tool to calculate membrane curvature.

The MDAkit for membrane curvature analysis is part of the Google Summer of Code program and it is linked to a Code of Conduct.

19 Oct 20, 2022

tetrados is a tool to generate a density of states using the linear tetrahedron method from a band structure.

tetrados tetrados is a tool to generate a density of states using the linear tetrahedron method from a band structure. Currently, only VASP calculatio

1 Dec 21, 2021

COVID-19 case tracker in Dash

covid_dashy_personal This is a personal project to build a simple COVID-19 tracker for Australia with Dash. Key functions of this dashy will be to Dis

1 Nov 30, 2021

Paxos in Python, tested with Jepsen

Python implementation of Multi-Paxos with a stable leader and reconfiguration, roughly following "Paxos Made Moderately Complex". Run python3 paxos/st

25 Dec 15, 2022

Modern robots.txt Parser for Python

Robots Exclusion Protocol Parser for Python Robots.txt parsing in Python. Goals Fetching -- helper utilities for fetching and parsing robots.txts, inc

176 Dec 16, 2022

Mahadi-6 - This Is Bangladeshi All Sim 6 Digit Cloner Tools

BANGLADESHI ALL SIM 6 DIGIT CLONER TOOLS TOOLS $ apt update $ apt upgrade $ apt

2 Jan 23, 2022

Button paginator using discord_components

Button Paginator With discord-components Button paginator using discord_components Welcome! It's a paginator for discord-componets! Thanks to the orig

7 Feb 12, 2022

《赛马娘》（ウマ娘: Pretty Derby）辅助 🐎🖥 基于 auto-derby 可视化操作/设置启动器一键包

ok-derby 《赛马娘》（ウマ娘: Pretty Derby）辅助 🐎 🖥 基于 auto-derby 可视化操作/设置启动器一键包便捷，好用的 auto_derby 管理器！功能支持客户端 DMM （前台）实验性安卓 ADB 连接（后台）开发基于 1080x1920 分辨率

90 Jan 01, 2023

Spyware baseado em Python para Windows que registra como atividades da janela em primeiro plano, entradas do teclado.

Spyware baseado em Python para Windows que registra como atividades da janela em primeiro plano, entradas do teclado. Além disso, é capaz de fazer capturas de tela e executar comandos do shell em seg

1 Oct 29, 2021

Uma versão em Python/Ursina do aplicativo Real Drum (android).

Real Drum Descrição Esta é uma versão alternativa feita em Python com a engine Ursina do aplicatio Real Drum (presente no Google Play Store). Como exe

5 Aug 20, 2022

libvcs - abstraction layer for vcs, powers vcspull.

libvcs - abstraction layer for vcs, powers vcspull. Setup $ pip install libvcs Open up python: $ python # or for nice autocomplete and syntax highlig

46 Dec 14, 2022

Hexa is an advanced browser.It can carry out all the functions present in a browser.

Hexa is an advanced browser.It can carry out all the functions present in a browser.It is coded in the language Python using the modules PyQt5 and sys mainly.It is gonna get developed more in the fut

1 Dec 10, 2021

This is a repository built by the community for the community.

Nutshell Machine Learning Machines can see, hear and learn. Welcome to the future 🌍 The repository was built with a tree-like structure in mind, it c

82 Nov 18, 2022

How to create the game Rock, Paper, Scissors in Python

Rock, Paper, Scissors! If you want to learn how to do interactive games using Python, then this is great start for you. In this code, You will learn h

1 Dec 18, 2021

Convert ldapdomaindump to Bloodhound

ldd2bh Usage usage: ldd2bh.py [-h] [-i INPUT_FOLDER] [-o OUTPUT_FOLDER] [-a] [-u] [-c] [-g] [-d] Convert ldapdomaindump to Bloodhoun

64 Oct 30, 2022