Tuesday, July 23, 2024

Windows Defender Quarantine Folder Metadata Recovered for Forensic Investigations

Windows Defender is a built-in antivirus and anti-malware software developed by Microsoft for Windows operating systems. 

It provides real-time protection against various threats, including:-

  • Viruses
  • Spyware
  • Ransomware

Cybersecurity researchers at Fox-IT recently discovered that revived Windows Defender Quarantine folder metadata helps in boosting forensic investigations.

Windows Defender Quarantine Folder Metadata

In incident response, researchers often confront triggered antivirus apps like Windows Defender. Threat actors either disable it or try to evade detection. Windows Defender’s quarantine folder is crucial for digital forensics, revealing:-

  • Timestamps
  • Locations
  • File signatures

The intact quarantine folder offers valuable forensic insights even if threat actors erase Windows Event logs. Recovering files from quarantine helps reverse engineering. 

While scripts exist for recovery, but security analysts’ research unveils previously unknown metadata, reducing uncertainties in forensic investigations.

Researchers delved into Windows Defender internals, consulting Florian Bauchs’ whitepaper and other GitHub scripts. Existing tools left significant data unparsed, hinting at undiscovered forensic artifacts. 

Windows Defender encrypts files with a hardcoded RC4 key from mpengine.dll. Using public scripts and Bauch’s whitepaper, researchers loaded mpengine.dll into IDA, leveraging Microsoft’s symbol server for a head start on functions and structures.

Researchers started with the QuarantineEntry file to recover its structure for valuable metadata. Unlike one RC4 cipherstream, this file has three individually encrypted chunks, referred to as:-

  • QuarantineEntryFileHeader
  • QuarantineEntrySection1
  • QuarantineEntrySection2
Overview of a QuarantineEntry (Source - Fox IT)
Overview of a QuarantineEntry (Source – Fox IT)

Analyzing mpengine.dll in IDA, the QexQuarantine::CQexQuaEntry::Commit function determines QuarantineEntrySection1 and QuarantineEntrySection2 contents. The PDB lacks details on the CQexQuaEntry class, but field derivation is possible from associated function names. 

Key fields like Id, ScanId, ThreatId, ThreatName, and Time are crucial. Section1 size, set in the function, includes ThreatName length plus 53 bytes, labeled as ‘One’ for now due to uncertainty. Likely a boolean value, its purpose within QexQuarantine::CQexQuaEntry::Commit remains unknown.

QuarantineEntrySection2 includes the count of QuarantineEntryResource objects and their offsets within the QuarantineEntry structure. 

While typically, one threat corresponds to one QuarantineEntryResource, scenarios like unpacking a ZIP with multiple threats can have multiple resources within a single QuarantineEntry.

To parse QuarantineEntryResource instances, experts examine the CQexQuaResource::ToBinary function. This function, handling binary output for forensic recovery, features loops similar to ThreatName serialization. 

The loops reserve space in the output buffer for UTF-16 encoded DetectionPath and DetectionType, which are crucial components observed in decrypted QuarantineEntry files.

File recovery steps

File recovery includes the following three steps:-

  • Step one: eyeball hexdumps
  • Step two: open IDA
  • Step three: RTFM

Besides this, reverse engineering mpengine.dll revealed valuable insights into Windows Defender’s quarantine process, leading to the discovery of undocumented metadata. This uncovered the following additional details that enhance the digital forensics capabilities:-

  • Timestamps
  • NTFS data streams

The research also illustrates Defender’s use of BackupRead functionality to preserve NTFS file data streams. Implementing findings in a Dissect framework plugin enhances code readability and verifiability.


Latest articles

Beware Of Dating Apps Exposing Your Personal And Location Details To Cyber Criminals

Threat actors often attack dating apps to steal personal data, including sensitive data and...

Hackers Abusing Google Cloud For Phishing

Threat actors often attack cloud services for several illicit purposes. Google Cloud is targeted...

Two Russian Nationals Charged for Cyber Attacks against U.S. Critical Infrastructure

The United States has designated Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko, two members...

Threat Actors Taking Advantage of CrowdStrike BSOD Bug to Deliver Malware

Threat actors have been found exploiting a recently discovered bug in CrowdStrike's software that...

NCA Shut’s Down the Most Popular “digitalstress” DDoS-for-hire Service

The National Crime Agency (NCA) has successfully infiltrated and dismantled one of the most...

Play Ransomware’s Linux Variant Attacking VMware ESXi Servers

A new Linux variant of Play ransomware targets VMware ESXi environments, which encrypts virtual...

SonicOS IPSec VPN Vulnerability Let Attackers Cause Dos Condition

SonicWall has disclosed a critical heap-based buffer overflow vulnerability in its SonicOS IPSec VPN....
Tushar Subhra Dutta
Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles