jklepsercyber / defender-detectionhistory-parser

A parser of Windows Defender's DetectionHistory forensic artifact, containing substantial info about quarantined files and executables.
GNU General Public License v3.0

Find it frustrating that the documentation doesn't give a single example of a minimal command to try #4

Closed jt0dd closed 2 years ago

jt0dd commented 2 years ago

Based on reading the readme along with the help message that prints when I try to run the exe, I imagine the usage would be something like:

./dhparser.exe -f 'C:\ProgramData\Microsoft\Windows Defender\' -r -o './results.txt'

...if I just want to recursively parse any files in the default directory. But rather, I just get a somewhat unhelpful error message:

usage: dhparser.exe [-h] -f FILE [-g] -o OUTPUT [-r] [-s] [-v]
dhparser.exe: error: the following arguments are required: -o/--output

However, I've included the options. I just clearly don't understand how to correctly use them. Maybe I missed something obvious in the documentation, but either way I think it would be better practice to have at least one example of a command to try out the tool.

Edit: That said, thanks for contributing your time toward an open source tool.

jt0dd commented 2 years ago

For anyone else with this error, I figured out that it's just not really recursive (which I think would mean it will search a directory and any child directories). You need to specify the directory down to the one that holds the files directly, like:

./dhparser.exe -f 'C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory' -r -o './results.txt'

jklepsercyber commented 2 years ago

Sorry to hear that. Let me see what I can do regarding the documentation and this error. Thanks for your feedback, I'll be rolling out some improvements this weekend and can include this as well.

jklepsercyber commented 2 years ago

@jt0dd edit: solved this part. Find some other good data below:

I think pointing the tool at this folder causes Windows to actually check the permissions of your application, so in this case, you may actually need to copy out the C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory directory to your Desktop, or other preferred location, to run the parser. This is definitely worth including in the README.md as well, since it was included in the SANS blogpost.

Another improvement I'd like to make is actually specifying the option to output the JSON to a textfile, rather than individual JSON files, so your output arg brings another good point back up. Right now, I'm sure you noticed, but each output is actually written to individual JSON files inside the folder name specified on -o.

For transparency, I pushed the build I used to generate this output to develop. Let me know if your results change after doing that!

jklepsercyber commented 2 years ago

@jt0dd Quick update: looked further into this, and it's no error on your part of misusing arguments or misreading anything. It's actually an issue with how Bash, Python (and the argparse library) handle escaped characters, \' in this scenario. So, for instance... [image] fails to recognize the argument, while... [image] works just fine, reason being, \\ is just an escaped \ character. The issue is that when parse_args() from argparse is called, that string is escaped, and parse_args() thinks you want to include everything after the escaped character into one argument. Then, your -o arg would never be recognized since it's just part of a big string. Mishandling escaped characters is a bit of a widespread issue, so for now, the best solution is to simply omit the final backslash in your filepath arguments, or to use \ throughout your filepath argument.

For anyone else with this error, I figured out that it's just not really recursive (which I think would mean it will search a directory and any child directories). You need to specify the directory down to the one that holds the files directly, like:

./dhparser.exe -f 'C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory' -r -o './results.txt'

For example, the above -f arg you provided does not include a \' on the end, whereas

./dhparser.exe -f 'C:\ProgramData\Microsoft\Windows Defender\' -r -o './results.txt'

includes the escaped \', causing the error. Hopefully, there is some way to avoid this through input sanitization, but I'm not completely sure after a few attempts. There are a few solutions online that touch on, but don't quite cover, the issue with argparse we are looking at here. Will keep trying and keep you posted!
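Added example, not the project's code, that reproduces the symptom reported in this thread: it implements the documented Windows C-runtime argv splitting rules and feeds the result to an argparse parser mirroring the usage line quoted above, assuming the command is typed into a Windows shell that hands the space-containing path to the exe wrapped in double quotes. With the trailing backslash, the closing quote is treated as escaped, so everything up to the end of the line becomes part of the -f value and argparse never sees -o; without it, every option parses.

```python
import argparse

# Constructed command lines as a Windows shell passes them to dhparser.exe (assumed launch shell)
CMD_TRAILING_BACKSLASH = r'dhparser.exe -f "C:\ProgramData\Microsoft\Windows Defender\" -r -o ./results.txt'
CMD_NO_TRAILING_BACKSLASH = r'dhparser.exe -f "C:\ProgramData\Microsoft\Windows Defender" -r -o ./results.txt'

class StrictParser(argparse.ArgumentParser):
    def error(self, message):          # raise instead of printing usage and exiting
        raise ValueError(message)

def build_parser() -> argparse.ArgumentParser:
    # Mirrors the usage line in the issue: dhparser.exe [-h] -f FILE [-g] -o OUTPUT [-r] [-s] [-v]
    p = StrictParser(prog="dhparser.exe")
    p.add_argument("-f", "--file", required=True)
    p.add_argument("-o", "--output", required=True)
    for flag in ("-g", "-r", "-s", "-v"):
        p.add_argument(flag, action="store_true")
    return p

def split_windows_cmdline(cmdline: str) -> list:
    """Build argv with the Windows C runtime rules: whitespace splits outside double quotes;
    n backslashes before a quote give n//2 backslashes, and an odd n makes that quote a
    literal character instead of toggling quote mode. (Empty "" arguments are not modelled.)"""
    args, cur, in_quotes, bs = [], "", False, 0
    for c in cmdline:
        if c == "\\":
            bs += 1                        # deferred: its meaning depends on what follows
        elif c == '"':
            cur += "\\" * (bs // 2) + '"' * (bs % 2)   # odd run: escaped, literal quote
            in_quotes ^= (bs % 2 == 0)                 # even run: the quote delimits
        elif c in " \t" and not in_quotes:
            cur += "\\" * bs
            if cur:
                args.append(cur)
                cur = ""
        else:
            cur += "\\" * bs + c           # backslashes not before a quote are literal
        bs = bs if c == "\\" else 0
    cur += "\\" * bs
    if cur:
        args.append(cur)
    return args

def run_dhparser_cli(cmdline: str):
    argv = split_windows_cmdline(cmdline)  # returns (namespace, None) or (None, error message)
    try:
        return build_parser().parse_args(argv[1:]), None
    except ValueError as exc:
        return None, str(exc)
```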

jt0dd commented 2 years ago

Thanks for looking into it. Anyhow, once again thanks for contributing to the cybersec community. This is just one more useful tool in the kit.