jklepsercyber / defender-detectionhistory-parser

A parser of Windows Defender's DetectionHistory forensic artifact, containing substantial info about quarantined files and executables.
GNU General Public License v3.0

Create Velociraptor Artifact DefenderDHParser.yaml #6

Closed eduardomcm closed 2 years ago

eduardomcm commented 2 years ago

This Velociraptor artifact leverages the Windows Defender DetectionHistory tool to parse and return the parameters of Windows Defender detections contained in DetectionHistory files.

jklepsercyber commented 2 years ago

Great work!! Thanks so much for the value add.