Python tool to parse and decrypt files quarantined by Windows Defender. Useful for security analysts and incident responders who need to review the original file(s) Windows Defender alerted on.
Each file entry is parsed in memory, returning the original hash of the quarantined file along with the original file path and the threat name assigned at detection. Optionally use the "-d" flag to dump the files, in their original form, into a password-protected .ZIP (password: infected).
Standing on the shoulders of giants - this tool builds upon the amazing work of @knez and their defender-dump tool. It is now functional against any target path, hashes entries in memory, and optionally outputs to an encrypted .ZIP. The RC4 decryption routine is forked from quarantine.py in the cuckoosandbox project.
Credit to knez, KillerInstinct, Optiv, Inc and OALabs for the work this tool builds upon.
After detection, a file is moved to the following path for quarantine:
C:\ProgramData\Microsoft\Windows Defender\Quarantine
- Detection metadata is stored in the 'Entries' subfolder
- The original file is encrypted and stored in the 'ResourceData' subfolder
Defender RC4-encrypts each file with a hardcoded key, so the operation can easily be reversed. To make use of this tool, retrieve the entire \Quarantine folder (both subfolders are needed: 'Entries' for the metadata and 'ResourceData' for the encrypted file bodies).
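The in-memory workflow described above (RC4-decrypt an encrypted blob, then hash the recovered plaintext without writing it to disk) as an added, stand-alone example. This is not WinDefReleaser's own code or the cuckoosandbox routine; it uses a constructed placeholder key and constructed sample data, because the real Defender key and the on-disk 'Entries'/'ResourceData' formats are not reproduced here. The function and variable names (rc4_crypt, hash_entry, release_in_memory, DEMO_KEY) are this example's own.

```python
import hashlib
from typing import Dict

# Constructed placeholder key for this example only. It is NOT the key
# Windows Defender uses; the tool itself carries that constant.
DEMO_KEY = b"constructed-demo-key-not-defenders"

# Hashing modes matching the tool's "-m" options; sha1 is the tool's default.
HASH_MODES = {"md5": hashlib.md5, "sha1": hashlib.sha1, "sha256": hashlib.sha256}


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """XOR `data` with the RC4 keystream derived from `key`.

    RC4 is symmetric, so the same call both encrypts and decrypts. This is the
    whole reason a quarantined file can be recovered once the key is known.
    """
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm (KSA): permute S under the key.
    S = list(range(256))
    j = 0
    klen = len(key)
    for i in range(256):
        j = (j + S[i] + key[i % klen]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA): one keystream byte per input byte.
    out = bytearray(len(data))
    i = j = 0
    for n, byte in enumerate(data):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out[n] = byte ^ S[(S[i] + S[j]) & 0xFF]
    return bytes(out)


def hash_entry(plaintext: bytes, mode: str = "sha1") -> str:
    """Hash recovered plaintext with one of the tool's md5/sha1/sha256 modes."""
    if mode not in HASH_MODES:
        raise ValueError(f"unsupported hashing mode: {mode!r} (use md5/sha1/sha256)")
    return HASH_MODES[mode](plaintext).hexdigest()


def release_in_memory(key: bytes, encrypted_blob: bytes, mode: str = "sha1") -> Dict[str, object]:
    """Decrypt one quarantined blob in memory and report its size and hash.

    Nothing is written to disk: the plaintext lives only long enough to be
    hashed, which is what lets an analyst match the sample against threat
    intelligence without re-introducing the file to the filesystem.
    """
    plaintext = rc4_crypt(key, encrypted_blob)
    return {"size": len(plaintext), "mode": mode, "hash": hash_entry(plaintext, mode)}


if __name__ == "__main__":
    # Constructed sample: stand in for the body of one ResourceData entry.
    original = b"MZ... constructed sample file body, not real malware ..."
    blob = rc4_crypt(DEMO_KEY, original)          # what "quarantine" would store
    record = release_in_memory(DEMO_KEY, blob, "sha256")
    print(record)
```

Pointing release_in_memory at a real blob only requires swapping DEMO_KEY for the tool's key and feeding it the bytes read from a ResourceData entry; the hash it returns is the value you would pivot on in your case notes or threat-intel lookups.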
usage: WinDefReleaser.py [-h] [-d] [-o OUTPUT] [-m MODE] path
Windows Defender Releaser
positional arguments:
path input filepath, the 'Quarantine' folder you want to parse
optional arguments:
-h, --help show this help message and exit
-d, --dump decrypt and dump all entries into a password-protected .ZIP (password: infected)
-o OUTPUT, --output OUTPUT
output folder path
-m MODE, --mode MODE hashing mode: md5/sha1/sha256, default is sha1
Example:
python WinDefReleaser.py /path/to/Quarantine -m sha256 -d -o /output/folder