Mon, Aug 23, 2021

EventTranscript.db and Security Events

Security events and system health information related to the status of firewall and antivirus services are recorded in EventTranscript.db. Since threat actors typically modify these system settings, this data can be critical for establishing a coherent timeline and sequence of events that occurred during an incident. Furthermore, in the face of Event Log clearing, EventTranscript.db provides actionable items to assist in the investigation. To begin, disable various Windows security settings through the Windows Security GUI or command line (Figure 1).

Figure 1: Disabled Windows Defender and Firewall

The changes to the services can be seen with the telemetry event: Microsoft.Windows.Defender.Shield.ShieldHeartbeat. Figure 2 shows the statuses of the different components when in a default configuration.

Figure 2: Security-Enabled Event Contents

With the settings disabled, Figure 3 shows how the values change. (Note: Firewall is not disabled in this screenshot.)

Figure 3: Security-Disabled Event Contents

As shown in Figure 3, when protections are disabled, the corresponding value changes in the event from GREEN to RED.

When Windows Defender is enabled, the telemetry event, Microsoft.Windows.Security.WSC.EnableDefender is fired (Figure 4). This event signals that Windows Defender is enabled with the enable key.

Figure 4: Defender-Enabled Event

Also, periodic service status events are triggered with the event name: Microsoft.Windows.Inventory.General.InventoryMiscellaneousServiceAdd (Figure 5). This event will show the execution status of the different services.

Figure 5: Service State Running

Disabling services will cause the event to change the State value (Figure 6).

Figure 6: Service State Stopped

The type of installed antivirus software can be determined with the DisplayName and ProductState values found in the telemetry event: Microsoft.Windows.Inventory.General.InventoryMiscellaneousAntivirusInformationAdd (Figure 7).

Figure 7: Antivirus Type

The ProductState value is the numerical identifier given for the installed antivirus product and its update status. It corresponds to the WSC_SECURITY_PRODUCT_STATE enum, which is accessible via the IWscProduct interface.
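The three events described so far (ShieldHeartbeat, InventoryMiscellaneousServiceAdd and InventoryMiscellaneousAntivirusInformationAdd) can be pulled straight out of a copy of EventTranscript.db and turned into a timeline of protection-state changes. The script below is an added example, not code from Kroll or from this post. It assumes the events_persisted table carries a FILETIME `timestamp`, a `full_event_name` and a JSON `payload` whose fields sit under a `data` key; the field names inside the constructed ShieldHeartbeat rows and the bit-level reading of ProductState (0x1000 = enabled, 0x10 = signatures out of date) are assumptions, the latter being the common community interpretation of that value rather than a documented contract.

```python
"""Timeline of Windows protection-state changes from an EventTranscript.db copy."""
import json
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

SHIELD = "Microsoft.Windows.Defender.Shield.ShieldHeartbeat"
SERVICE = "Microsoft.Windows.Inventory.General.InventoryMiscellaneousServiceAdd"
AV_INFO = "Microsoft.Windows.Inventory.General.InventoryMiscellaneousAntivirusInformationAdd"

# Assumed subset of the events_persisted layout (the post does not show the schema).
SCHEMA = """CREATE TABLE events_persisted (
    timestamp INTEGER,       -- Windows FILETIME, 100 ns ticks since 1601-01-01 UTC
    full_event_name TEXT,
    payload TEXT             -- JSON document; event fields live under "data"
)"""

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt):
    """UTC datetime -> FILETIME, using integer arithmetic to avoid float rounding."""
    d = dt - FILETIME_EPOCH
    return ((d.days * 86400 + d.seconds) * 10**6 + d.microseconds) * 10


def from_filetime(ft):
    """FILETIME -> ISO-8601 UTC string for the timeline."""
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).isoformat()


def decode_product_state(state):
    """Assumed community decoding of ProductState: bit 0x1000 = product enabled,
    bit 0x10 = signatures out of date."""
    return {"enabled": bool(state & 0x1000), "out_of_date": bool(state & 0x10)}


def load_events(db_path):
    """Return (timestamp, event_name, data) for the three events, oldest first."""
    con = sqlite3.connect(db_path)
    try:
        rows = con.execute(
            "SELECT timestamp, full_event_name, payload FROM events_persisted "
            "WHERE full_event_name IN (?, ?, ?) ORDER BY timestamp",
            (SHIELD, SERVICE, AV_INFO),
        ).fetchall()
    finally:
        con.close()
    return [(ts, name, json.loads(payload).get("data", {})) for ts, name, payload in rows]


def protection_timeline(db_path):
    """List every change of a tracked component as (time, event, component, old, new)."""
    last = {}        # (event_name, component) -> last observed value
    changes = []
    for ts, name, data in load_events(db_path):
        if name == SHIELD:
            # Heartbeat components report GREEN when protected, RED when disabled.
            observed = {k: v for k, v in data.items() if v in ("GREEN", "RED")}
        elif name == SERVICE:
            observed = {data.get("DisplayName", "?"): data.get("State")}
        else:
            st = decode_product_state(int(data.get("ProductState", 0)))
            observed = {data.get("DisplayName", "?"): "enabled" if st["enabled"] else "disabled"}
        for component, value in observed.items():
            key = (name, component)
            if key in last and last[key] != value:
                changes.append((from_filetime(ts), name.rsplit(".", 1)[-1], component, last[key], value))
            last[key] = value
    return changes


def build_sample_db():
    """Write constructed sample rows to a temporary database and return its path.
    Field names inside "data" are assumptions, not values copied from the post."""
    t0 = datetime(2021, 8, 23, 13, 0, tzinfo=timezone.utc)
    rows = [  # (minutes after t0, event name, data)
        (0, SHIELD, {"AntivirusProtection": "GREEN", "FirewallProtection": "GREEN"}),
        (1, SERVICE, {"DisplayName": "WinDefend", "State": "Running"}),
        (2, AV_INFO, {"DisplayName": "Windows Defender", "ProductState": 397568}),
        (10, SHIELD, {"AntivirusProtection": "RED", "FirewallProtection": "GREEN"}),
        (11, SERVICE, {"DisplayName": "WinDefend", "State": "Stopped"}),
        (12, AV_INFO, {"DisplayName": "Windows Defender", "ProductState": 393472}),
    ]
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    con = sqlite3.connect(path)
    con.execute(SCHEMA)
    con.executemany(
        "INSERT INTO events_persisted VALUES (?, ?, ?)",
        [(to_filetime(t0 + timedelta(minutes=m)), n, json.dumps({"data": d})) for m, n, d in rows],
    )
    con.commit()
    con.close()
    return path


if __name__ == "__main__":
    for change in protection_timeline(build_sample_db()):
        print(*change)
```

Point `protection_timeline` at a forensic copy of the database rather than the live file, which the DiagTrack service keeps open. Because only changes are emitted, a long run of identical heartbeats collapses to nothing, and the first RED heartbeat after a GREEN one marks the window in which the protection was switched off.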

Version information for the antivirus software signature database used by Windows Defender can be found in the telemetry event: Microsoft.Windows.Inventory.General.InventoryMiscellaneous.UUPInfoAdd (Figure 8).

Figure 8: Defender Signature Version Event

In Figure 8, the Version key identifies the version of the antivirus signature database as 1.341.842.0. The same value can be confirmed on a live system with the PowerShell cmdlet Get-MpComputerStatus (Figure 9).

Figure 9: Defender Signature Version PowerShell

Finally, the status of Windows Defender updates can be seen through the SoftwareUpdateClientTelemetry.CheckForUpdates event. As shown in Figure 10, Windows Defender failed to update itself and reported a StatusCode of 0x8024402c, a value returned for network connection failures. (Note: The network connection was disabled for this test.)

Figure 10: Defender Update Failure
