EventTranscript and Security Events

Security events and system health information related to the status of firewall and antivirus services are recorded in EventTranscript.db. Since threat actors typically modify these system settings, this data can be critical for establishing a coherent timeline and sequence of events that occurred during an incident. Furthermore, in the face of Event Log clearing, EventTranscript.db provides actionable items to assist in the investigation. To begin, disable various Windows security settings through the Windows Security GUI or command line (Figure 1).

EventTranscript.db and Security Events

Figure 1: Disabled Windows Defender and Firewall

The changes to the services can be seen with the telemetry event: Microsoft.Windows.Defender.Shield.ShieldHeartbeat. Figure 2 shows the statuses of the different components when in a default configuration.

Figure 2: Security-Enabled Event Contents

With the settings disabled, Figure 3 shows how the values change. (Note: Firewall is not disabled in this screenshot.)

Figure 3: Security-Disabled Event Contents

As shown in Figure 3, when protections are disabled, the corresponding value changes in the event from GREEN to RED.

When Windows Defender is enabled, the telemetry event Microsoft.Windows.Security.WSC.EnableDefender is fired (Figure 4). The enable key in this event signals that Windows Defender has been enabled.

Figure 4: Defender-Enabled Event

Periodic service status events are also recorded under the event name Microsoft.Windows.Inventory.General.InventoryMiscellaneousServiceAdd (Figure 5). This event shows the execution status of the different services.

Figure 5: Service State Running

Disabling a service changes the State value recorded in this event (Figure 6).

Figure 6: Service State Stopped

The type of installed antivirus software can be determined with the DisplayName and ProductState values found in the telemetry event: Microsoft.Windows.Inventory.General.InventoryMiscellaneousAntivirusInformationAdd (Figure 7).

Figure 7: Antivirus Type

The ProductState value is the numerical identifier for the installed antivirus product and its update status. It corresponds to the WSC_SECURITY_PRODUCT_STATE enum accessible via the IWscProduct interface.

Version information for the antivirus software signature database used by Windows Defender can be found in the telemetry event: Microsoft.Windows.Inventory.General.InventoryMiscellaneous.UUPInfoAdd (Figure 8).

Figure 8: Defender Signature Version Event

In Figure 8, the Version key identifies the version of the antivirus software database as 1.341.842.0. This can be found with the PowerShell cmdlet: Get-MpComputerStatus (Figure 9).

Figure 9: Defender Signature Version PowerShell

Finally, the status of Windows Defender updates can be seen through the SoftwareUpdateClientTelemetry.CheckForUpdates event. As shown in Figure 10, Windows Defender failed to update itself and reported a StatusCode of 0x8024402c, a value used for network connection failures. (Note: The network connection was disabled for this test.)

Figure 10: Defender Update Failure
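As an added example (not code from the article or from Kroll's tooling), the following Python script pulls every telemetry event named above out of a copy of EventTranscript.db, converts the FILETIME timestamps to UTC, and flags service state transitions such as Running to Stopped, so the events can be lined up against the rest of an incident timeline even when the Event Logs have been cleared. The events_persisted table layout, the JSON payload layout with event fields under "data", and the Name/State field names inside the ServiceAdd payload are assumptions, and the sample rows are constructed.

```python
import json
import sqlite3
from datetime import datetime, timedelta, timezone
SECURITY_EVENTS = (  # the event names the article walks through
    "Microsoft.Windows.Defender.Shield.ShieldHeartbeat",
    "Microsoft.Windows.Security.WSC.EnableDefender",
    "Microsoft.Windows.Inventory.General.InventoryMiscellaneousServiceAdd",
    "Microsoft.Windows.Inventory.General.InventoryMiscellaneousAntivirusInformationAdd",
    "Microsoft.Windows.Inventory.General.InventoryMiscellaneous.UUPInfoAdd",
    "SoftwareUpdateClientTelemetry.CheckForUpdates",
)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def security_timeline(conn):
    """[(utc, short event name, data dict)] in time order.  Assumed schema:
    events_persisted(timestamp, full_event_name, payload JSON, fields under "data")."""
    marks = ",".join("?" * len(SECURITY_EVENTS))
    sql = ("SELECT timestamp, full_event_name, payload FROM events_persisted "
           f"WHERE full_event_name IN ({marks}) ORDER BY timestamp")
    return [(filetime_to_utc(ts), name.rsplit(".", 1)[-1],
             json.loads(payload).get("data", {}))
            for ts, name, payload in conn.execute(sql, SECURITY_EVENTS)]

def service_state_changes(timeline):
    """Consecutive ServiceAdd samples of one service whose State differs."""
    last, changes = {}, []
    for when, name, data in timeline:
        if name == "InventoryMiscellaneousServiceAdd":
            svc, state = data.get("Name"), data.get("State")  # field names assumed
            if svc in last and last[svc] != state:
                changes.append((when, svc, last[svc], state))
            last[svc] = state
    return changes

def sample_db():
    """Constructed in-memory stand-in for EventTranscript.db (test data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events_persisted (timestamp INTEGER, full_event_name TEXT, payload TEXT)")
    base = 132741504000000000  # FILETIME for 2021-08-23 00:00:00 UTC
    rows = [(base, SECURITY_EVENTS[2], {"Name": "WinDefend", "State": "Running"}),
            (base + 600 * 10**7, SECURITY_EVENTS[2], {"Name": "WinDefend", "State": "Stopped"}),
            (base + 900 * 10**7, SECURITY_EVENTS[5], {"StatusCode": "0x8024402c"}),
            (base + 950 * 10**7, "Some.Unrelated.Event", {})]
    conn.executemany("INSERT INTO events_persisted VALUES (?, ?, ?)",
                     [(t, n, json.dumps({"name": n, "data": d})) for t, n, d in rows])
    return conn
```

Against a real image, replace sample_db() with sqlite3.connect() on a forensic copy of EventTranscript.db and compare the ShieldHeartbeat and ServiceAdd transitions with the first signs of attacker activity.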

EventTranscript.db and Security Events, published 2021-08-23 (/en/insights/publications/cyber/forensically-unpacking-eventtranscript/eventtranscript-and-security-events)