Mon, Aug 23, 2021
EventTranscript.db and Security Events

Security events and system-health information about the state of the firewall and antivirus services are recorded in EventTranscript.db. Because threat actors routinely disable these protections, this data can be critical for establishing a coherent timeline and sequence of events during an incident. When the Windows Event Logs have been cleared, EventTranscript.db can still provide actionable leads. To demonstrate, disable various Windows security settings through the Windows Security GUI or the command line (Figure 1).
Figure 1: Disabled Windows Defender and Firewall
The changes to the services can be seen in the telemetry event Microsoft.Windows.Defender.Shield.ShieldHeartbeat. Figure 2 shows the status of each component in a default configuration.
Figure 2: Security-Enabled Event Contents
With the settings disabled, Figure 3 shows how the values change. (Note: The firewall was not disabled in this screenshot.)
Figure 3: Security-Disabled Event Contents
As shown in Figure 3, when a protection is disabled, its value in the event changes from GREEN to RED. Because the heartbeat is periodic, the first RED heartbeat only bounds the change: the protection was disabled some time after the last GREEN heartbeat and before the first RED one, so both timestamps belong in the timeline.
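The GREEN-to-RED comparison above can be automated across every heartbeat in the database. The script below is an added example, not code from the article or from Kroll; it assumes a reduced copy of the events_persisted table (timestamp stored as a Windows FILETIME, full_event_name, and a JSON payload whose event fields sit under "data"), and the component names RealTimeProtection and Firewall in the constructed rows are placeholders standing in for whatever the real heartbeat carries. It reports every heartbeat-to-heartbeat flip between GREEN and RED per component, which is the bounding information the paragraph describes.

```python
"""Timeline ShieldHeartbeat status flips from an EventTranscript.db-style file.

Added example, not code from the original article. Assumptions: a reduced
copy of the events_persisted table (timestamp = Windows FILETIME, 100 ns
ticks since 1601-01-01 UTC; full_event_name; payload = JSON with the event
fields under "data"); the component names in the constructed payloads are
placeholders, not verified field names of the real heartbeat.
"""
import datetime as dt
import json
import sqlite3

HEARTBEAT = "Microsoft.Windows.Defender.Shield.ShieldHeartbeat"
EPOCH_1601 = dt.datetime(1601, 1, 1, tzinfo=dt.timezone.utc)


def filetime_to_utc(ft: int) -> dt.datetime:
    """FILETIME (100 ns ticks since 1601) -> timezone-aware UTC datetime."""
    return EPOCH_1601 + dt.timedelta(microseconds=ft // 10)


def utc_to_filetime(when: dt.datetime) -> int:
    """Inverse of filetime_to_utc; used only to build the sample rows."""
    return (when - EPOCH_1601) // dt.timedelta(microseconds=1) * 10


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample: heartbeats around a disable/re-enable sequence,
    plus one non-heartbeat event that the query must ignore."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events_persisted "
                 "(timestamp INTEGER, full_event_name TEXT, payload TEXT)")
    base = dt.datetime(2021, 8, 20, 14, 0, tzinfo=dt.timezone.utc)
    samples = [  # (minutes after base, event name, "data" fields)
        (0,  HEARTBEAT, {"RealTimeProtection": "GREEN", "Firewall": "GREEN"}),
        (15, HEARTBEAT, {"RealTimeProtection": "GREEN", "Firewall": "GREEN"}),
        (30, HEARTBEAT, {"RealTimeProtection": "RED",   "Firewall": "GREEN"}),
        (45, HEARTBEAT, {"RealTimeProtection": "RED",   "Firewall": "RED"}),
        (60, "Microsoft.Windows.Security.WSC.EnableDefender", {"enable": 1}),
        (75, HEARTBEAT, {"RealTimeProtection": "GREEN", "Firewall": "GREEN"}),
    ]
    for minutes, name, data in samples:
        when = base + dt.timedelta(minutes=minutes)
        payload = json.dumps({"ver": "4.0", "name": name, "data": data})
        conn.execute("INSERT INTO events_persisted VALUES (?, ?, ?)",
                     (utc_to_filetime(when), name, payload))
    conn.commit()
    return conn


def heartbeats(conn):
    """Yield (utc_time, data) for every ShieldHeartbeat, oldest first."""
    rows = conn.execute(
        "SELECT timestamp, payload FROM events_persisted "
        "WHERE full_event_name = ? ORDER BY timestamp", (HEARTBEAT,))
    for ts, payload in rows:
        yield filetime_to_utc(ts), json.loads(payload)["data"]


def status_changes(conn):
    """Return [(utc_time, component, old, new)] for every GREEN<->RED flip.

    The first heartbeat seeds the baseline; a flip is reported whenever a
    component's colour differs from the last value seen for it, so the
    reported time is the first heartbeat that observed the new state."""
    last, changes = {}, []
    for when, data in heartbeats(conn):
        for component, value in data.items():
            if value not in ("GREEN", "RED"):
                continue  # skip counters, versions, etc.
            prev = last.get(component)
            if prev is not None and prev != value:
                changes.append((when, component, prev, value))
            last[component] = value
    return changes


if __name__ == "__main__":
    for when, component, old, new in status_changes(build_sample_db()):
        print(f"{when.isoformat()}  {component}: {old} -> {new}")
```

To run it against a real collection, replace build_sample_db() with sqlite3.connect("EventTranscript.db") and adjust the column and key names to what your copy of the schema and heartbeat payload actually contain; the flip-detection logic is independent of those names.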
When Windows Defender is enabled, the telemetry event Microsoft.Windows.Security.WSC.EnableDefender is fired (Figure 4). Its enable key signals that Windows Defender has been turned on.
Figure 4: Defender-Enabled Event
Periodic service-status events are also recorded under the event name Microsoft.Windows.Inventory.General.InventoryMiscellaneousServiceAdd (Figure 5). This event shows the execution state of each service.
Figure 5: Service State Running
Disabling a service causes the State value in the event to change (Figure 6).
Figure 6: Service State Stopped
The type of antivirus software installed can be determined from the DisplayName and ProductState values in the telemetry event Microsoft.Windows.Inventory.General.InventoryMiscellaneousAntivirusInformationAdd (Figure 7).
Figure 7: Antivirus Type
The ProductState value is a numeric code that packs the installed product's identifier together with its enabled state and signature-update status. It is most likely the same packed value that the AntiVirusProduct class in the root\SecurityCenter2 WMI namespace reports as productState, and it is the state that Windows Security Center exposes through the IWscProduct interface, whose get_ProductState method returns the WSC_SECURITY_PRODUCT_STATE enumeration (ON, OFF, SNOOZED, EXPIRED) and whose get_SignatureStatus method reports the update status separately. Do not read the raw number as the enumeration value directly; decode its flag bits, or compare it against productState on a known-good host running the same product.
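The following decoder is an added example, not code from the article or from Kroll. It assumes the inventory event carries the same packed productState value that the root\SecurityCenter2 AntiVirusProduct class exposes: a three-byte field whose high byte identifies the product owner/type, whose middle byte carries 0x10 when the product is enabled, and whose low byte carries 0x10 when signatures are out of date. The sample inventory rows are constructed; the WSC_SECURITY_PRODUCT_STATE values are those of the IWscProduct enumeration.

```python
"""Decode the packed antivirus ProductState value into readable flags.

Added example, not code from the original article. Assumption: the value in
InventoryMiscellaneousAntivirusInformationAdd has the same layout as the
root\\SecurityCenter2 AntiVirusProduct.productState field (high byte =
product owner/type, bit 0x1000 = enabled, bit 0x0010 = signatures stale).
The sample rows below are constructed.
"""
import enum


class WscProductState(enum.IntEnum):
    """WSC_SECURITY_PRODUCT_STATE as returned by IWscProduct::get_ProductState."""
    ON = 0
    OFF = 1
    SNOOZED = 2
    EXPIRED = 3


ENABLED_FLAG = 0x1000      # middle byte 0x10: real-time engine is on
OUT_OF_DATE_FLAG = 0x0010  # low byte 0x10: signature database is stale


def decode_product_state(value: int) -> dict:
    """Split the packed ProductState into its documented components."""
    return {
        "raw": f"0x{value:06X}",
        "type_byte": (value >> 16) & 0xFF,  # product owner/type, vendor specific
        "enabled": bool(value & ENABLED_FLAG),
        "signatures_out_of_date": bool(value & OUT_OF_DATE_FLAG),
    }


def to_wsc_state(value: int) -> WscProductState:
    """Collapse the packed value onto the IWscProduct enumeration.

    Only ON/OFF can be derived from the enabled bit; SNOOZED and EXPIRED are
    not distinguishable from the two flag bits decoded here."""
    return WscProductState.ON if value & ENABLED_FLAG else WscProductState.OFF


# Constructed rows in the shape of the inventory event's DisplayName/ProductState.
SAMPLE_INVENTORY = [
    {"DisplayName": "Windows Defender", "ProductState": 397568},  # 0x061100
    {"DisplayName": "Windows Defender", "ProductState": 393472},  # 0x060100
    {"DisplayName": "ExampleAV",        "ProductState": 266256},  # 0x041010
]


def triage(rows):
    """Flag every inventory row whose product is disabled or out of date."""
    findings = []
    for row in rows:
        state = decode_product_state(row["ProductState"])
        if not state["enabled"] or state["signatures_out_of_date"]:
            findings.append((row["DisplayName"], state["raw"],
                             to_wsc_state(row["ProductState"]).name,
                             state["signatures_out_of_date"]))
    return findings


if __name__ == "__main__":
    for name, raw, wsc, stale in triage(SAMPLE_INVENTORY):
        print(f"{name}: {raw} state={wsc} signatures_out_of_date={stale}")
```

Run the same decoder over every InventoryMiscellaneousAntivirusInformationAdd row ordered by timestamp and the enabled bit gives you a second, independent view of the same disable window that the ShieldHeartbeat colours show.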
Version information for the antivirus signature database used by Windows Defender can be found in the telemetry event Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd (Figure 8).
Figure 8: Defender Signature Version Event
In Figure 8, the Version key identifies the antivirus signature database as version 1.341.842.0. The same value is reported on the live host by the AntivirusSignatureVersion property of the PowerShell cmdlet Get-MpComputerStatus (Figure 9), which makes it a quick cross-check that the telemetry is current.
Figure 9: Defender Signature Version PowerShell
Finally, the status of Windows Defender updates can be seen in the SoftwareUpdateClientTelemetry.CheckForUpdates event. As shown in Figure 10, Windows Defender failed to update and reported a StatusCode of 0x8024402c, the Windows Update error WU_E_PT_WINHTTP_NAME_NOT_RESOLVED: the update server's name could not be resolved, which is the expected result on a host with no network connectivity. (Note: The network connection was disabled for this test.) Seen during an incident without such an explanation, a run of these failures can indicate that the host was deliberately cut off from update or cloud-protection endpoints.
Figure 10: Defender Update Failure