
I am trying to log Windows Defender events from Event Viewer using C# (.NET Framework). When I try to capture the EventData attribute values by reading the XML, I get strange string values for some attributes such as Origin Name, Execution Name, Type Name and Action Name.

enter image description here

The actual values of these attributes are displayed properly in the General view, as follows.

enter image description here

Here is the code snippet I am using to read the XML data:

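        /// <summary>
        /// Reads the first Windows Defender record that matches the hard-coded query from
        /// the saved <c>.evtx</c> file, copies selected EventData fields into a dictionary
        /// (defaulting to "NA" when a field is absent or blank) and prints every key/value
        /// pair to the console.
        /// </summary>
        /// <remarks>
        /// Fields such as Origin Name, Type Name and Action Name arrive in the raw XML as
        /// "%%NNN" placeholders. Those are references into the provider's message table,
        /// which Event Viewer resolves from the provider's message DLL; the XML itself never
        /// contains the rendered text. <see cref="EventRecord.FormatDescription"/> returns
        /// the rendered message when that text is all that is needed.
        /// </remarks>
        private static void GetRecordsInfo()
        {
            //string channel = "Microsoft-Windows-Windows Defender/Operational";
            string _channel = @"C:\Users\patilp\Desktop\DefenderLogs.evtx";
            // XPath filter: a fixed time window, levels 1-4 and the Defender event IDs of interest.
            string query = "Event/System[ TimeCreated[@SystemTime > '2020-07-15T19:08:30.895832100Z' and @SystemTime < '2020-07-15T20:21:30.895832100Z']" +
                " and ((Level=1 or Level=2 or Level=3 or Level=4) and (EventID = 1006 or EventID = 1007 or EventID = 1008 or EventID = 1009 or " +
                "EventID = 1010 or EventID = 1011 or EventID = 1012 or EventID = 1015 or EventID = 1116 or EventID = 1117 or EventID = 1118 or EventID = 1119) and Provider[@Name='Microsoft-Windows-Windows Defender'])]";

            EventLogQuery eventLogQuery = new EventLogQuery(_channel, PathType.FilePath, query);

            // EventLogReader and EventRecord own native event-log handles; release them
            // deterministically instead of leaving it to finalization.
            using (EventLogReader eventLogReader = new EventLogReader(eventLogQuery))
            using (EventRecord record = eventLogReader.ReadEvent())
            {
                if (record == null)
                {
                    Console.WriteLine("No data found");
                    return;
                }

                var _currentEvent = new Dictionary<string, object>();

                _currentEvent["ProviderName"] = record.ProviderName;
                _currentEvent["ProviderEventGuid"] = record.ProviderId;
                _currentEvent["Channel"] = String.IsNullOrEmpty(_channel) ? String.Empty : _channel;

                _currentEvent["EventID"] = Convert.ToString(record.Id);
                _currentEvent["Level"] = Convert.ToString(record.Level);

                string rawXml = record.ToXml();
                XmlDocument xmlDoc = new XmlDocument();
                // The XML is produced by the event log service, but a null resolver still
                // rules out any external DTD/entity fetch while parsing (CA3075).
                xmlDoc.XmlResolver = null;
                xmlDoc.LoadXml(rawXml);

                Dictionary<string, string> _EventData = ParseEventData(xmlDoc);

                _currentEvent["ThreatID"] = GetOrNa(_EventData, "Threat ID");
                _currentEvent["ThreatName"] = GetOrNa(_EventData, "Threat Name");
                _currentEvent["Severity"] = GetOrNa(_EventData, "Severity ID");
                _currentEvent["Category"] = GetOrNa(_EventData, "Category Name");
                _currentEvent["Path"] = GetOrNa(_EventData, "Path");
                // The next three lookups used to test one key and read another
                // ("Origin Name"/"Detection ID", "Type ID"/"Threat ID", "Source Name"/"Detection User"),
                // which could throw KeyNotFoundException or silently copy the wrong field.
                _currentEvent["DetectionOrigin"] = GetOrNa(_EventData, "Origin Name");
                _currentEvent["DetectionType"] = GetOrNa(_EventData, "Type ID");
                _currentEvent["DetectionSource"] = GetOrNa(_EventData, "Source Name");
                _currentEvent["Status"] = GetOrNa(_EventData, "Status Description");
                _currentEvent["ProcessName"] = GetOrNa(_EventData, "Process Name");
                _currentEvent["Action"] = GetOrNa(_EventData, "Action Name");
                _currentEvent["ErrorCode"] = GetOrNa(_EventData, "Error Code");
                _currentEvent["ErrorDescription"] = GetOrNa(_EventData, "Error Description");
                _currentEvent["SignatureVersion"] = GetOrNa(_EventData, "Security intelligence Version");
                _currentEvent["EngineVersion"] = GetOrNa(_EventData, "Engine Version");

                foreach (var item in _currentEvent)
                    Console.WriteLine("{0}  :   {1}", item.Key, item.Value);
            }
        }

        /// <summary>
        /// Collects every <c>&lt;Data Name="..."&gt;</c> element of a rendered event into a
        /// name-to-text dictionary.
        /// </summary>
        /// <param name="xmlDoc">The parsed output of <see cref="EventRecord.ToXml"/>.</param>
        /// <returns>
        /// EventData field names mapped to their inner text. Unnamed <c>Data</c> elements are
        /// skipped and a repeated name keeps the last value seen.
        /// </returns>
        private static Dictionary<string, string> ParseEventData(XmlDocument xmlDoc)
        {
            Dictionary<string, string> eventData = new Dictionary<string, string>();
            foreach (XmlNode node in xmlDoc.GetElementsByTagName("Data"))
            {
                string attr = node.Attributes["Name"]?.InnerText;
                // Unnamed <Data> elements (positional payloads) cannot be keyed by name,
                // and Dictionary.Add would throw on a null key.
                if (attr == null)
                {
                    continue;
                }
                // Indexer rather than Add: a duplicated Name must not abort the whole record.
                eventData[attr] = node.InnerText;
            }
            return eventData;
        }

        /// <summary>
        /// Returns the EventData value stored under <paramref name="key"/>, or "NA" when the
        /// key is missing or its value is null/blank.
        /// </summary>
        /// <param name="eventData">Field name to text map produced by <see cref="ParseEventData"/>.</param>
        /// <param name="key">The EventData field name to look up.</param>
        private static string GetOrNa(Dictionary<string, string> eventData, string key)
        {
            string value;
            if (eventData.TryGetValue(key, out value) && !string.IsNullOrWhiteSpace(value))
            {
                return value;
            }
            return "NA";
        }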

Can anyone tell me how to obtain the proper string values for the attributes mentioned above?




I'm having the same issue.

I've found out that some codes like these can be found in the file msobj.dll: https://github.com/wazuh/wazuh/issues/3242

Using this code found online (https://gist.github.com/mattifestation/43248b6f59d1dd67d4f57318a9a7e565) I managed to extract every code in that file, but it does not seem to be the right file in this case. For example, %%812 returns 'Trusted To Authenticate For Delegation' - Disabled.

So I assume the codes for Defender events are in some other DLL... but which one?

Edit: This source: https://social.technet.microsoft.com/Forums/en-US/541bad5d-19eb-4de5-8ef7-1b144f0b6113/translate-xxxx-values-in-events?forum=w7itprosecurity

claims that msobj.dll contains the complete key-value entries Event Viewer can show you, at least in Windows XP. Something must have changed in Windows 10, because I only have msobjs.dll.

EDIT2: I have found an answer!

This solution comes from the book "PowerShell and Windows Event Logs" by Stuart Squibb.

Apparently those attributes, or placeholders, reside in the message table of the DLL C:\Program Files\Windows Defender\MpEvMsg.dll

This is how to find which DLL an event provider uses (note that different event providers use different DLLs):
# Load the Defender provider's metadata and list all of its properties; the
# file-path properties show which DLLs hold its message and parameter strings.
$Provider = New-Object -TypeName System.Diagnostics.Eventing.Reader.ProviderMetadata -ArgumentList 'Microsoft-Windows-Windows Defender'
Select-Object -InputObject $Provider -Property *

Then, using code written by the author, I extracted the codes:

https://github.com/wightsci/MessageTableReader

# Compile the helper type from source, then dump every entry of the message table
# that the Defender event provider uses for its %%NNN placeholder strings.
Add-Type -Path 'C:\MessageTableReader.cs'
$messageTable = New-Object -TypeName MessageTableReader.Reader
$messageTable.GetMessageList('C:\Program Files\Windows Defender\MpEvMsg.dll')

Enjoy ;-)
