{"id":2667,"date":"2013-10-25T00:01:00","date_gmt":"2013-10-25T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2013\/10\/25\/use-powershell-to-see-what-windows-defender-detected\/"},"modified":"2013-10-25T00:01:00","modified_gmt":"2013-10-25T00:01:00","slug":"use-powershell-to-see-what-windows-defender-detected","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/use-powershell-to-see-what-windows-defender-detected\/","title":{"rendered":"Use PowerShell to See What Windows Defender Detected"},"content":{"rendered":"<p><strong>Summary<\/strong>: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell to see what Windows Defender has detected.<\/p>\n<p>Microsoft Scripting Guy, Ed Wilson, is here. Tomorrow is <a href=\"http:\/\/powershellsaturday.com\/005\/\" target=\"_blank\">Windows PowerShell Saturday in Atlanta<\/a>. There are still a few tickets left; but in the last few days, they have disappeared with a quickness. If you have a chance at all, you should grab this opportunity to hear some world class Windows PowerShell speakers wax eloquently about their favorite Windows PowerShell topics. The Scripting Wife and I will be there (in fact, I am doing two sessions). It will absolutely rock. If you have not yet seen Windows&nbsp;8.1 on a Surface RT or Surface Pro, make sure you look up the Scripting Wife because she will have both devices with her. There is even a free Windows Azure lab that will be going on. It is a lot of action, for a sleepy autumn Saturday. Make sure you come by to say, &ldquo;Hi.&rdquo;<\/p>\n<p><strong>Note<\/strong> &nbsp;This is the fourth in a series of posts about the Windows Defender module in Windows&nbsp;8.1. 
For more information, please see:<\/p>\n<ul>\n<li><a href=\"http:\/\/blogs.technet.com\/b\/heyscriptingguy\/archive\/2013\/10\/22\/exploring-the-windows-defender-catalog.aspx\" target=\"_blank\">Exploring the Windows Defender Catalog<\/a><\/li>\n<li><a href=\"http:\/\/blogs.technet.com\/b\/heyscriptingguy\/archive\/2013\/10\/23\/use-powershell-to-explore-windows-defender-preferences.aspx\" target=\"_blank\">Use PowerShell to Explore Windows Defender Preferences<\/a><\/li>\n<li><a href=\"http:\/\/blogs.technet.com\/b\/heyscriptingguy\/archive\/2013\/10\/24\/use-powershell-to-update-windows-defender-signatures.aspx\" target=\"_blank\">Use PowerShell to Update Windows Defender Signatures<\/a><\/li>\n<\/ul>\n<p>One of the things that always used to bother me about antimalware was that I could never seem to find out what it had detected. I mean, I would expect it to be recorded in the standard Windows Security log, because detections are security events. Or maybe even in the Windows Application log because, after all, antimalware is in reality an application. But no go there.<\/p>\n<p>In the past, Windows Defender used to log to the System log&mdash;I guess because it was part of the operating system. It also wrote to a text file log that it squirrelled away deep within the file system. I am not picking on Windows Defender, just stating the way things used to be (in fact, other antimalware products were just as opaque).<\/p>\n<p>One thing that really bothered me about Windows Defender is that the user interface had no link to show the log file. Although in fairness, it does show the quarantined items, and it permits me to choose actions. 
The Windows Defender UI is shown here:<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/3465.HSG-10-25-13-01.png\"><img decoding=\"async\" title=\"Image of menu\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/3465.HSG-10-25-13-01.png\" alt=\"Image of menu\" \/><\/a><\/p>\n<p>So I found a user interface. That does not do much for me in the way of checking on the status of my network. I mean, I am not going to remote into each computer on the network, open the Windows Defender application, and go to the History tab to look at what has been detected, am I?<\/p>\n<p>So I guess I can go through the event logs and see where detected events are located. But wait! This is Windows&nbsp;8.1, and I am running Windows PowerShell 4.0, so I don&rsquo;t have to do that either. I can use Windows PowerShell to solve this issue.<\/p>\n<h2>The two detection functions<\/h2>\n<p>There are two functions in the Windows Defender module that report what Windows Defender detects. 
These two functions are shown here:<\/p>\n<p style=\"padding-left: 30px\">PS C:\\&gt; get-command -verb get -Noun *threat, *threatd*<\/p>\n<p style=\"padding-left: 30px\">&nbsp;<\/p>\n<p style=\"padding-left: 30px\">CommandType&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;ModuleName<\/p>\n<p style=\"padding-left: 30px\">-----------&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;----&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;----------<\/p>\n<p style=\"padding-left: 30px\">Function&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Get-MpThreat&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;defender<\/p>\n<p style=\"padding-left: 30px\">Function&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Get-MpThreatDetection&nbsp;&nbsp;&nbsp;defender<\/p>\n<p><strong>Note<\/strong> &nbsp;Remember that the functions in the Windows Defender module all support remoting. First you create a CIM session (a single session can hold connections to hundreds of computers), then you pass that session in the <strong>&ndash;CimSession<\/strong> parameter. 
For more information about this technique, see these <a href=\"http:\/\/social.technet.microsoft.com\/Search\/en-US?query=cim%20session&amp;beta=0&amp;rn=Hey%2c+Scripting+Guy!+Blog&amp;rq=site:blogs.technet.com\/b\/heyscriptingguy\/&amp;ac=5\" target=\"_blank\">Hey, Scripting Guy! Blog posts<\/a>.<\/p>\n<h2>Threat detection<\/h2>\n<p>To find out what Windows Defender has detected by using Windows PowerShell, use the <strong>Get-MpThreatDetection<\/strong> function. With no parameters, it lists every detection recorded on the local computer:<\/p>\n<p style=\"padding-left: 30px\">Get-MpThreatDetection<\/p>\n<p>The command and associated output are shown in the following image.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/3005.HSG-10-25-13-02.png\"><img decoding=\"async\" title=\"Image of command output\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/3005.HSG-10-25-13-02.png\" alt=\"Image of command output\" \/><\/a><\/p>\n<p>One of the interesting things to do is to look at the ThreatID and the various times recorded for the detection. 
To do this, I focus in on the <strong>ThreatID<\/strong> property and the <strong>*Time<\/strong> properties:<\/p>\n<p style=\"padding-left: 30px\">PS C:\\&gt; Get-MpThreatDetection | Format-List threatID, *time<\/p>\n<p style=\"padding-left: 30px\">&nbsp;<\/p>\n<p style=\"padding-left: 30px\">threatID&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 2147519003<\/p>\n<p style=\"padding-left: 30px\">InitialDetectionTime&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 10\/22\/2013 12:03:04 PM<\/p>\n<p style=\"padding-left: 30px\">LastThreatStatusChangeTime : 10\/22\/2013 12:03:32 PM<\/p>\n<p style=\"padding-left: 30px\">RemediationTime&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 10\/22\/2013 12:03:32 PM<\/p>\n<p style=\"padding-left: 30px\">&nbsp;<\/p>\n<p style=\"padding-left: 30px\">threatID&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 2147519003<\/p>\n<p style=\"padding-left: 30px\">InitialDetectionTime&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 10\/22\/2013 12:02:55 PM<\/p>\n<p style=\"padding-left: 30px\">LastThreatStatusChangeTime : 10\/22\/2013 12:03:08 PM<\/p>\n<p style=\"padding-left: 30px\">RemediationTime&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 10\/22\/2013 12:03:08 PM<\/p>\n<p>The gap between <strong>InitialDetectionTime<\/strong> and <strong>RemediationTime<\/strong> shows how long each threat sat on the system before Windows Defender remediated it: 28 seconds for the first detection and 13 seconds for the second. If I want to see which resources were involved in the detection, I use <strong>Select-Object<\/strong> and the <strong>ExpandProperty<\/strong> parameter to home in on the files that contained the payload. 
This is shown here:<\/p>\n<p style=\"padding-left: 30px\">Get-MpThreatDetection | Select-Object -ExpandProperty resources<\/p>\n<p>The command and the output associated with the command are shown here:<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/8551.HSG-10-25-13-03.png\"><img decoding=\"async\" title=\"Image of command output\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/8551.HSG-10-25-13-03.png\" alt=\"Image of command output\" \/><\/a><\/p>\n<p>My earlier query revealed the specific ThreatID that was detected. I can use that ID to retrieve details about the threat itself. To do this, I use the <strong>Get-MpThreat<\/strong> function as shown here:<\/p>\n<p style=\"padding-left: 30px\">Get-MpThreat -ThreatID 2147519003<\/p>\n<p>The following output shows a nicely organized pane of information:<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/8838.HSG-10-25-13-04.png\"><img decoding=\"async\" title=\"Image of command output\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/8838.HSG-10-25-13-04.png\" alt=\"Image of command output\" \/><\/a><\/p>\n<p>This time I can see the name of the threat that was detected, in addition to the resources that relate to it. The resources also show the path the threat took onto the system: in this case, it arrived from the Internet through Internet Explorer.<\/p>\n<p>That is all there is to using Windows PowerShell to review malware detected by Windows Defender. Join me tomorrow when I will talk about more cool stuff.<\/p>\n<p>I invite you to follow me on <a href=\"http:\/\/bit.ly\/scriptingguystwitter\" target=\"_blank\">Twitter<\/a> and <a href=\"http:\/\/bit.ly\/scriptingguysfacebook\" target=\"_blank\">Facebook<\/a>. 
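<\/p>\n<p>The following is an added example, not code from the original post: it combines the CIM session note and the <strong>Get-MpThreatDetection<\/strong> and <strong>Get-MpThreat<\/strong> steps above into one function that queries several computers over a single CIM session, joins each detection to its threat record, reports the dwell time between <strong>InitialDetectionTime<\/strong> and <strong>RemediationTime<\/strong>, and splits each resource string into its type and location. Every computer name in it is a placeholder, it assumes WinRM is enabled on the remote targets, and it assumes the resource strings use the <strong>type:_location<\/strong> layout seen in the screenshots above, with a webfile entry carrying its download source after a pipe character.<\/p>

```powershell
# Added example (not from the original post). Computer names are placeholders.
# Assumptions: WinRM is enabled on remote targets, and Defender resource strings
# have the form 'type:_location' (file:_..., webfile:_...), where a webfile
# location is 'localpath|sourceurl|...' so its download source is the second field.
function Get-DefenderDetectionReport {
    [CmdletBinding()]
    param(
        # Remote computers to query; omit to query the local machine without a session
        [string[]]$ComputerName,
        # Ignore detections older than this
        [datetime]$Since = (Get-Date).AddDays(-30)
    )

    $cimArgs = @{}
    $session = $null
    if ($ComputerName) {
        # One CIM session can hold connections to many computers; every Defender
        # function accepts it through -CimSession
        $session = New-CimSession -ComputerName $ComputerName -ErrorAction Stop
        $cimArgs['CimSession'] = $session
    }

    try {
        # Local CIM results carry no PSComputerName; normalize so the join key matches
        $nameOf = { param($obj) if ($obj.PSComputerName) { $obj.PSComputerName } else { $env:COMPUTERNAME } }

        # Get-MpThreat returns one record per threat Defender has seen on each machine;
        # index by computer + ThreatID so each detection is joined with one hashtable lookup
        $threatByKey = @{}
        foreach ($t in (Get-MpThreat @cimArgs)) {
            $threatByKey['{0}|{1}' -f (& $nameOf $t), $t.ThreatID] = $t
        }

        Get-MpThreatDetection @cimArgs |
            Where-Object { $_.InitialDetectionTime -ge $Since } |
            ForEach-Object {
                $d = $_
                $computer = & $nameOf $d
                $threat = $threatByKey['{0}|{1}' -f $computer, $d.ThreatID]

                # Dwell time: how long the threat sat on the box before remediation
                $dwell = if ($d.RemediationTime -and $d.InitialDetectionTime) {
                    [int]($d.RemediationTime - $d.InitialDetectionTime).TotalSeconds
                }

                # Split 'type:_location'; a webfile location is 'localpath|sourceurl|...'
                $source = $null
                $resources = foreach ($r in $d.Resources) {
                    $type, $location = $r -split ':_', 2
                    if (-not $location) { $type = 'unknown'; $location = $r }
                    $fields = $location.Split('|')
                    if ($type -eq 'webfile' -and $fields.Count -gt 1) { $source = $fields[1] }
                    '{0}: {1}' -f $type, $fields[0]
                }

                [pscustomobject]@{
                    Computer      = $computer
                    ThreatID      = $d.ThreatID
                    ThreatName    = if ($threat) { $threat.ThreatName } else { '(no Get-MpThreat record)' }
                    SeverityID    = if ($threat) { $threat.SeverityID } else { $null }
                    Detected      = $d.InitialDetectionTime
                    Remediated    = $d.RemediationTime
                    DwellSeconds  = $dwell
                    ActionSuccess = $d.ActionSuccess
                    Source        = $source
                    Resources     = $resources -join '; '
                }
            }
    }
    finally {
        if ($session) { Remove-CimSession -CimSession $session }
    }
}

# Usage: runs against the local computer. For remote hosts (placeholder names):
#   Get-DefenderDetectionReport -ComputerName 'server01', 'server02'
Get-DefenderDetectionReport |
    Sort-Object Detected -Descending |
    Format-Table Computer, ThreatName, Detected, DwellSeconds, ActionSuccess, Source -AutoSize
```

<p>Two things worth checking in the output: rows where <strong>ActionSuccess<\/strong> is false are detections Windows Defender could not remediate and deserve a closer look, and a <strong>DwellSeconds<\/strong> value well above the 13 to 28 seconds seen above means a file sat on disk for a while before it was caught. When a detection has no matching <strong>Get-MpThreat<\/strong> record the join falls back to a placeholder name rather than failing, so the detection is still reported.<\/p>\n<p>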
If you have any questions, send email to me at <a href=\"mailto:scripter@microsoft.com\" target=\"_blank\">scripter@microsoft.com<\/a>, or post your questions on the <a href=\"http:\/\/bit.ly\/scriptingforum\" target=\"_blank\">Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n<p><strong>Ed Wilson, Microsoft Scripting Guy<\/strong>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell to see what Windows Defender has detected. Microsoft Scripting Guy, Ed Wilson, is here. Tomorrow is Windows PowerShell Saturday in Atlanta. There are still a few tickets left; but in the last few days, they have disappeared with a quickness. If you have a [&hellip;]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[459,462,3,63,461,45],"class_list":["post-2667","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-defender","tag-powershell-4-0","tag-scripting-guy","tag-security","tag-windows-8-1","tag-windows-powershell"],"acf":[],"blog_post_summary":"<p>Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell to see what Windows Defender has detected. Microsoft Scripting Guy, Ed Wilson, is here. Tomorrow is Windows PowerShell Saturday in Atlanta. There are still a few tickets left; but in the last few days, they have disappeared with a quickness. 
If you have a [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/2667","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=2667"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/2667\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=2667"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=2667"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=2667"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}