Reverse, Reveal, Recover: Windows Defender Quarantine Forensics
Fox IT
DECEMBER 13, 2023
The quarantine folder is of great forensic value, especially in scenarios where the threat actor has deleted the Windows Event logs but left the quarantine folder intact. The QuarantineEntry is RC4-encrypted and saved to disk in the /ProgramData/Microsoft/Windows Defender/Quarantine/Entries folder.