Defender MPLog (Malware Protection Log)

Tags: Windows, Execution Evidence, Disk Image

Location

C:\ProgramData\Microsoft\Windows Defender\Support\MPLog-*.log

Description

Microsoft Defender Malware Protection logs record detailed operational telemetry including real-time scan results, threat detection events, exclusion changes, tamper protection status, and resource scan timing for every file scanned by the engine.

Forensic Value

MPLog files contain timestamped records of every file scanned by Defender, including the file hash, path, and scan result, providing a near-complete execution timeline even when process logs are unavailable. The logs record when Defender exclusions are added or modified, which is a critical indicator of defense evasion since attackers often add exclusions for their malware directories. Tamper protection events in MPLog reveal attempts to disable or modify Defender configuration. The OriginalFileName field in detection entries can expose renamed executables, helping identify masquerading techniques.

Tools Required

KAPE, mplog-parser, PowerShell, Timeline Explorer

Collection Commands

KAPE

kape.exe --tsource C: --tdest C:\output --target DefenderMPLog

mplog-parser

python3 mplog-parser.py -i "C:\ProgramData\Microsoft\Windows Defender\Support\MPLog-*.log" -o C:\output\mplog_parsed.csv

PowerShell

Copy-Item "C:\ProgramData\Microsoft\Windows Defender\Support\MPLog-*.log" -Destination C:\output\MPLog\

MITRE ATT&CK Techniques

T1562.001, T1036.003, T1562.006