Replace mimikatz binary in quarantine data with DUMMY_PAYLOAD (#524)

So windows defender doesn't remove it (DIS-2787)
fox-it · Feb 6, 2024 · 555ad39 · 555ad39
1 parent aff60f4
commit 555ad39
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 12 deletions.
diff --git a/...s/os/windows/defender/quarantine/ResourceData/A6/A6C8322B8A19AEED96EFBD045206966DA4C9619D b/...s/os/windows/defender/quarantine/ResourceData/A6/A6C8322B8A19AEED96EFBD045206966DA4C9619D
diff --git a/tests/plugins/os/windows/test_defender.py b/tests/plugins/os/windows/test_defender.py
@@ -1,10 +1,8 @@
 import os
-import platform
 from datetime import datetime
 from io import BytesIO
 from pathlib import Path
 
-import pytest
 from dissect.ntfs.secure import ACL, SecurityDescriptor
 
 from dissect.target.filesystem import VirtualFilesystem
@@ -60,11 +58,6 @@ def test_defender_quarantine_entries(target_win: Target, fs_win: VirtualFilesyst
     assert mimikatz_record.last_accessed_time.date() == detection_date
 
 
-@pytest.mark.skipif(
-    platform.system() == "Windows",
-    reason="Windows Defender cleans up the restored quarentine files when you try to open it.",
-)
-# TODO: Create a more sane quarentine file for this.
 def test_defender_quarantine_recovery(target_win: Target, fs_win: VirtualFilesystem, tmp_path: Path) -> None:
     # Map the quarantine folder from our test data
     quarantine_dir = absolute_path("_data/plugins/os/windows/defender/quarantine")
@@ -94,11 +87,8 @@ def test_defender_quarantine_recovery(target_win: Target, fs_win: VirtualFilesys
     directory_content = os.listdir(recovery_dst)
     directory_content.sort()
     assert expected_files == directory_content
-
-    # Verify that the payloads are both properly restored by checking for the MZ header
-    with open(recovery_dst.joinpath(payload_filename), "rb") as payload_file:
-        header = payload_file.read(2)
-        assert header == b"MZ"
+    # Replaced the mimikatz payload with `DUMMY_PAYLOAD` to avoid defender collecting it
+    assert recovery_dst.joinpath(payload_filename).read_bytes() == b"DUMMY_PAYLOAD"
 
     # Verify that the security descriptors are valid security descriptors
     with open(recovery_dst.joinpath(security_descriptor_filename), "rb") as descriptor_file: