Windows Server 2022 and MsMpEng.exe

Running Procmon in boot mode is a very powerful research tool. In this short post I want to share a Procmon boot log of MsMpEng.exe (the Windows Defender process) where we clearly see it attempting to access a lot of (assumed bad) file names and paths.

I have not seen this documented before and I am a bit surprised, because the Windows Defender signatures are easily decompilable thanks to projects like WDExtract and MpLua converter. Google searches for the file names presented in my boot log return nada.

So, here it is. A list of paths that are most likely _bad_ for business.

dns.exe and its quirks

This is not proper research yet. I just happened to stumble upon an interesting artifact, which is a file:

C:\Windows\System32\dns\RFC5011.csv

that the dns.exe service process tries to read.

This CSV file appears to be related to DNSSEC, but I don’t know enough about it, plus I have not spent enough time analyzing the actual dns.exe binary to determine the CSV file’s purpose and layout yet.

BUT

The code reading this CSV file refers to TrustAnchor and TrustPoint strings, so it’s possible the program is using the content of the file to import a set of trusted public keys utilized by DNSSEC, which of course could be abused.

After poking around a bit more, I have created a list of file system-based artifacts that the DNS-related executables and libraries (c:\Windows\System32\dns.exe, c:\Windows\System32\dnscmd.exe, c:\Windows\System32\dnsmgr.dll) touch:

  • C:\Windows\System32\dns\backup\boot
  • C:\Windows\System32\dns\backup\boot.first
  • C:\Windows\System32\dns\backup\dns.log
  • C:\Windows\System32\dns\boot
  • C:\Windows\System32\dns\boot.txt
  • C:\Windows\System32\dns\boot.write.error
  • C:\Windows\System32\dns\dns.log
  • C:\Windows\System32\dns\RFC5011.csv
  • C:\Windows\System32\dns\TrustAnchors.dns

This is really not very useful yet, but it is a good starting point to dig deeper.
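One way to turn the list above into something a defender can act on is to baseline those paths (hash, last write, and who besides the expected system accounts holds write rights) and diff later runs against it. This is an added example, not code from the original post; it assumes an elevated PowerShell session on the DNS server, and since the CSV layout is not known it records file metadata only, not content.

```powershell
# Added example (not from the original post): baseline the DNS server artifact paths
# listed in the post so later changes to e.g. RFC5011.csv or TrustAnchors.dns stand out.
$dnsDir = Join-Path $env:SystemRoot 'System32\dns'
$artifacts = 'backup\boot', 'backup\boot.first', 'backup\dns.log',
             'boot', 'boot.txt', 'boot.write.error', 'dns.log',
             'RFC5011.csv', 'TrustAnchors.dns' |
             ForEach-Object { Join-Path $dnsDir $_ }

function Get-DnsArtifactBaseline {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        $item = Get-Item -LiteralPath $p -ErrorAction SilentlyContinue
        if (-not $item) {
            [pscustomobject]@{ Path = $p; Exists = $false; Sha256 = $null; LastWriteUtc = $null; WritableBy = '' }
            continue
        }
        # Heuristic: any Allow ACE granting write rights to a principal other than the
        # usual system accounts is worth a look on these files.
        $writers = (Get-Acl -LiteralPath $p).Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.FileSystemRights -match 'Write|Modify|FullControl' -and
                $_.IdentityReference.Value -notmatch 'SYSTEM|Administrators|TrustedInstaller'
            } | ForEach-Object { $_.IdentityReference.Value }
        [pscustomobject]@{
            Path         = $p
            Exists       = $true
            # dns.log may be held open by dns.exe; hash is $null if it cannot be read
            Sha256       = (Get-FileHash -LiteralPath $p -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            LastWriteUtc = $item.LastWriteTimeUtc.ToString('o')
            WritableBy   = ($writers -join ';')
        }
    }
}

function Compare-DnsArtifactBaseline {
    # Warn on paths whose existence, hash or writable-ACL set differs from a saved baseline
    param([string]$BaselinePath, [string[]]$Paths)
    $old = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
    foreach ($n in Get-DnsArtifactBaseline -Paths $Paths) {
        $o = $old | Where-Object Path -eq $n.Path
        if (-not $o -or $o.Exists -ne $n.Exists -or $o.Sha256 -ne $n.Sha256 -or $o.WritableBy -ne $n.WritableBy) {
            Write-Warning ("Changed: {0} (hash {1} -> {2}, writable by '{3}')" -f $n.Path, $o.Sha256, $n.Sha256, $n.WritableBy)
        }
    }
}

# First run stores the baseline; later runs: Compare-DnsArtifactBaseline -BaselinePath .\dns-baseline.json -Paths $artifacts
Get-DnsArtifactBaseline -Paths $artifacts | ConvertTo-Json | Set-Content -LiteralPath .\dns-baseline.json
# Also record what the server itself reports as its DNSSEC trust anchors (DnsServer module, if present)
if (Get-Command Get-DnsServerTrustAnchor -ErrorAction SilentlyContinue) { Get-DnsServerTrustAnchor | Format-Table -AutoSize }
```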