Get Windows Defender Alerts

Description

Retrieves and displays Windows Defender malware detection events (Event ID 1116) from a local or remote system.

Overview

This PowerShell script retrieves Windows Defender malware detection events (Event ID 1116, "Malware or potentially unwanted software detected") from the target system's Microsoft-Windows-Windows Defender/Operational log; these events are not written to the Security log. It supports two authentication modes: running under the identity of the current session (impersonation) or supplying an explicit username and password. The script accepts a maximum number of events to return and extracts the key fields of each event, such as ThreatName, SeverityName and ExecutionName. Note that Event ID 1116 records only the detection; the action Defender then took (quarantine, removal, or a failure to do so) is logged separately under Event ID 1117, so entries here are detections, not confirmed remediations. Querying a remote system reads the log over RPC, so the Remote Event Log Management firewall rules must be allowed on the target and the account used must be a member of Administrators or Event Log Readers there. Because Password is passed as a plain string, it will appear in any command-line or script block logging on the querying host; prefer the impersonation mode where the current session already has the required rights.
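The following is an added example of the same technique and is not the script documented on this page. It uses Get-WinEvent to pull Event ID 1116 from the Defender Operational log, locally or from a remote host, with either the caller's identity or an explicit credential, and projects the same fields shown in the example output. The parameter names follow the table below; the EventData field names are the Name attributes of the event XML as rendered by ToXml() on current Defender builds and are an assumption that should be checked against your own output.

```powershell
# Added example, not the script documented on this page. Reproduces the technique
# with Get-WinEvent: Event ID 1116 from the Defender Operational log, local or
# remote, using either the caller's identity or an explicit credential.
# Parameter names follow the page's table (assumption about the real script);
# the EventData field names are taken from the event's rendered XML (assumption).
param(
    [string]$Target,
    [string]$Username,
    [string]$Password,
    [int]$Max = 50
)

$splat = @{
    FilterHashtable = @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1116
    }
    MaxEvents   = $Max
    ErrorAction = 'Stop'
}

# Without -ComputerName the local log is read; without -Credential the calling
# session's identity is used, which is the "impersonation" mode described above.
if ($Target)   { $splat.ComputerName = $Target }
if ($Username) {
    $secure = ConvertTo-SecureString -String $Password -AsPlainText -Force
    $splat.Credential = [pscredential]::new($Username, $secure)
}

try {
    $events = Get-WinEvent @splat
} catch {
    # Get-WinEvent throws rather than returning nothing when no event matches.
    if ($_.Exception.Message -like 'No events were found*') { $events = @() }
    else { throw }
}

# Read the EventData elements by name rather than by position so the mapping
# does not silently shift if Microsoft adds fields to the event template.
foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        CreationDate                = $e.TimeCreated
        ThreatName                  = $data['Threat Name']
        SeverityName                = $data['Severity Name']
        SourceName                  = $data['Source Name']
        ProcessName                 = $data['Process Name']
        DetectionUser               = $data['Detection User']
        ExecutionName               = $data['Execution Name']
        SecurityIntelligenceVersion = $data['Security intelligence Version']
        EngineVersion               = $data['Engine Version']
    }
}
```

The script emits objects rather than formatted text, so pipe it to Format-Table -AutoSize to get the layout shown in the example output, or filter first, for example Where-Object ExecutionName -ne 'Suspended' to surface detections where the process was not stopped.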

Parameters

Name      Type    Description
Target    string  The IP address or hostname of the system to query.
Username  string  The local or domain username to authenticate with.
Password  string  The password for the specified user.
Max       int     The maximum number of events to retrieve.
Sort      string  The order in which to sort the returned events.

Example Output

CreationDate          ThreatName                         SeverityName SourceName           ProcessName                                               DetectionUser       ExecutionName SecurityIntelligenceVersion                        EngineVersion
------------          ----------                         ------------ ----------           -----------                                               -------------       ------------- ---------------------------                        -------------
4/15/2025 11:14:52 PM VirTool:MSIL/Ambypz.B!MTB          Severe       AMSI                 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe NT AUTHORITY\SYSTEM Suspended     AV: 1.427.266.0, AS: 1.427.266.0, NIS: 1.427.266.0 AM: 1.1.25030.1, NIS: 1.1.25030.1
4/16/2025 4:45:26 AM  VirTool:MSIL/Ambypz.B!MTB          Severe       Real-Time Protection System                                                    NT Authority\System Suspended     AV: 1.427.266.0, AS: 1.427.266.0, NIS: 1.427.266.0 AM: 1.1.25030.1, NIS: 1.1.25030.1
4/16/2025 4:56:17 AM  VirTool:MSIL/Ambypz.B!MTB          Severe       AMSI                 \\192.168.1.103\C$\Windows\Temp\tzx.exe                   NT AUTHORITY\SYSTEM Suspended     AV: 1.427.266.0, AS: 1.427.266.0, NIS: 1.427.266.0 AM: 1.1.25030.1, NIS: 1.1.25030.1
4/17/2025 12:55:02 AM VirTool:MSIL/Ambypz.B!MTB          Severe       Real-Time Protection System                                                    NT Authority\System Suspended     AV: 1.427.266.0, AS: 1.427.266.0, NIS: 1.427.266.0 AM: 1.1.25030.1, NIS: 1.1.25030.1
4/17/2025 1:02:42 AM  Trojan:Win32/Wacatac.C!ml          Severe       Real-Time Protection System                                                    NT Authority\System Suspended     AV: 1.427.266.0, AS: 1.427.266.0, NIS: 1.427.266.0 AM: 1.1.25030.1, NIS: 1.1.25030.1
4/17/2025 9:13:16 AM  VirTool:MSIL/Ambypz.B!MTB          Severe       System               Unknown                                                   NT AUTHORITY\SYSTEM Unknown       AV: 1.427.297.0, AS: 1.427.297.0, NIS: 1.427.297.0 AM: 1.1.25030.1, NIS: 1.1.25030.1
5/5/2025 4:39:18 AM   TrojanDownloader:PowerShell/WmiD.C Severe       System               Unknown                                                   NT AUTHORITY\SYSTEM Unknown       AV: 1.427.627.0, AS: 1.427.627.0, NIS: 1.427.627.0 AM: 1.1.25030.1, NIS: 1.1.25030.1