MpCmdRun.exe Used to Remove Defender Definitions
The execution of MpCmdRun.exe with the `-RemoveDefinitions` argument is used to remove definitions from the Windows Malware Protection Engine, potentially indicating malware activity or attempts to bypass security measures.
Attackers may attempt to remove Windows Defender definitions to disable or impair the security product's capabilities and evade detection. This involves using the MpCmdRun.exe command-line tool, a legitimate Windows Defender utility, with the -RemoveDefinitions parameter. While administrators may use this functionality for legitimate purposes like testing, its presence can be an indicator of malicious activity, particularly when observed in conjunction with other suspicious behaviors. The detection focuses on identifying instances where MpCmdRun.exe is executed with the specific flag intended to remove definitions, potentially leaving the system vulnerable to malware infections. Identifying and responding to this activity is crucial to maintaining the integrity of endpoint security.
Attack Chain
- Attacker gains initial access to the system (potentially through phishing or exploitation of a vulnerability).
- Attacker executes a malicious script or binary.
- The script or binary executes
MpCmdRun.exewith the-RemoveDefinitionsswitch to remove existing malware definitions. MpCmdRun.exeprocesses the command and removes the current set of definitions used by Windows Defender.- The system is now more vulnerable to malware as the definitions have been removed.
- The attacker proceeds with further malicious activities, such as lateral movement or data exfiltration, taking advantage of the weakened security posture.
- The attacker installs persistence mechanisms to maintain access.
Impact
A successful attack that removes Windows Defender definitions can significantly impair an organization's defenses. Systems become vulnerable to malware infections that would otherwise be blocked. This can lead to data breaches, system compromise, and disruption of business operations. The impact ranges from individual workstation infections to widespread network compromise, depending on the attacker's objectives.
Recommendation
- Deploy the Sigma rule
Detect MpCmdRun RemoveDefinitions Executionto your SIEM to detect the execution ofMpCmdRun.exewith the-RemoveDefinitionsargument. - Enable Sysmon process creation logging to collect the necessary event data for the Sigma rule to function.
- Investigate any instances of
MpCmdRun.exebeing executed with-RemoveDefinitionsto determine if it is a legitimate administrative action or malicious activity. - Tune the Sigma rule
Detect MpCmdRun RemoveDefinitions Executionfor your environment to reduce false positives, considering legitimate administrative use cases.
Detection coverage 2
Detect MpCmdRun RemoveDefinitions Execution
highDetects the execution of MpCmdRun.exe with the -RemoveDefinitions argument, used to remove Windows Defender definitions.
Detect MpCmdRun Execution from Unusual Location
mediumDetects MpCmdRun execution from a non-standard path, indicating potential masquerading.
Detection queries are available on the platform. Get full rules →