Threat Feed
Severity: high

Multiple Vulnerabilities in Microsoft Defender and Malware Protection Engine

Multiple vulnerabilities in Microsoft Defender and Microsoft Malware Protection Engine could allow an attacker to elevate privileges, execute arbitrary code, and cause a denial of service condition.

Microsoft Defender and the Microsoft Malware Protection Engine are affected by multiple vulnerabilities that could allow an attacker to elevate privileges on a target system, achieve arbitrary code execution, and cause a denial-of-service (DoS) condition. Because the flaws sit in the core components of Microsoft's endpoint security solution, exploitation poses a significant risk to affected systems: a successful attacker would gain substantial control over the compromised host and a foothold for further malicious activity.

Attack Chain

  1. An attacker exploits a vulnerability in the Microsoft Malware Protection Engine via a specially crafted file.
  2. The vulnerable engine processes the file, triggering a memory corruption issue.
  3. This memory corruption allows the attacker to overwrite critical system data.
  4. The attacker leverages the overwritten data to elevate their privileges to SYSTEM.
  5. With elevated privileges, the attacker injects malicious code into a legitimate system process.
  6. The injected code executes arbitrary commands, providing the attacker with control over the system.
  7. Alternatively, the attacker triggers a denial-of-service condition by causing the engine to crash repeatedly.

Impact

Successful exploitation of these vulnerabilities could lead to complete system compromise: an attacker with full control of the system could steal data, install malware, or disrupt services. The source material gives no victim numbers, so a definitive impact assessment is difficult; given the widespread use of Microsoft Defender, however, a successful widespread exploit would have substantial impact across numerous sectors.

Recommendation

  • Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect exploitation attempts.
  • Monitor process creation events for unusual processes spawned by Microsoft Defender processes (e.g., MsMpEng.exe) using the provided Sigma rule.
  • Enable Sysmon process-creation logging to feed the process_creation rule above; the file_event rule additionally needs Sysmon file-creation logging.

Detection coverage (2 rules)

Detect Suspicious Process Creation by MsMpEng.exe

Severity: high

Detects unusual processes spawned by Microsoft Defender's MsMpEng.exe, potentially indicating privilege escalation or code execution.

Format: Sigma. Tactics: execution, privilege_escalation. Techniques: T1068. Log source: process_creation (windows).

Detect MsMpEng.exe Writing Executables

Severity: medium

Detects Microsoft Defender's MsMpEng.exe writing executable files, which is not typical behavior and could indicate exploitation.

Format: Sigma. Tactics: defense_evasion. Techniques: T1027. Log source: file_event (windows).
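The brief lists the two rules only by title and metadata. The following Python is an added reference implementation of their detection logic, not the platform's own Sigma rules, run over a handful of constructed Sysmon-style events so the conditions can be checked offline. It assumes Sysmon Event ID 1 (process creation) as the process_creation source and Event ID 11 (file create) as the file_event source, uses the standard Sysmon field names (Image, ParentImage, TargetFilename), and carries an assumed allow-list of child processes the engine is expected to launch, which must be tuned from your own baseline before deployment.

```python
"""Reference implementation of the two detections listed in this brief, evaluated
against constructed Sysmon-style events: Event ID 1 (process creation) feeds the
process_creation rule, Event ID 11 (file create) feeds the file_event rule.
Field names follow Sysmon/Sigma conventions. The allow-list of expected child
processes is an assumption for illustration; tune it per environment."""

from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

ENGINE_BASENAME = "msmpeng.exe"
# ASSUMPTION: binaries the engine is expected to launch in normal operation.
# Extend from baseline telemetry before deploying; anything else is flagged.
EXPECTED_CHILDREN = {"mpcmdrun.exe"}
# Suffixes treated as executable content by the file_event rule.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".scr")

DEFENDER_ENGINE = r"C:\Program Files\Windows Defender\MsMpEng.exe"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    # Engine launching its own command-line tool: on the assumed allow-list, no alert.
    {"EventID": "1", "ParentImage": DEFENDER_ENGINE,
     "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "CommandLine": "MpCmdRun.exe -SignatureUpdate"},
    # Engine spawning a shell: not an expected child, rule 1 fires.
    {"EventID": "1", "ParentImage": DEFENDER_ENGINE,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo test"},
    # Unrelated process creation: no rule applies.
    {"EventID": "1", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    # Engine writing an executable to a user-writable path: rule 2 fires.
    {"EventID": "11", "Image": DEFENDER_ENGINE,
     "TargetFilename": r"C:\Users\Public\update.EXE"},
    # Engine writing a non-executable scan artefact (constructed name): no alert.
    {"EventID": "11", "Image": DEFENDER_ENGINE,
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows Defender\Scans\history.log"},
]


def basename_lower(path: str) -> str:
    """Case-folded file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_process_creation_by_msmpeng(event: Event) -> bool:
    """Sigma equivalent: logsource process_creation/windows;
    selection: ParentImage|endswith '\\MsMpEng.exe';
    filter: Image|endswith one of the expected children;
    condition: selection and not filter."""
    if event.get("EventID") != "1":
        return False
    if basename_lower(event.get("ParentImage", "")) != ENGINE_BASENAME:
        return False
    return basename_lower(event.get("Image", "")) not in EXPECTED_CHILDREN


def msmpeng_writes_executable(event: Event) -> bool:
    """Sigma equivalent: logsource file_event/windows;
    selection: Image|endswith '\\MsMpEng.exe' and TargetFilename|endswith
    one of the executable suffixes; condition: selection."""
    if event.get("EventID") != "11":
        return False
    if basename_lower(event.get("Image", "")) != ENGINE_BASENAME:
        return False
    return basename_lower(event.get("TargetFilename", "")).endswith(EXECUTABLE_SUFFIXES)


RULES: Dict[str, Callable[[Event], bool]] = {
    "Detect Suspicious Process Creation by MsMpEng.exe": suspicious_process_creation_by_msmpeng,
    "Detect MsMpEng.exe Writing Executables": msmpeng_writes_executable,
}


def run_detections(events: List[Event]) -> List[Tuple[str, Event]]:
    """Evaluate every rule against every event; return (rule title, event) per match."""
    return [(title, ev) for ev in events for title, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for title, ev in run_detections(SAMPLE_EVENTS):
        detail = ev.get("TargetFilename") or ev.get("CommandLine")
        print(f"[{title}] image={ev['Image']} detail={detail}")
```

Against the sample set, only the shell spawned by the engine and the `.EXE` written to `C:\Users\Public` produce hits; the allow-listed MpCmdRun.exe launch and the non-executable write stay quiet. The case-folding in `basename_lower` is what keeps `update.EXE` from slipping past the suffix check, the same reason a production Sigma rule should rely on case-insensitive matching.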
