{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/windows-malware-protection-engine/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Malware Protection Engine","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","endpoint","mpcmdrun","malware"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThe threat involves the use of MpCmdRun.exe, the command-line interface for Windows Defender, with the \u003ccode\u003e-RemoveDefinitions\u003c/code\u003e argument. This command is designed to remove existing malware definitions from the Windows Malware Protection Engine. While legitimate use cases exist, its execution can also be indicative of malicious activity aimed at disabling or weakening endpoint security controls. An attacker or malware may use this command to bypass detection after gaining initial access. 
This technique is particularly concerning because it can leave systems vulnerable to known threats by deleting the corresponding definitions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access to the system, possibly through phishing, exploitation of a vulnerability, or compromised credentials.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker escalates privileges to execute commands with administrative rights, necessary to manipulate Windows Defender.\u003c/li\u003e\n\u003cli\u003eDefense Evasion: The attacker executes \u003ccode\u003eMpCmdRun.exe\u003c/code\u003e with the \u003ccode\u003e-RemoveDefinitions\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eDefinition Removal: Windows Defender removes the existing malware definitions, weakening the system\u0026rsquo;s ability to detect and prevent known threats.\u003c/li\u003e\n\u003cli\u003eMalware Deployment: The attacker deploys malware or performs malicious activities, now with a reduced chance of being detected by Windows Defender.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker uses the compromised system to move laterally within the network, infecting other machines.\u003c/li\u003e\n\u003cli\u003eData Exfiltration/Ransomware Deployment: The attacker exfiltrates sensitive data or deploys ransomware, leveraging the weakened security posture of the compromised systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of this attack can severely compromise endpoint security. By removing malware definitions, the attacker effectively blinds Windows Defender to known threats. This can lead to successful malware infections, data breaches, ransomware deployment, and overall system instability. 
If widely deployed across an organization, the impact could affect hundreds or thousands of endpoints, causing significant financial and operational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eMpCmdRun RemoveDefinitions Execution\u003c/code\u003e to your SIEM and tune it for your environment to detect the execution of \u003ccode\u003eMpCmdRun.exe\u003c/code\u003e with the \u003ccode\u003e-RemoveDefinitions\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eInvestigate any instance of \u003ccode\u003eMpCmdRun.exe\u003c/code\u003e executing with the \u003ccode\u003e-RemoveDefinitions\u003c/code\u003e argument to determine whether the behavior is legitimate or malicious, using the \u003ccode\u003ereferences\u003c/code\u003e link to the Ukraine CERT advisory as guidance.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls to limit who can execute \u003ccode\u003eMpCmdRun.exe\u003c/code\u003e and other security-related tools.\u003c/li\u003e\n\u003cli\u003eMonitor process execution logs (Sysmon EventID 1, Windows Security Event Log 4688, CrowdStrike ProcessRollup2) for unusual activity related to Windows Defender and other security software.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-mpcmdrun-removedefinitions/","summary":"The execution of MpCmdRun.exe with the '-RemoveDefinitions' argument, used to remove definitions from the Windows Malware Protection Engine, can indicate potential malware activity or attempts to bypass security measures.","title":"MpCmdRun Execution with RemoveDefinitions Argument","url":"https://feed.craftedsignal.io/briefs/2024-01-mpcmdrun-removedefinitions/"}],"language":"en","title":"CraftedSignal Threat Feed — Windows Malware Protection Engine","version":"https://jsonfeed.org/version/1.1"}