A significant vulnerability has emerged within the update process of Windows Defender, raising concerns about the security of systems relying on this protection. This flaw allows individuals with administrator privileges to not only disable the security service but also manipulate its essential files, posing a serious threat to endpoint security.
The technique, uncovered by Zero Salarium, highlights the ongoing struggle between cyber attackers and endpoint protection systems. While traditional red team tactics often focus on evading detection, this new method enables attackers to effectively neutralize the defense software itself.
Exploiting the Update Mechanism
The vulnerability centers around the manner in which the WinDefend service processes version updates. Windows Defender organizes its executable files within a version-numbered folder located under %ProgramData%\Microsoft\Windows Defender\Platform. When the service starts or updates, it scans this Platform directory and selects the folder with the highest version number as its operational path.
Although Microsoft has implemented protections to prevent modifications to these folders, the research revealed that users with administrator rights can still create new folders within the Platform directory. This oversight opens the door for attackers to exploit the update process.
By creating a symbolic link (symlink) that boasts a version number higher than the current one, an attacker can redirect the Defender service to a different folder entirely, one that is under their control. The execution of this attack unfolds in a few methodical steps:
- Initially, the attacker copies the legitimate Windows Defender executable files to a new, unsecured location, such as C:\TMP\AV.
- Next, they use the mklink command to create a symbolic link within the protected Platform folder. This symlink is named to resemble a newer version of Defender while pointing to the unsecured folder created earlier.
- Upon the next system restart, the WinDefend service recognizes the symlink as the latest version and starts its processes from the attacker-controlled directory.
Once the attacker gains control, they possess complete read/write access to the files that Defender is operating from, leading to various malicious possibilities. For example, an attacker could introduce a malicious DLL into the folder, executing harmful code within the trusted Defender process through a DLL side-loading attack. Alternatively, they might simply delete the executable files, rendering the service inoperative.
In a practical demonstration, the researcher showed that merely removing the symbolic link after the hijack causes the Defender service to fail to locate its executable path on the next run. This effectively halts the service and disables all real-time virus and threat protection, leaving the system exposed to potential threats.
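Because the service starts from whichever Platform entry sorts as the highest version, a defender can audit that directory for reparse points (symbolic links or junctions) that would win that selection. The following PowerShell check is an added example, not code from the article or from Zero Salarium; it assumes PowerShell 5.1 or later and that version folders are named like "4.18.24090.11-0" (a dotted version followed by a "-N" suffix).

```powershell
# Added defensive audit: list the Defender Platform directory, parse each entry's
# version, and flag any entry that is a reparse point (symlink/junction). The
# highest-version entry is the one WinDefend would start from on its next run.
# Assumption: folder names look like "4.18.24090.11-0" (version plus "-N" suffix).
$platform = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'

function Get-VersionFromName([string]$Name) {
    # Strip the "-N" suffix and parse the dotted version; $null if not a version
    $core = ($Name -split '-')[0]
    $v = $null
    if ([version]::TryParse($core, [ref]$v)) { return $v }
    return $null
}

$entries = Get-ChildItem -LiteralPath $platform -Force -ErrorAction Stop |
    ForEach-Object {
        # ReparsePoint attribute is set for symlinks and junctions created with mklink
        $isReparse = [bool]($_.Attributes -band [IO.FileAttributes]::ReparsePoint)
        [pscustomobject]@{
            Name      = $_.Name
            Version   = Get-VersionFromName $_.Name
            IsReparse = $isReparse
            LinkType  = $_.LinkType
            Target    = if ($isReparse) { $_.Target } else { $null }
        }
    } |
    Where-Object { $_.Version -ne $null } |
    Sort-Object Version -Descending   # same ordering the service uses: highest first

$entries | Format-Table -AutoSize

$top = $entries | Select-Object -First 1
if ($top.IsReparse) {
    Write-Warning ("Highest-version Platform entry '{0}' is a {1} pointing to '{2}'. " +
                   "WinDefend would start from that path on its next run; investigate.") -f
                   $top.Name, $top.LinkType, ($top.Target -join ', ')
} elseif ($entries | Where-Object IsReparse) {
    Write-Warning "Reparse point(s) exist under $platform but do not currently win version selection; review them."
} else {
    Write-Output "No reparse points found under $platform."
}
```

Run it elevated on a schedule or as part of an endpoint baseline check; a link that wins version selection is exactly the condition the article describes, and any reparse point under Platform is abnormal since Microsoft's updater creates plain folders there.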