
Windows Defender Vulnerability Enables Service Hijacking and Disabling Through Symbolic Link Exploit

A severe vulnerability in Windows Defender’s update process permits attackers who already hold administrator privileges to disable the security service and manipulate its core files. The technique exploits a flaw in how Defender selects its execution folder and can be carried out with tools already present on the Windows operating system. It was detailed by Zero Salarium, who examined the ongoing struggle between attackers and endpoint protection systems: while red teams typically focus on evading detection, this method neutralises the defence software itself outright.

The core of the issue lies in the way the WinDefend service manages version updates. Windows Defender stores its executable files in a version-numbered folder located within ProgramData\Microsoft\Windows Defender\Platform. When the service starts or updates, it scans this Platform directory and selects the folder with the highest version number as its new operational path.

Although Microsoft protects these folders from modification, the researcher discovered that a user with administrator rights can still create new entries within the Platform directory. This oversight allows an attacker to manipulate the update process: by creating a symbolic link (symlink) whose name carries a version number higher than the current one, an attacker can redirect the Defender service to an entirely different, attacker-controlled folder.

The attack is executed in several steps. First, the attacker copies the legitimate Windows Defender executable files to a new, unprotected location, such as C:\TMP\AV. Next, using the mklink command, they create a symbolic link inside the protected Platform folder; the symlink is named to appear as a newer version of Defender and points to the unprotected folder created earlier. Upon the next system restart, the WinDefend service identifies the symlink as the latest version and launches its processes from the attacker-controlled directory.

Once control is established, the attacker gains complete read/write access to the files Defender is running from, enabling various malicious outcomes. For instance, an attacker could plant a malicious DLL in the folder to perform a DLL side-loading attack, executing harmful code within the trusted Defender process. Alternatively, they could simply destroy the executable files, rendering the service non-functional. In a demonstration, the researcher showed that deleting the symbolic link after the hijack leaves the Defender service unable to locate its executable path on the next run. This effectively stops the service and disables all real-time virus and threat protection, leaving the machine vulnerable.
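As an added example from the defender's side (this is not code from the article or from Zero Salarium's research), the following PowerShell script audits the Platform directory described above: it lists every entry, flags any reparse point (symlink or junction) together with its target, and applies the highest-version selection rule the article describes to show which entry WinDefend would follow. It assumes the default Platform path quoted in the article and that folder names begin with a dotted version number followed by an optional suffix such as "-0"; both are assumptions, not facts taken from the page.

```powershell
# Added example, not code from the article or from Zero Salarium: audit the Defender
# Platform directory for reparse points and report which entry the highest-version
# selection rule would pick.
# Assumptions: the default Platform path quoted in the article; folder names begin with a
# dotted version (e.g. "4.18.x.y-0"), so the part before the first '-' parses as [version].
$PlatformRoot = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'

function Get-DefenderPlatformAudit {
    [CmdletBinding()]
    param([string]$Root = $PlatformRoot)

    if (-not (Test-Path -LiteralPath $Root)) {
        throw "Platform directory not found: $Root"
    }

    # -Force includes hidden/system entries; -Directory keeps folder-like entries,
    # and a directory symlink or junction still shows up here.
    $entries = Get-ChildItem -LiteralPath $Root -Force -Directory

    $rows = foreach ($e in $entries) {
        $isReparse = [bool]($e.Attributes -band [IO.FileAttributes]::ReparsePoint)
        $ver = $null
        $null = [version]::TryParse(($e.Name -split '-')[0], [ref]$ver)

        # Target is only populated for reparse points; normalise to one string because
        # Windows PowerShell 5.1 exposes it as string[] and PowerShell 7 as string.
        $target = $null
        $outside = $false
        if ($isReparse) {
            $target = @($e.Target) -join ';'
            if ($target) {
                # mklink stores the literal target, so resolve relative targets against $Root.
                if (-not [IO.Path]::IsPathRooted($target)) { $target = Join-Path $Root $target }
                $resolved = [IO.Path]::GetFullPath($target)
                # A link that resolves outside the Platform root is the redirection pattern
                # described in the article.
                $outside = -not $resolved.StartsWith($Root, [StringComparison]::OrdinalIgnoreCase)
            }
        }

        [pscustomobject]@{
            Name        = $e.Name
            Version     = $ver
            IsReparse   = $isReparse
            LinkType    = $e.LinkType
            Target      = $target
            OutsideRoot = $outside
        }
    }

    # Mimic the selection rule from the article: the highest parsable version wins.
    $winner = $rows | Where-Object { $_.Version } |
        Sort-Object Version -Descending | Select-Object -First 1

    foreach ($r in $rows) {
        if ($r.IsReparse) {
            Write-Warning ("Reparse point in Platform dir: {0} ({1}) -> {2}" -f `
                $r.Name, $r.LinkType, $r.Target)
        }
    }
    if ($winner -and $winner.IsReparse) {
        Write-Warning ("Highest-version entry {0} is a {1}; WinDefend would follow it to {2}" -f `
            $winner.Name, $winner.LinkType, $winner.Target)
    }

    [pscustomobject]@{
        Root     = $Root
        Selected = $winner
        Entries  = $rows
    }
}

# Usage (from an elevated prompt):
# $audit = Get-DefenderPlatformAudit
# $audit.Entries | Format-Table Name, Version, IsReparse, LinkType, Target, OutsideRoot
```

Run it from an elevated session, since the Platform folder is protected. Because the article notes that Defender's own updates populate this directory with real folders while administrators can still add entries, any reparse point reported here, and especially one that holds the highest version or resolves outside the Platform root, is worth an alert; the same enumeration is easy to fold into a scheduled task or an EDR query.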

Categories: Cybersecurity, Vulnerability Exploitation, Malware Techniques 

Tags: Windows Defender, Vulnerability, Update Process, Administrator Privileges, Symbolic Link, Exploit, Execution Folder, DLL Side-Loading, Security Service, Threat Protection 
