
Windows Defender Vulnerability Enables Service Hijacking and Disabling Through Symbolic Link Exploit

A severe vulnerability in Windows Defender’s update process permits attackers with administrator privileges to disable the security service and manipulate its core files. This technique exploits a flaw in how Defender selects its execution folder and can be executed using tools already available on the Windows operating system. The vulnerability was detailed by Zero Salarium, who examined the ongoing struggle between attackers and endpoint protection systems. While red teams typically focus on evading detection, this method enables the outright neutralisation of the defence software itself.

The core of the exploit lies in the way the WinDefend service manages version updates. Windows Defender stores its executable files in a version-numbered folder located within `C:\ProgramData\Microsoft\Windows Defender\Platform`. When the service starts or updates, it scans this Platform directory and selects the folder with the highest version number as its new operational path. Although Microsoft protects these folders from modification, the researcher discovered that a user with administrator rights can still create new folders within the Platform directory. This oversight allows an attacker to manipulate the update process by creating a symbolic link (symlink) with a version number higher than the current one, redirecting the Defender service to an attacker-controlled folder. Once control is established, the attacker gains complete read/write access to the files Defender is running from, enabling various malicious outcomes, including the potential for DLL side-loading attacks or disabling the service entirely.
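As an added defender-side check (example code written for this article, not from Zero Salarium's research or Microsoft), the following PowerShell audits the Platform directory described above: it flags any version folder that is a reparse point (symlink or junction) and compares the highest-numbered folder, which the service would select next, with the path the WinDefend service is currently configured to run from. It assumes folder names of the form `4.18.24090.11-0` and that the service image path points at `MsMpEng.exe` inside the active folder; run it from an elevated session.

```powershell
# Added audit script (assumption: Platform folders are named like "4.18.24090.11-0"
# and the WinDefend service's image path points at MsMpEng.exe in the active folder).
$Platform = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'

function Get-VersionFromName {
    param([string]$Name)
    # Folder names carry a "-N" suffix after the version; strip it before casting.
    try { [version]($Name -split '-')[0] } catch { $null }
}

$findings = @()
$entries  = Get-ChildItem -LiteralPath $Platform -Directory -Force -ErrorAction Stop

foreach ($entry in $entries) {
    $isReparse = ($entry.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0
    if ($isReparse) {
        # A symlink or junction among the version folders is never expected here.
        $findings += [pscustomobject]@{
            Folder = $entry.Name
            Issue  = 'Reparse point (symlink/junction) in Platform directory'
            Target = ($entry.Target -join ';')
        }
    }
}

# Which folder would the service pick on its next start? The highest version number.
$highest = $entries |
    ForEach-Object { [pscustomobject]@{ Entry = $_; Version = Get-VersionFromName $_.Name } } |
    Where-Object { $_.Version } |
    Sort-Object Version -Descending |
    Select-Object -First 1

# Which folder is the service actually configured to run from right now?
$svc     = Get-CimInstance Win32_Service -Filter "Name='WinDefend'"
$running = if ($svc) { Split-Path ($svc.PathName.Trim('"')) -Parent } else { $null }

# A mismatch is normal for a short window after a platform update; otherwise investigate.
if ($highest -and $running -and ($highest.Entry.FullName -ne $running)) {
    $findings += [pscustomobject]@{
        Folder = $highest.Entry.Name
        Issue  = 'Highest-version folder differs from the running service path'
        Target = $running
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No anomalies found in the Platform directory.' }
```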

Categories: Cybersecurity, Vulnerability Exploitation, Malware Techniques

Tags: Windows Defender, Vulnerability, Update Process, Administrator Privileges, Symlink, Exploit, Execution Folder, DLL Side-Loading, Security Service, Threat Protection
