A recently developed tool named DefenderWrite has emerged, allowing attackers to exploit whitelisted Windows programs to bypass security measures and write arbitrary files into antivirus (AV) executable directories. This capability potentially facilitates malware persistence and evasion, posing significant challenges to existing AV self-protection mechanisms.
Development and Purpose
Created by cybersecurity expert Two Seven One Three, DefenderWrite introduces a novel technique for penetration testers and red teams. It enables the deployment of payloads in highly protected locations without necessitating kernel-level access. This development underscores ongoing vulnerabilities in AV self-protection strategies, where folders containing AV executables are typically safeguarded against modifications to prevent tampering.
Mechanism of Exploitation
DefenderWrite operates by systematically scanning Windows executables to identify those permitted to access AV folders. The tool enumerates all .exe files in directories such as C:\Windows, utilizing process creation and remote DLL injection to test write capabilities into protected paths. A custom DLL performs the file write operation and reports success or failure, enabling the identification of exploitable processes like msiexec.exe without triggering defenses.
In tests conducted on Windows 11 24H2 with Microsoft Defender version 4.18.25070.5-0, the method identified four such programs: msiexec.exe, Register-CimProvider.exe, svchost.exe, and lsass.exe. For example, launching msiexec.exe and injecting the DLL allows writing a file directly into Defender’s installation directory, as demonstrated in laboratory experiments.
This approach is not limited to Microsoft Defender; similar whitelisting vulnerabilities were confirmed in BitDefender, TrendMicro Antivirus Plus, and Avast. However, specific details remain undisclosed to encourage independent verification.
Tool Functionality and Parameters
DefenderWrite supports key parameters for targeted operations, including:
– TargetExePath: Specifies the host executable.
– FullDLLPath: Indicates the injectable library.
– FileToWrite: Designates the destination path within the AV folder.
An optional “c” flag simplifies copying the DLL to the specified location remotely.
Accompanying the binary is a PowerShell script, Run_Check.ps1, which automates scanning C:\Windows executables and logging whitelisted ones for further exploitation. Users can customize the script for their environment, making it suitable for red team simulations or defensive assessments.
The GitHub repository provides full source code and documentation, emphasizing ethical use in authorized testing only. Two Seven One Three, active on X as @TwoSevenOneT, shares additional penetration testing insights and encourages community experiments to strengthen AV resilience.
Implications and Recommendations
Once a malicious payload resides in an AV folder, it benefits from the same exceptions that shield legitimate files, evading scans and potentially achieving long-term persistence. This technique underscores the need for vendors to audit whitelisting policies and implement stricter process isolation during updates. While not a zero-day vulnerability, DefenderWrite reveals systemic gaps that could aid real-world attacks if unaddressed.
Organizations should monitor AV update mechanisms and consider layered defenses beyond traditional file permissions. With the tool’s open availability, broader adoption in security research circles is expected, pushing for improved protections across popular antivirus solutions.
