
Defender-Pretender: When Windows Defender Updates Become a Security Risk

Black Hat · 38:54

This talk demonstrates a local privilege escalation technique by hijacking the Windows Defender update process to execute arbitrary code. The researchers reverse-engineered the update mechanism, including the VDM file format and the signature validation logic, to successfully bypass integrity checks. By manipulating the update payload, they were able to force Windows Defender to delete arbitrary files, leading to a permanent denial-of-service condition. The presentation includes the release of the 'WD-Pretender' tool to automate these attack vectors.

Hijacking Windows Defender Updates for Local Privilege Escalation

TLDR: Researchers at Black Hat 2023 demonstrated a method to bypass Windows Defender signature validation by manipulating the update process. By reverse-engineering the VDM file format and the update mechanism, they achieved local privilege escalation and forced the engine to delete arbitrary files. This research highlights the danger of trusting signed update payloads and provides a blueprint for testing similar security product update mechanisms.

Security researchers often treat endpoint protection platforms as black boxes that are inherently trustworthy. When we see a "digitally signed" file, our internal red team radar often stops pinging. However, the Defender-Pretender research presented at Black Hat 2023 proves that even the most critical security components can be manipulated if you understand their update logic. The researchers successfully turned Windows Defender against itself, achieving local privilege escalation and a permanent denial-of-service condition by exploiting the way the engine handles its own signature updates.

The Anatomy of the Update Hijack

Windows Defender periodically pulls updates from Microsoft, which arrive as a single executable file known as the "AM" (Antimalware) front end, or mpam-fe.exe. This file contains a cabinet (CAB) resource that, when extracted, yields several files including the engine DLL (mpengine.dll) and signature database files with the .vdm extension.

The researchers discovered that these VDM files are essentially portable executable files without code logic, acting as data containers for detection signatures. By reverse-engineering the update process, they found that the engine performs a series of integrity checks before applying these updates. The goal was to achieve full control over the update workflow without needing administrative privileges, a forged certificate, or a man-in-the-middle attack.

The breakthrough came from analyzing the VDM file format. These files contain a resource section whose compressed data starts with the RMDX magic bytes. The signature data itself is zlib-compressed, but the standard zlib header is absent. By adding the missing header bytes and running a one-line decompression command, the researchers could access the raw signature data.
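To make the decompression step concrete, here is an added Python example (not code from the page, the talk, or the WD-Pretender tool) that locates an RMDX container in a blob and inflates the headerless zlib stream two ways: by restoring the missing zlib header, as described above, and by treating the data as raw DEFLATE. The container layout (magic, a 4-byte length, then the stream) and the sample payload are constructed for this example; the real RMDX header carries more fields than this stand-in.

```python
import struct
import zlib

RMDX_MAGIC = b"RMDX"
# A standard zlib header (CMF=0x78, FLG=0x9C): this is what the stream lacks.
ZLIB_HEADER = b"\x78\x9c"

# Constructed stand-in for raw signature content; a real VDM holds a binary
# signature database, not text.
SAMPLE_PAYLOAD = (b"SIGNATURE_TYPE_THREAT_BEGIN demo-threat-A\n" * 20
                  + b"SIGNATURE_TYPE_THREAT_END\n")


def build_sample_vdm_resource(payload: bytes = SAMPLE_PAYLOAD) -> bytes:
    """Build a resource-like blob for the example.

    Assumed, simplified layout: filler bytes standing in for the PE data that
    precedes the resource, then "RMDX", a 4-byte little-endian decompressed
    length, then a zlib stream with its 2-byte header stripped (the Adler-32
    trailer is kept). The real RMDX header has more fields than this.
    """
    stream = zlib.compress(payload)
    container = RMDX_MAGIC + struct.pack("<I", len(payload)) + stream[2:]
    return b"MZ" + b"\x00" * 30 + container


def find_rmdx(blob: bytes) -> int:
    """Offset of the RMDX magic inside a larger blob, or -1 if absent."""
    return blob.find(RMDX_MAGIC)


def inflate_headerless(stream: bytes) -> bytes:
    """Decompress a zlib stream that is missing its 2-byte header.

    Method 1 (what the talk describes): put the header back and let zlib
    verify the Adler-32 trailer. Method 2: inflate as raw DEFLATE (wbits=-15),
    which needs neither header nor trailer and tolerates trailing bytes.
    Both must agree, otherwise the data is not what we think it is.
    """
    with_header = zlib.decompressobj().decompress(ZLIB_HEADER + stream)
    raw = zlib.decompressobj(wbits=-15).decompress(stream)
    if with_header != raw:
        raise ValueError("header-restored and raw inflate disagree")
    return raw


def extract_signatures(blob: bytes) -> bytes:
    """Locate the RMDX container in blob and return the inflated signature data."""
    off = find_rmdx(blob)
    if off < 0:
        raise ValueError("no RMDX container found")
    (expected_len,) = struct.unpack_from("<I", blob, off + 4)
    data = inflate_headerless(blob[off + 8:])
    if len(data) != expected_len:
        raise ValueError(f"expected {expected_len} bytes, got {len(data)}")
    return data


if __name__ == "__main__":
    resource = build_sample_vdm_resource()
    print("RMDX at offset", find_rmdx(resource))
    print(extract_signatures(resource)[:64])
```

The length check against the container's own header is the kind of consistency test an analyst should keep even for a format they only partially understand: if the inflated size disagrees with the declared size, the layout assumption is wrong and nothing downstream should be trusted.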

Bypassing Integrity Checks

Modifying the engine DLL directly proved impossible because the main process is a protected process (PPL) that refuses to load unsigned or improperly signed modules. However, the researchers found that they could modify the VDM files. While they initially failed to modify the signature data itself due to validation checks, they discovered that they could manipulate the file version information. By incrementing the version number of an older, valid VDM file, they tricked the update process into accepting it as a "newer" update.

This technique allowed them to execute arbitrary code or force the engine to perform unintended actions. The researchers released the WD-Pretender tool, which automates the process of generating these malicious update packages. During their demonstration, they showed how to force Windows Defender to identify benign files as malicious, leading to their deletion. This is a classic Broken Access Control scenario where the update mechanism fails to properly validate the integrity of the data it is processing.
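The following Python model, added here and not taken from Defender's code or from WD-Pretender, shows why a "newer version plus intact signature data" check is not enough. It builds a toy update package whose integrity value covers only the signature data (the pre-fix assumption, as this page describes it) next to one whose value also covers the version field (the post-fix behaviour). The HMAC with a constructed key stands in for the vendor's real digital signature; the package fields and function names are assumptions for the example.

```python
import hmac
import struct
from copy import deepcopy

# Stands in for the vendor's private signing key. A real update carries an
# asymmetric signature, but an HMAC is enough to show what the check covers.
VENDOR_KEY = b"constructed-demo-key-not-secret"


def _mac(data: bytes) -> str:
    return hmac.new(VENDOR_KEY, data, "sha256").hexdigest()


def make_update(version: int, signatures: bytes) -> dict:
    """Build a toy update package (stand-in for a VDM file).

    Two integrity values are attached: one over the signature data alone
    (all the vulnerable path relies on) and one over the whole file with
    the version field included (what closes the hole).
    """
    return {
        "version": version,
        "signatures": signatures,
        "data_mac": _mac(signatures),
        "file_mac": _mac(struct.pack("<I", version) + signatures),
    }


def bump_version(update: dict, new_version: int) -> dict:
    """Model the manipulation described above: a valid but old package with
    only its version field rewritten. The signature data is untouched, so
    data_mac still verifies."""
    tampered = deepcopy(update)
    tampered["version"] = new_version
    return tampered


def accept_update_vulnerable(installed_version: int, update: dict) -> bool:
    """Pre-fix logic as this page describes it: a newer version number and
    intact signature data are enough to install."""
    if update["version"] <= installed_version:
        return False
    return hmac.compare_digest(update["data_mac"], _mac(update["signatures"]))


def accept_update_hardened(installed_version: int, update: dict) -> bool:
    """Fixed logic: verify a signature covering the version field before the
    version comparison is allowed to mean anything."""
    signed = struct.pack("<I", update["version"]) + update["signatures"]
    if not hmac.compare_digest(update["file_mac"], _mac(signed)):
        return False
    return update["version"] > installed_version


if __name__ == "__main__":
    old = make_update(100, b"old signature set")
    rolled = bump_version(old, 300)
    print("vulnerable accepts re-versioned old file:", accept_update_vulnerable(150, rolled))
    print("hardened accepts re-versioned old file:", accept_update_hardened(150, rolled))
```

The ordering in the hardened path is the point: authenticate the whole file first, then compare versions. Any metadata the engine uses to make a decision (version, timestamps, file names) has to be inside the signed region, otherwise that metadata becomes the attacker's input.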

Real-World Impact for Pentesters

For a pentester, this research is a goldmine. If you have gained a foothold on a system as a low-privilege user, you are often blocked by EDR or antivirus solutions from running your post-exploitation tools. Instead of trying to kill the process—which is usually impossible—you can now potentially force the security product to delete its own detection signatures or, better yet, force it to delete other security tools that might be monitoring your activity.

The vulnerability, tracked as CVE-2023-24934, was patched by Microsoft in April 2023. The fix ensures that the engine validates the digital signature of all VDM files before processing them. If you are conducting an engagement, check the version of the Microsoft Malware Protection Platform. Anything below version 4.18.2303.8 is likely susceptible to this class of attack.

Defensive Considerations

Defenders should treat the update process of any security tool as a high-value target. If an attacker can influence the update source or the local storage where updates are staged, the entire security posture of the endpoint is compromised. Monitoring for unusual file modifications in the directories where security products stage their updates is a simple but effective detection strategy. Furthermore, ensure that your fleet is running the latest versions of all security agents, as vendors are constantly hardening these update pipelines against this exact type of manipulation.
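As an added example of the detection strategy just described (not code from the page or from any vendor), the Python below runs a simple rule over constructed file-creation events in the shape of Sysmon Event ID 11 and flags writes into Defender's definition-update staging directory by processes other than Defender's own. The staging path and the allowlist of expected writer processes are assumptions based on the product's default install layout and should be tuned to what you observe in your own fleet; the sample events are constructed, not real telemetry.

```python
import fnmatch
import json
from typing import List, Optional

# Directory where Defender stages definition updates. Assumed from the
# default install layout; adjust to your environment.
WATCHED_DIRS = [
    r"c:\programdata\microsoft\windows defender\definition updates\*",
]
# Processes expected to write there. Assumed allowlist; tune it to what
# you actually see writing these files in your fleet.
EXPECTED_WRITERS = {"msmpeng.exe", "mpsigstub.exe", "mpcmdrun.exe"}
SIGNATURE_EXTENSIONS = (".vdm",)

# Constructed events in the shape of Sysmon Event ID 11 (FileCreate),
# flattened to one JSON object per line. Not real telemetry.
SAMPLE_EVENTS = [
    r'{"EventID": 11, "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2303.8-0\\MsMpEng.exe", "TargetFilename": "C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{constructed-guid}\\mpasbase.vdm", "User": "NT AUTHORITY\\SYSTEM"}',
    r'{"EventID": 11, "Image": "C:\\Users\\alice\\AppData\\Local\\Programs\\Python\\python.exe", "TargetFilename": "C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\mpasbase.vdm", "User": "LAB\\alice"}',
    r'{"EventID": 11, "Image": "C:\\Windows\\System32\\notepad.exe", "TargetFilename": "C:\\Users\\alice\\Documents\\notes.txt", "User": "LAB\\alice"}',
    r'{"EventID": 11, "Image": "C:\\Users\\alice\\Downloads\\7z.exe", "TargetFilename": "C:\\Users\\alice\\Downloads\\extract\\mpavbase.vdm", "User": "LAB\\alice"}',
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_watched_dir(path: str) -> bool:
    p = path.lower()
    return any(fnmatch.fnmatchcase(p, pat) for pat in WATCHED_DIRS)


def classify(event: dict) -> Optional[dict]:
    """Return an alert dict for a suspicious FileCreate event, else None."""
    if event.get("EventID") != 11:
        return None
    image = event.get("Image", "")
    target = event.get("TargetFilename", "")
    if _basename(image) in EXPECTED_WRITERS:
        return None  # Defender's own components writing their own files
    if _in_watched_dir(target):
        # Something other than Defender is touching the update staging area.
        rule, severity = "unexpected-writer-in-staging-dir", "high"
    elif target.lower().endswith(SIGNATURE_EXTENSIONS):
        # A signature database created elsewhere by a non-Defender process.
        rule, severity = "vdm-created-outside-defender", "medium"
    else:
        return None
    return {"rule": rule, "severity": severity, "image": image,
            "target": target, "user": event.get("User")}


def detect(lines: List[str]) -> List[dict]:
    """Run classify() over JSON lines, skipping malformed ones."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # do not let one bad line stop the pipeline
        alert = classify(event)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["severity"], a["rule"], a["image"], "->", a["target"])
```

The allowlist is the part that needs care: a process-name match is easy to spoof, so in production the same rule should key on the signed image path (or Sysmon's signature fields) rather than on the basename alone, and the medium-severity rule will fire on legitimate analysis work and should be tuned accordingly.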

This research serves as a reminder that complexity is the enemy of security. By adding layers of proprietary compression and custom update logic, vendors often introduce new, unforeseen attack surfaces. As researchers, we should continue to pull on these threads. When you see a proprietary update format, don't assume it's secure just because it's signed. Decompress it, diff it, and see what happens when you feed it malformed data. You might just find the next bypass.

Talk Type: research presentation
Difficulty: advanced
Tags: Has Demo, Has Code, Tool Released


Black Hat USA 2023
