I. OVERVIEW
During the penetration testing process or red team activities, attackers
always need to find a safe spot to drop their payloads, and such places may
also serve as storage for files intended for persistence.
One of the safest places to write payloads and offensive tools is the folder
of executable files for Antivirus (AV) software. Since these folders are
protected by the AV, preventing users from writing files into them, they
automatically become part of the “exception” list.
In this article, I will introduce a tool that helps find and exploit programs
whitelisted by Antivirus to allow arbitrary file writing into the folder
containing the AV’s executable files.
I will also experiment with this tool using Windows Defender Antivirus (I have also tested it with three other Antivirus products, and it was
possible to perform arbitrary file writing in all cases).
Find me on X to get the latest pentest and red team tricks that I’ve been
researching: Two Seven One Three (@TwoSevenOneT) / X
II. CORE
1. The Idea Of Finding A Way To Write Into A Write-Blocked Folder
As you may know, the executable folder of Antivirus software is always
protected by blocking write operations. Unless you have kernel privileges or
exploits for the Antivirus software, it is highly likely that you won’t be
able to write arbitrary files into these folders.
However, AV also needs to be installed or updated, right? If so, there is a
possibility that there is a program already present in Windows, not part of
the Antivirus software, that has permission to write files into the executable
folder of the AV.
I will take the following steps to identify these programs:
- Create a list of all executable files present on Windows (for example, all .exe files in C:\Windows).
- Sequentially run each of these .exe files using CreateProcess.
- Remotely inject a DLL into the newly created process.
- The DLL has the function to write a file into a specified folder and return a success or failure result.
- After obtaining the result, terminate this process and move on to the next .exe file.
By this simple method, I have identified programs that can write into the
executable folder of Windows Defender and several other types of AVs without
needing kernel privileges or exploits.
2. Introduction To The Tool “DefenderWrite”
I developed the DefenderWrite tool with the ability to remotely inject
DLLs and write files to a specified path.
You can download this tool via the following link:
https://github.com/TwoSevenOneT/DefenderWrite
DefenderWrite includes the following parameters:
- TargetExePath: the path to the executable file that needs to be run.
- FullDLLPath: the path to the DLL file to be remotely injected; it must be an absolute path.
- FileToWrite: the file you want the remote process to create, typically a path pointing to a file inside the Antivirus installation folder.
- Parameter “c”: DefenderWrite will remotely copy FullDLLPath to the destination specified by FileToWrite.
3. Use The Script “Run_Check.ps1” To Identify Files That Are Whitelisted
I’ve bundled the “Run_Check.ps1” script into the
DefenderWrite project.
https://github.com/TwoSevenOneT/DefenderWrite/blob/master/Run_Check.ps1
This script scans all .exe files in C:\Windows, then uses
DefenderWrite to check which ones are on the antivirus whitelist.
You can tweak the script with paths that match your lab machine’s environment.
4. Experimenting with DefenderWrite using Windows Defender
I’ll be running experiments with Windows Defender version
4.18.25070.5-0 on Windows 11 24H2.
After running “Run_Check.ps1”, I ended up with 4 files that made it
onto the whitelist:
- C:\Windows\System32\msiexec.exe
- C:\Windows\System32\Register-CimProvider.exe
- C:\Windows\System32\svchost.exe
- C:\Windows\System32\lsass.exe
I’ll use the program “C:\Windows\System32\msiexec.exe” to drop a DLL
into the Windows Defender folder.
As shown in the image above, DefenderWrite can exploit
“msiexec.exe” to arbitrarily write files into the Windows Defender
installation folder.
I also ran experiments with the AVs listed below, and the results were
quite surprising: each of them had at least one whitelisted file that could
be exploited to arbitrarily write files into their execution folders.
- BitDefender Antivirus
- TrendMicro Antivirus Plus
- Avast Antivirus
I won’t disclose the specific whitelist files for these AVs. You’re welcome to
run your own experiments.
5. Video summary and demo run
YouTube: https://youtu.be/n8FuFoPEZHs
III. SUMMARY
Antivirus programs typically shield themselves by blocking arbitrary file
writes to their execution folders. To ensure stable operation, these folders
are often placed on the antivirus exception list.
So once malware manages to drop its payload into the AV’s folder, it can slip
past scans—and even enjoy protection from the antivirus itself.
DefenderWrite is a tool designed to locate and exploit whitelisted
programs to arbitrarily write files into the antivirus installation folder.
All four antivirus programs tested had at least one whitelisted file that
could be exploited for arbitrary file writing.
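Because a file dropped into the AV's own folder is skipped by scans, a defender has to look at that folder directly. The following audit script is an added example (not part of the DefenderWrite project or this article's own code): it lists every file under the AV install folder whose Authenticode signature is missing, invalid, or issued to a signer other than the expected vendor, or which was created recently. The folder path, vendor string and day threshold are assumptions for a default Windows Defender install and should be adjusted for other products.

```powershell
# Added audit example; not code from the DefenderWrite project.
# Flags files in the AV install folder that a whitelisted writer could have dropped:
# unsigned/invalidly signed, signed by an unexpected vendor, or created recently.
# ASSUMPTION: path and vendor string are for a default Windows Defender install.
param(
    [string]$AvFolder   = 'C:\Program Files\Windows Defender',
    [string]$VendorName = 'Microsoft',
    [int]$RecentDays    = 7
)

$cutoff = (Get-Date).AddDays(-$RecentDays)

Get-ChildItem -Path $AvFolder -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        $reasons = @()
        if ($sig.Status -ne 'Valid')        { $reasons += "signature $($sig.Status)" }
        if ($subject -notmatch $VendorName) { $reasons += "signer '$subject'" }
        if ($_.CreationTime -gt $cutoff)    { $reasons += "created $($_.CreationTime)" }

        # Emit one row per suspicious file; silent for files that pass every check.
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Path    = $_.FullName
                Reasons = ($reasons -join '; ')
            }
        }
    } | Format-Table -AutoSize
```

Expect some noise from data files that are unsigned by design; the item of interest is a newly created executable or DLL with no vendor signature, which is exactly what the msiexec.exe drop above produces.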
IV. READING
Some books you should read to sharpen your cybersecurity skills, especially
in offensive security:
Books on Programming and Cybersecurity recommended by Zero Salarium
Researchers
Essential hardware tools that every security researcher and hacker should have in their toolkit:
Hardware Tools For Security Researcher and Hacker
Author of the article: Two Seven One Three