A new tool called DefenderWrite exploits whitelisted Windows programs to bypass protections and write arbitrary files into antivirus executable folders, potentially enabling malware persistence and evasion.
Developed by cybersecurity expert Two Seven One Three, the tool demonstrates a novel technique for penetration testers and red teams to drop payloads in highly protected locations without needing kernel-level access.
This development highlights ongoing challenges in antivirus self-protection mechanisms, where folders housing AV executables are typically shielded from modifications to prevent tampering.
By identifying system programs that antivirus vendors whitelist for updates and installations, attackers can leverage these exceptions to inject malicious DLLs, turning the AV’s own safeguards against it.
The tool’s release, shared via GitHub, has sparked discussions on the balance between operational necessities for AV software and security risks in enterprise environments.
Exploiting Whitelisted Programs for Arbitrary Writes
The core innovation behind DefenderWrite lies in systematically scanning Windows executables to find those permitted to access AV folders.
It enumerates all .exe files in directories such as C:\Windows, then uses process creation and remote DLL injection to test whether each one can write into protected paths.
A custom DLL performs the file write operation and reports success or failure, allowing the tool to pinpoint exploitable processes like msiexec.exe without triggering defenses.
In testing on Windows 11 24H2 with Microsoft Defender version 4.18.25070.5-0, the method identified four such programs: msiexec.exe, Register-CimProvider.exe, svchost.exe, and lsass.exe.
For instance, launching msiexec.exe and injecting the DLL enables writing a file directly into Defender’s installation directory, as demonstrated in lab experiments.
This approach extends beyond Microsoft Defender; similar whitelisting vulnerabilities were confirmed in BitDefender, TrendMicro Antivirus Plus, and Avast, though specific details remain undisclosed to encourage independent verification.

DefenderWrite supports key parameters for targeted operations, including TargetExePath for the host executable, FullDLLPath for the injectable library, and FileToWrite for the destination path within the AV folder. An optional “c” flag simplifies copying the DLL to the specified location remotely.
Accompanying the binary is a PowerShell script, Run_Check.ps1, which automates scanning C:\Windows executables and logging whitelisted ones for further exploitation.

Users can customize the script for their environment, making it suitable for red team simulations or defensive assessments.
The GitHub repository provides full source code and documentation, emphasizing ethical use in authorized testing only. Two Seven One Three, active on X as @TwoSevenOneT, shares additional pentest insights and encourages community experiments to strengthen AV resilience.
Once a malicious payload resides in an AV folder, it benefits from the same exceptions that shield legitimate files, evading scans and potentially achieving long-term persistence.
This technique underscores the need for vendors to audit whitelisting policies and implement stricter process isolation during updates. While not a zero-day vulnerability, DefenderWrite reveals systemic gaps that could aid real-world attacks if unaddressed.
Organizations should monitor AV update mechanisms and consider layered defenses beyond traditional file permissions. With the tool’s open availability, expect broader adoption in security research circles to push for improved protections across popular antivirus solutions.
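One way to operationalise that monitoring, as an added detection example that is not part of the article or the DefenderWrite project: it correlates Sysmon-style CreateRemoteThread (Event ID 8) and FileCreate (Event ID 11) records so that a write into Defender's folder by one of the whitelisted hosts that had just received a remote thread is raised as critical. The Defender directory paths, the Sysmon field names and the sample events are assumptions constructed for the example.

```python
"""Flag writes into an AV's self-protected folder by anything other than the AV itself."""
import fnmatch

# Assumed Defender binary locations (adjust per vendor/estate); compared lower-cased.
PROTECTED_DIRS = (
    r"c:\programdata\microsoft\windows defender\platform\*",
    r"c:\program files\windows defender\*",
)
# Hosts the article reports as whitelisted (Windows 11 24H2, Defender 4.18.25070.5-0).
WHITELISTED_HOSTS = {"msiexec.exe", "register-cimprovider.exe", "svchost.exe", "lsass.exe"}


def under_protected(path):
    """True if path lies inside a protected AV directory."""
    return any(fnmatch.fnmatchcase(path.lower(), pat) for pat in PROTECTED_DIRS)


def detect(events):
    """Correlate chronological Sysmon-style events: ID 8 = CreateRemoteThread, ID 11 = FileCreate.
    A write under a protected dir by a non-AV image is suspicious; if that writer PID earlier
    received a remote thread, it matches the injected-whitelisted-host pattern."""
    injected = {}  # writer pid -> image that created a thread in it
    alerts = []
    for ev in events:
        if ev["EventID"] == 8:
            injected[ev["TargetProcessId"]] = ev["SourceImage"]
        elif ev["EventID"] == 11 and under_protected(ev["TargetFilename"]):
            if under_protected(ev["Image"]):
                continue  # the AV's own binaries maintaining their folder
            writer = ev["Image"].lower().rsplit("\\", 1)[-1]
            injector = injected.get(ev["ProcessId"])
            severity = "critical" if injector else "high" if writer in WHITELISTED_HOSTS else "medium"
            alerts.append({"severity": severity, "writer": writer,
                           "injector": injector, "file": ev["TargetFilename"]})
    return alerts


# Constructed sample telemetry (not real logs); the injector path is a placeholder.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe", "ProcessId": 3100,
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.25070.5-0\mpengine.dll"},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\Downloads\injector.exe",
     "TargetProcessId": 4242, "TargetImage": r"C:\Windows\System32\msiexec.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\msiexec.exe", "ProcessId": 4242,
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.25070.5-0\dropped.dll"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe", "ProcessId": 900,
     "TargetFilename": r"C:\Program Files\Windows Defender\extra.dll"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The first sample event (Defender's own engine updating its folder) is deliberately suppressed, so a real deployment must keep the protected-directory list in step with where the vendor's binaries actually live.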