Windows Defender Vulnerability Allows Service Hijacking and Disablement via Symbolic Link Attack

A severe vulnerability in Windows Defender’s update process allows attackers with administrator privileges to disable the security service and manipulate its core files.

The technique, which leverages a flaw in how Defender selects its execution folder, can be carried out using tools already available on the Windows operating system.

The vulnerability was detailed by Zero Salarium, who explored the continuous battle between attackers and endpoint protection systems.

While red teams often focus on evading detection, this method allows for the outright neutralization of the defense software itself.

Exploiting the Update Mechanism

The core of the exploit lies in the way the WinDefend service handles version updates. Windows Defender stores its executable files in a version-numbered folder located within C:\ProgramData\Microsoft\Windows Defender\Platform.

When the service starts or updates, it scans this Platform directory and selects the folder with the highest version number as its new operational path.

While Microsoft protects these folders from being modified, the researcher discovered that a user with administrator rights can still create new folders within the Platform directory.

This oversight allows an attacker to manipulate the update process. By creating a symbolic link (symlink) with a version number higher than the current one, an attacker can redirect the Defender service to an entirely different, attacker-controlled folder.

The attack is carried out in a few steps:

  • First, the attacker copies the legitimate Windows Defender executable files to a new, unsecured location (e.g., C:\TMP\AV).
  • Next, using the mklink command, they create a symbolic link inside the protected Platform folder. This symlink is given a name that appears to be a newer version of Defender and points to the unsecured folder created in the first step.
  • Upon the next system restart, the WinDefend service identifies the symlink as the latest version and launches its processes from the attacker-controlled directory.

Once control is established, the attacker has complete read/write access to the files Defender is running from. This enables several malicious outcomes.

For instance, an attacker could plant a malicious DLL in the folder to perform a DLL side-loading attack, executing malicious code within the trusted Defender process.

More simply, they could destroy the executable files, preventing the service from functioning.

In a demonstration, the researcher showed that simply deleting the symbolic link after the hijack causes the Defender service to fail to find its executable path on the next run.

This effectively stops the service and disables all real-time virus and threat protection, leaving the machine vulnerable.
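Because the technique depends on a reparse point (symlink or junction) appearing inside the Platform directory and on the service's image path being redirected through it, a defender can audit both conditions directly. The following PowerShell script is an added example written for this article, not code from the researcher or from Microsoft. It assumes the default Platform location under $env:ProgramData, that Platform normally contains only real version folders (no reparse points), and that the WinDefend service's PathName is a quoted path to MsMpEng.exe without extra arguments; run it from an elevated prompt.

```powershell
# Added audit example (not from the article): flag reparse points inside
# Defender's Platform directory and check whether the WinDefend service
# binary path runs through one of them or points at a missing directory.
# Assumption: default Platform location; run elevated.

$Platform = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'

function Get-PlatformReparsePoints {
    param([string]$Path = $Platform)
    # Real platform folders are plain directories; any symlink or junction
    # here is unexpected and worth investigating (note its creation time).
    Get-ChildItem -LiteralPath $Path -Directory -Force -ErrorAction Stop |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint } |
        ForEach-Object {
            [pscustomobject]@{
                Name     = $_.Name
                LinkType = $_.LinkType                    # SymbolicLink or Junction
                Target   = ($_.Target | Select-Object -First 1)
                Created  = $_.CreationTime
            }
        }
}

function Test-WinDefendImagePath {
    # PathName reflects the service's registry ImagePath, i.e. what the SCM
    # launches. A directory outside the Platform tree, a directory that is
    # itself a reparse point, or a directory that no longer exists (the
    # "delete the symlink" case) all indicate tampering or a broken service.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WinDefend'"
    if (-not $svc) { return [pscustomobject]@{ ImagePath = $null; Note = 'WinDefend service not found' } }
    $exe  = $svc.PathName.Trim('"')
    $dir  = Split-Path -Parent $exe
    $item = Get-Item -LiteralPath $dir -Force -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ImagePath      = $exe
        DirExists      = [bool]$item
        UnderPlatform  = $dir.StartsWith($Platform, [StringComparison]::OrdinalIgnoreCase)
        DirIsReparse   = [bool]($item -and ($item.Attributes -band [IO.FileAttributes]::ReparsePoint))
        ResolvedTarget = if ($item) { ($item.Target | Select-Object -First 1) } else { $null }
        ServiceState   = $svc.State
    }
}

$links = @(Get-PlatformReparsePoints)
if ($links.Count -gt 0) {
    Write-Warning "Reparse points found under $Platform (none are expected):"
    $links | Format-Table -AutoSize
} else {
    "No reparse points under $Platform"
}
Test-WinDefendImagePath | Format-List
```

A healthy host should report no reparse points and an image path whose directory exists, sits under Platform, and is not itself a link. Scheduling this check (or the equivalent query in an EDR) alongside monitoring for directory creation and mklink usage inside the Platform folder gives early warning before the reboot that completes the hijack.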

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.