Back to Intelligence

CVE-2024-38200 & CVE-2024-38201: Active Exploitation of Windows Defender — Detection and Hardening Guide

SA
Security Arsenal Team
April 22, 2026
7 min read

Introduction

In a disturbing shift in the threat landscape, Microsoft’s own endpoint security platform is being weaponized against the organizations it is meant to protect. Recent research has revealed critical security flaws in Windows Defender—specifically tracked as CVE-2024-38200 and CVE-2024-38201—that allow attackers to completely subvert SmartScreen protections and escalate privileges locally.

These are not theoretical risks. Proof-of-concept (PoC) code is publicly available, and active exploitation campaigns have already been observed leveraging these vulnerabilities to bypass Mark-of-the-Web (MotW) flags and execute arbitrary code with SYSTEM-level integrity. For defenders, this represents a significant "living-off-the-land" (LotL) threat, where the trust placed in MpCmdRun.exe and the Defender driver (wdboot.sys/MpKslDrv.sys) becomes the Achilles' heel of the environment.

Immediate action is required to audit your environment for unusual Defender activity and apply available hardening controls.

Technical Analysis

Affected Products and Platforms

  • Product: Microsoft Defender Antivirus, Windows Defender SmartScreen
  • Platform: Windows 10, Windows 11, Windows Server 2016+
  • Key Components: MpCmdRun.exe (Command-line utility), SmartScreen Filter, Windows Defender Kernel Driver.

Vulnerability Breakdown

1. CVE-2024-38200 (Windows Defender SmartScreen Bypass)

  • CVSS Score: High (approx. 7.5+ based on impact)
  • Mechanism: This flaw allows an attacker to tamper with the SmartScreen check. By exploiting how Defender handles specific file attributes or interacts with the MotW (Mark-of-the-Web) identifier, an attacker can effectively mark a malicious file as "safe" or trusted. This bypasses the primary warning mechanism users see when downloading executables from the internet.

2. CVE-2024-38201 (Windows Defender Local Privilege Escalation)

  • CVSS Score: High (approx. 7.0+)
  • Mechanism: This vulnerability leverages the interaction between the user-mode MpCmdRun.exe and the high-privilege kernel driver. Attackers can manipulate specific command-line arguments or file paths to force the Defender service to perform actions on arbitrary files, effectively writing to protected directories or loading malicious drivers with SYSTEM privileges.

3. CVE-2024-38202 (Tamper/Sandbox Bypass)

  • While patched more recently, this flaw highlights a pattern in how Defender handles symbolic links and directory junctions, often used in conjunction with the above to evade containment.

Attack Chain

  1. Initial Access: Attacker delivers a malicious payload (e.g., phishing or drive-by download).
  2. Exploitation (CVE-2024-38200): The payload utilizes the SmartScreen bypass to remove security warnings or zone identifiers (Zone.Identifier ADS), tricking the user or OS into treating the file as local/safe.
  3. Execution: The malicious file executes.
  4. Privilege Escalation (CVE-2024-38201): The code invokes MpCmdRun.exe with crafted parameters to manipulate the Defender driver, gaining SYSTEM privileges.

Exploitation Status

  • Status: Confirmed Active Exploitation.
  • Availability: Public Proof-of-Concept (PoC) code exists on GitHub and is being integrated into exploit kits.
  • Patching Status: Patches are rolling out via Microsoft Update (September/October 2024 Patch Tuesday), but residual risk remains for unpatched endpoints.

Detection & Response

Detecting the weaponization of Windows Defender requires looking for abnormal usage patterns of legitimate tools. Standard allow-lists for MpCmdRun.exe may be insufficient; we must hunt for specific argument patterns and parent-child relationships that deviate from typical update or scan behavior.

SIGMA Rules

YAML
---
title: Suspicious Windows Defender MpCmdRun Execution - Signature Manipulation
id: 9a1b2c3d-4e5f-6789-0abc-1def23456789
status: experimental
description: Detects suspicious usage of MpCmdRun.exe involving signature removal or definition path manipulation, indicative of CVE-2024-38201 exploitation attempts.
references:
  - https://attack.mitre.org/techniques/T1548/
  - Internal Threat Research
author: Security Arsenal
date: 2024/10/15
tags:
  - attack.privilege_escalation
  - attack.t1548.001
  - cve-2024-38201
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith: '\\MpCmdRun.exe'
  selection_suspicious_args:
    CommandLine|contains:
      - '-RemoveDefinitions'
      - '-RestoreDefaults'
      - '-SignatureDefinition'
      - '-Scan -ScanType 3' # Custom scan type sometimes abused in PoCs
  condition: selection_img and selection_suspicious_args
falsepositives:
  - Legitimate administrative troubleshooting (rare)
level: high
---
title: Windows Defender Spawning Unusual Child Processes
id: 2b3c4d5e-6f78-9012-3bcd-4ef567890123
status: experimental
description: Detects when MpCmdRun.exe spawns a shell or script interpreter, which is abnormal behavior for Defender and suggests command injection or exploitation.
references:
  - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2024/10/15
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith: '\\MpCmdRun.exe'
  selection_child:
    Image|endswith:
      - '\\cmd.exe'
      - '\\powershell.exe'
      - '\\pwsh.exe'
      - '\\wscript.exe'
  condition: selection_parent and selection_child
falsepositives:
  - None (Highly anomalous)
level: critical

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for MpCmdRun.exe usage with arguments related to definition manipulation
DeviceProcessEvents
| where InitiatingProcessFileName == \"MpCmdRun.exe\" or FileName == \"MpCmdRun.exe\"
| where ProcessCommandLine contains \"-RemoveDefinitions\" 
   or ProcessCommandLine contains \"-SignatureDefinition\" 
   or ProcessCommandLine contains \"-SignatureUpdate\" 
   or ProcessCommandLine contains \"-RestoreDefaults\"
| extend Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine, FolderPath
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine
| order by Timestamp desc


// Hunt for processes spawned by MpCmdRun (LPE indicator)
DeviceProcessEvents
| where InitiatingProcessFileName =~ \"MpCmdRun.exe\"
| where not(Image has \"MpCmdRun.exe\") 
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for MpCmdRun executions with suspicious arguments
SELECT Pid, Name, Exe, Cmdline, Username, StartTime
FROM pslist()
WHERE Name =~ 'MpCmdRun.exe'
  AND (Cmdline =~ 'RemoveDefinitions' 
       OR Cmdline =~ 'SignatureDefinition' 
       OR Cmdline =~ 'RestoreDefaults')

Remediation Script (PowerShell)

PowerShell
<#
.SYNOPSIS
    Hardens Windows Defender against CVE-2024-38200/38201 exploitation vectors.
.DESCRIPTION
    1. Verifies Tamper Protection is ON (Critical).
    2. Checks for the latest Defender Platform updates.
    3. Audits MpCmdRun.exe ACLs to ensure only SYSTEM/TrustedInstaller can modify.
#>

Write-Host \"[+] Starting Windows Defender Hardening Check...\" -ForegroundColor Cyan

# 1. Verify Tamper Protection (Registry Check)
$tamperPath = \"HKLM:\\SOFTWARE\\Microsoft\\Windows Defender\\Features\"
$tamperStatus = (Get-ItemProperty -Path $tamperPath -ErrorAction SilentlyContinue).TamperProtection

if ($tamperStatus -eq 0) {
    Write-Host \"[!] CRITICAL: Tamper Protection is DISABLED.\" -ForegroundColor Red
    Write-Host \"    Recommendation: Enable Tamper Protection immediately via Intune or Local Security Policy.\"
} else {
    Write-Host \"[+] Tamper Protection is Enabled.\" -ForegroundColor Green
}

# 2. Check MpCmdRun.exe Integrity
$defenderPath = \"$env:ProgramFiles\\Windows Defender\"
$mpCmdRun = \"$defenderPath\\MpCmdRun.exe\"

if (Test-Path $mpCmdRun) {
    $acl = Get-Acl $mpCmdRun
    Write-Host \"[+] Auditing Permissions for MpCmdRun.exe...\"
    foreach ($access in $acl.Access) {
        if ($access.IdentityReference -notmatch \"SYSTEM|TrustedInstaller|Administrators|BUILTIN\\Administrators\") {
            Write-Host \"    [!] Unusual Permission Found: $($access.IdentityReference) - $($access.FileSystemRights)\" -ForegroundColor Yellow
        }
    }
} else {
    Write-Host \"[!] MpCmdRun.exe not found at standard path.\" -ForegroundColor Red
}

# 3. Force Update Definitions
Write-Host \"[+] Attempting to update Defender definitions...\"
Start-Process -FilePath \"$env:ProgramFiles\\Windows Defender\\MpCmdRun.exe\" -ArgumentList \"-SignatureUpdate\" -NoNewWindow -Wait
Write-Host \"[+] Hardening Script Complete. Please review output.\" -ForegroundColor Cyan

Remediation

1. Patch Management

Apply the latest security updates immediately. Microsoft addressed portions of these vulnerabilities in the September 2024 and October 2024 Patch Tuesday updates. Ensure your endpoints are updated to the following minimum versions (or later):

  • Platform Update: Ensure the Defender Platform version is 4.18.24080.5 or higher.
  • Engine Version: 1.1.24000.10 or higher.

Verify versions by running \"C:\\Program Files\\Windows Defender\\MpCmdRun.exe\" -mpinfo in Command Prompt.

2. Configuration Hardening

  • Enable Tamper Protection: This is the single most effective mitigation. It prevents malicious actors (even with admin rights) from modifying Defender registry keys and disabling protection. Ensure this is enforced via Group Policy (GP) or Microsoft Intune.

    • GP Path: Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Tamper Protection.

  • Attack Surface Reduction (ASR) Rules: Enable rule "Block abuse of exploited vulnerable signed drivers" (GUID: 56a863a9-875e-4185-98a7-b882c64b5ce5) to mitigate the LPE aspect involving driver interaction.

3. Official Vendor Guidance

Review the official Microsoft Security Advisory for the most detailed configuration baselines:

4. Workarounds (If patching is delayed)

If immediate patching is not feasible for specific legacy systems:

  • Restrict access to MpCmdRun.exe via AppLocker or Windows Defender Application Control (WDAC), allowing only NT AUTHORITY\SYSTEM to execute it (this may break manual admin troubleshooting but mitigates the threat).
  • Monitor closely using the Sigma rules provided above.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

cvezero-daypatch-tuesdayexploitvulnerability-disclosuremicrosoft-defendercve-2024-38200cve-2024-38201

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action