DefenderWrite: Abusing Whitelisted Programs for Arbitrary Writes


 I. OVERVIEW

During a penetration test or red team engagement, an attacker needs a safe place to drop payloads, and the same location often doubles as storage for files used for persistence.

One of the safest places to write payloads and offensive tools is the folder holding the Antivirus (AV) software's own executables. Because the AV protects these folders by blocking write access, it treats their contents as trusted and, in effect, places them on its own "exception" (exclusion) list.

In this article I introduce a tool that finds and abuses programs whitelisted by the Antivirus, so that arbitrary files can be written into the folder containing the AV's executables.

I also test the tool against Windows Defender Antivirus (I have tested it with three other Antivirus products as well, and arbitrary file writing was possible in every case).

Find me on X to get the latest pentest and red team tricks that I've been researching: Two Seven One Three (@TwoSevenOneT) / X

II. CORE

1. The Idea Of Finding A Way To Write Into A Write-Blocked Folder

As you may know, the executable folder of Antivirus software is normally protected by blocking write operations. Unless you have kernel privileges or an exploit for the Antivirus itself, you are unlikely to be able to write arbitrary files into these folders.

However, the AV still has to be installed and updated. That means there may be a program already present in Windows, not part of the Antivirus software itself, that the AV allows to write files into its executable folder.

I will take the following steps to identify these programs:

  1. Build a list of all executable files present on Windows (for example, every .exe file under C:\Windows).
  2. Run each of these .exe files in turn with CreateProcess.
  3. Inject a DLL into the newly created process.
  4. The DLL attempts to write a file into the specified folder and reports success or failure.
  5. Once the result is in, terminate the process and move on to the next .exe file.

By this simple method, I have identified programs that can write into the executable folder of Windows Defender and several other types of AVs without needing kernel privileges or exploits.

2. Introduction To The Tool "DefenderWrite"

I developed the DefenderWrite tool with the ability to remotely inject DLLs and write files to a specified path.

You can download this tool via the following link:

https://github.com/TwoSevenOneT/DefenderWrite

DefenderWrite takes the following arguments:

DefenderWrite arguments

  • TargetExePath: the path to the executable file to run (the candidate whitelisted program).
  • FullDLLPath: the path to the DLL to inject into that process; it must be an absolute path.
  • FileToWrite: the file you want the remote process to create, typically a path inside the Antivirus installation folder.
  • c (optional): when given, DefenderWrite copies FullDLLPath to the destination specified by FileToWrite through the remote process.


3. Use The Script “Run_Check.ps1” To Identify Files That Are Whitelisted

I’ve bundled the “Run_Check.ps1” script into the DefenderWrite project.

https://github.com/TwoSevenOneT/DefenderWrite/blob/master/Run_Check.ps1

This script scans all .exe files in C:\Windows, then uses DefenderWrite to check which of them are whitelisted, i.e. able to create a file inside the antivirus folder.

DefenderWrite with Run_Check.ps1 script

You can tweak the script with paths that match your lab machine's environment.
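The following lab script is an added example, not the project's own Run_Check.ps1: it carries out the five-step procedure from section 1 by driving DefenderWrite.exe over every .exe under a root folder and records which candidates actually created a file inside the AV directory. The tool and DLL locations, the AV folder, and the positional argument order (TargetExePath FullDLLPath FileToWrite) are assumptions for this script; adjust them to your lab.

```powershell
# Added lab script (not the DefenderWrite project's Run_Check.ps1).
# Assumptions: the default paths below, and that DefenderWrite.exe takes its
# arguments positionally as TargetExePath FullDLLPath FileToWrite.
param(
    [string]$DefenderWrite = 'C:\Lab\DefenderWrite\DefenderWrite.exe',  # assumed location of the tool
    [string]$InjectDll     = 'C:\Lab\DefenderWrite\DefenderWrite.dll',  # must be an absolute path
    [string]$AvDir         = 'C:\Program Files\Windows Defender',       # assumed write-protected AV folder
    [string]$ScanRoot      = 'C:\Windows',
    [int]   $TimeoutSec    = 10
)

# Per-run tag, so a probe file left behind by an earlier run can never be
# mistaken for a fresh success (deleting from the protected folder may fail).
$runId = Get-Date -Format 'yyyyMMddHHmmss'

$results = foreach ($exe in Get-ChildItem -Path $ScanRoot -Filter '*.exe' -Recurse -File -ErrorAction SilentlyContinue) {
    $probe = Join-Path $AvDir ('probe_{0}_{1}.txt' -f $exe.BaseName, $runId)

    $proc = Start-Process -FilePath $DefenderWrite `
        -ArgumentList @("`"$($exe.FullName)`"", "`"$InjectDll`"", "`"$probe`"") `
        -WindowStyle Hidden -PassThru

    # Some hosts never exit on their own (services, GUI programs); give up after the timeout.
    if (-not $proc.WaitForExit($TimeoutSec * 1000)) {
        Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
    }

    # Ground truth is whether the file now exists in the protected folder,
    # not what the tool printed to the console.
    [pscustomobject]@{
        Exe      = $exe.FullName
        ExitCode = $proc.ExitCode
        Written  = Test-Path -LiteralPath $probe
    }
}

# Whitelisted candidates first, then the full result set to a CSV for review.
$results | Where-Object Written | Select-Object -ExpandProperty Exe
$results | Export-Csv -Path (Join-Path $env:TEMP "defenderwrite_$runId.csv") -NoTypeInformation
```

Run it elevated in a snapshot-backed VM. Killing DefenderWrite on a timeout can leave the target process it spawned running, so check Get-Process between runs, and remember that every successful probe leaves a file in the AV folder that you may not be able to delete by ordinary means.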

4. Experimenting with DefenderWrite using Windows Defender

I'll be running experiments with Windows Defender version 4.18.25070.5-0 on Windows 11 24H2.

After running "Run_Check.ps1", four files turned out to be whitelisted:

  • C:\Windows\System32\msiexec.exe
  • C:\Windows\System32\Register-CimProvider.exe
  • C:\Windows\System32\svchost.exe
  • C:\Windows\System32\lsass.exe

I'll use the program "C:\Windows\System32\msiexec.exe" to drop a DLL into the Windows Defender folder.

DefenderWrite can write to protected folder of Windows Defender

As shown in the image above, DefenderWrite can exploit "msiexec.exe" to arbitrarily write files into the Windows Defender installation folder.

I also ran experiments with the AVs listed below, and the results were quite surprising: each of them had at least one whitelisted file that could be exploited to arbitrarily write files into their execution folders.

  • BitDefender Antivirus
  • TrendMicro Antivirus Plus
  • Avast Antivirus

I won’t disclose the specific whitelist files for these AVs. You’re welcome to run your own experiments.
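From the defensive side, the two observable steps of this technique are a remote thread created in one of the whitelisted system binaries and a file created inside the AV folder by a process that does not live there. The following added example, which is not part of the DefenderWrite project, encodes both checks over constructed Sysmon-style records (Event ID 11 is Sysmon's FileCreate, Event ID 8 is CreateRemoteThread). The protected directories and the sample records are assumptions made up for this example.

```powershell
# Added detection example (not part of the DefenderWrite project).
# Assumptions: the protected directory list and the sample records below.
$ProtectedDirs = @(
    'C:\Program Files\Windows Defender\',
    'C:\ProgramData\Microsoft\Windows Defender\'
)

# The names Run_Check.ps1 reported on the test machine; a remote thread into any of them deserves a look.
$WhitelistedNames = @('msiexec.exe', 'Register-CimProvider.exe', 'svchost.exe', 'lsass.exe')

function Test-UnderProtectedDir([string]$Path) {
    if ([string]::IsNullOrEmpty($Path)) { return $false }
    foreach ($dir in $ProtectedDirs) {
        if ($Path.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Find-AvFolderAbuse($Records) {
    foreach ($e in $Records) {
        # Rule 1: a file created inside the AV folder by an image that does not itself live there.
        if ($e.EventId -eq 11 -and
            (Test-UnderProtectedDir $e.TargetFilename) -and
            -not (Test-UnderProtectedDir $e.Image)) {
            [pscustomobject]@{ Rule = 'AvFolderWriteByForeignImage'; Source = $e.Image; Target = $e.TargetFilename }
        }
        # Rule 2: a remote thread created in one of the system binaries found to be whitelisted.
        if ($e.EventId -eq 8 -and $e.TargetImage -and
            $WhitelistedNames -contains (Split-Path -Leaf $e.TargetImage)) {
            [pscustomobject]@{ Rule = 'RemoteThreadIntoWhitelistedExe'; Source = $e.Image; Target = $e.TargetImage }
        }
    }
}

# Constructed sample records shaped like parsed Sysmon fields (not real telemetry).
$Sample = @(
    [pscustomobject]@{ EventId = 8;  Image = 'C:\Lab\DefenderWrite.exe';        TargetImage = 'C:\Windows\System32\msiexec.exe'; TargetFilename = $null },
    [pscustomobject]@{ EventId = 11; Image = 'C:\Windows\System32\msiexec.exe'; TargetImage = $null; TargetFilename = 'C:\Program Files\Windows Defender\payload.dll' },
    [pscustomobject]@{ EventId = 11; Image = 'C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.25070.5-0\MsMpEng.exe'; TargetImage = $null; TargetFilename = 'C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\x.bin' },
    [pscustomobject]@{ EventId = 11; Image = 'C:\Windows\System32\notepad.exe'; TargetImage = $null; TargetFilename = 'C:\Users\lab\notes.txt' }
)

Find-AvFolderAbuse $Sample | Format-Table -AutoSize
```

Only the first two sample records are flagged: the AV engine writing under its own tree and notepad writing to a user profile both pass. Rule 2 will be noisy on svchost.exe in a real estate, so scope it by source image or parent process before turning it into an alert.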

5. Video summary and demo run

YouTube: https://youtu.be/n8FuFoPEZHs


III. SUMMARY

Antivirus programs typically shield themselves by blocking arbitrary file writes to their execution folders. To ensure stable operation, these folders are often placed on the antivirus exception list as well.

So once malware manages to drop its payload into the AV's folder, it slips past scans and even enjoys the protection of the antivirus itself.

DefenderWrite is a tool designed to locate and exploit whitelisted programs to arbitrarily write files into the antivirus installation folder.

All four antivirus programs tested had at least one whitelisted file that could be exploited for arbitrary file writing.

IV. READING

Some books you should read to sharpen your cybersecurity skills, especially in offensive security:

Books on Programming and Cybersecurity recommended by Zero Salarium Researchers


Author of the article: Two Seven One Three

Comments

  1. CrowdStrike Falcon and Palo Alto Cortex find it and block it; Bitdefender GravityZone with EDR runs it, but I didn't try to run it just yet.

    Replies
    1. You should run this tool in a lab environment and configure it so that it can operate. Our goal is to use it to find whitelisted programs.