The exploit associated with Windows Defender (0BEFB96279DA248F6D49169E047EE7AB) is a malicious script that tries to disable or bypass the security features of Windows Defender and download and execute various types of malware on the infected device. The script is part of a larger campaign that targets organizations with cryptominers, keyloggers, and backdoors¹.

The script, named runxm1.cmd, is usually delivered through exploiting vulnerabilities on servers and workstations¹. It attempts to manipulate the registry settings of Windows Defender to disable its protection and add several files to its exceptions list. These files are used at different stages of the attack and include:

The script also tries to obtain administrator rights and rename folders of known security solutions to prevent them from running on the device¹. It then accesses a domain that hosts a platform that displays real-time cryptocurrency exchange rates and downloads the aforementioned files from there¹. Finally, it runs the cryptominer and the backdoor using the configuration file as an argument¹.

The exploit takes advantage of several mitigations that can be applied to either the operating system or individual apps through Windows Defender Exploit Guard. Exploit Guard is a feature that helps protect against malware that uses exploits to infect devices and spread². It consists of many mitigations that can be enabled or disabled separately by using various methods, such as the Windows Security app, Microsoft Intune, Microsoft Configuration Manager, Group Policy, or PowerShell².

Some of the mitigations that are relevant for this exploit are:

To protect against this exploit, it is recommended to enable these mitigations system-wide or for individual apps using Exploit Guard. It is also important to keep Windows Defender updated and scan the device regularly for any signs of infection. Additionally, it is advisable to avoid opening suspicious links or attachments, and use strong passwords and multi-factor authentication for online accounts.

(1) Organizations under attack from cryptominer-keylogger-backdoor combo ….
(2) Turn on exploit protection to help mitigate against attacks.
(3) Customize exploit protection | Microsoft Learn.
(4) Exploit protection reference | Microsoft Learn.
(5) Windows Defender Exploit Guard: Reduce the attack surface against next ….