Windows Defender Flaw Enables Service Hijacking via Symbolic Links
By exploiting this oversight, an attacker can redirect the service to load from an attacker-controlled directory, thereby gaining full control over Defender’s processes and file system.
This technique requires only built-in Windows tools and no additional malware.
Windows Defender normally installs its engine and executable files in a versioned subfolder under %ProgramData%\Microsoft\Windows Defender\Platform.
When the WinDefend service initializes or applies an update, it scans this Platform directory and chooses the folder whose name reflects the highest version number.
Microsoft enforces filesystem protections on these folders to prevent modification, but researchers at Zero Salarium discovered that administrators can still create new directories within Platform.
Subverting this version‐selection logic involves creating a symbolic link—using mklink—with a folder name that appears to increment Defender’s version.
The symlink is placed alongside the legitimate versioned folders but points to an unsecured location, such as C:\TMP\AV, containing copies of the Defender executables.
At the next system reboot, WinDefend misidentifies the symlinked folder as the newest version and launches from the attacker-controlled path.
From there, the intruder gains full read and write privileges over the Defender binaries in use.
Once control is achieved, the attacker can perform a variety of malicious actions.
In one scenario, planting a malicious DLL in the directory can facilitate a DLL side‐loading attack, injecting arbitrary code into a process trusted by the operating system.
Alternatively, an adversary could simply delete key Defender executable files, effectively stopping the service and disabling all real-time protection.
In proof-of-concept demonstrations, removing the symlink after the hijack prevented Defender from locating its engine on subsequent startups, leaving the endpoint entirely unprotected.
Table 1 outlines the step-by-step flow of the exploit and its impact on system security.
| Step | Action | Impact |
|---|---|---|
| 1 | Copy Defender executables to an attacker-controlled folder (e.g., C:\TMP\AV) | Establishes an unsecured location with valid binaries |
| 2 | Create a symbolic link in the Platform directory, named as a higher version number and pointing to that folder | Redirects Defender's version-selection mechanism |
| 3 | Reboot the system or restart the WinDefend service | Defender launches from the attacker-controlled directory |
| 4 | Manipulate files in the symlinked folder (e.g., DLL side-loading or deletion) | Enables code execution or permanent service disablement |
This vulnerability highlights the ongoing cat-and-mouse battle between attackers and endpoint protection systems.
While red teams often focus on evading detection, this method allows for direct neutralization of the defense service itself.
Microsoft has yet to issue an official patch addressing the symlink creation loophole.
Until a fix is released, system administrators should monitor the Platform directory for unauthorized entries and enforce stricter filesystem ACLs to block the creation of new folders by non-system processes.
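The following PowerShell audit is an added example, not code from the article or from Zero Salarium's research. It implements the two recommendations above in read-only form: it lists entries in the Platform directory that are reparse points (the legitimate versioned folders are not), whose link target resolves outside the Platform tree, or whose name does not look like a Defender platform version, and it lists ACL entries on the directory that grant subfolder-creation rights to principals other than the ones you expect to write there. The Platform path is the one the article names; the list of trusted writers is an assumption to adjust to your own baseline.

```powershell
# Added defensive example (not from the article or Zero Salarium). Read-only:
# it reports anomalies in the Defender Platform directory and changes nothing.
# Run from an elevated Windows PowerShell 5.1 or PowerShell 7.x session.
$PlatformPath = 'C:\ProgramData\Microsoft\Windows Defender\Platform'

# Principals expected to create folders here (assumption: adjust to your baseline).
$TrustedWriters = @('NT AUTHORITY\SYSTEM', 'NT SERVICE\TrustedInstaller')

function Get-DefenderPlatformAnomalies {
    param([string]$Path = $PlatformPath)

    $root = (Get-Item -LiteralPath $Path).FullName.TrimEnd('\')

    # -Directory also returns directory symlinks: they carry both the
    # Directory and ReparsePoint attributes.
    foreach ($entry in Get-ChildItem -LiteralPath $Path -Directory -Force) {
        $findings  = New-Object System.Collections.Generic.List[string]
        $isReparse = ($entry.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0

        # Legitimate platform folders are named like 4.18.25010.11-0
        if ($entry.Name -notmatch '^\d+\.\d+\.\d+\.\d+(-\d+)?$') {
            $findings.Add('name is not a Defender platform version')
        }

        if ($isReparse) {
            $findings.Add("reparse point ($($entry.LinkType))")
            # .Target is string[] on Windows PowerShell 5.1 and string on 7.x
            $target = @($entry.Target) | Select-Object -First 1
            if (-not $target) {
                $findings.Add('link has no readable target')
            } else {
                # Relative link targets are relative to the link's own directory
                if (-not [IO.Path]::IsPathRooted($target)) { $target = Join-Path $root $target }
                if (Test-Path -LiteralPath $target) {
                    $resolved = (Get-Item -LiteralPath $target -Force).FullName
                } else {
                    $resolved = $target
                    $findings.Add('dangling link (target missing)')
                }
                if (-not $resolved.StartsWith("$root\", [StringComparison]::OrdinalIgnoreCase)) {
                    $findings.Add("target outside Platform: $resolved")
                }
            }
        }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Folder   = $entry.FullName
                Created  = $entry.CreationTime
                Findings = $findings -join '; '
            }
        }
    }
}

function Get-DefenderPlatformCreateRights {
    param([string]$Path = $PlatformPath)
    # Subfolder creation needs the CreateDirectories bit (0x4, also contained in
    # Write/Modify/FullControl) or a generic GENERIC_WRITE/GENERIC_ALL grant
    # (0x40000000/0x10000000), which some ACEs expose as raw integers rather
    # than named FileSystemRights values.
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        $rights    = [int]$ace.FileSystemRights
        $canCreate = (($rights -band 0x4) -ne 0) -or (($rights -band 0x50000000) -ne 0)
        if ($ace.AccessControlType -eq 'Allow' -and $canCreate -and
            $TrustedWriters -notcontains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-DefenderPlatformAnomalies   | Format-Table -AutoSize
Get-DefenderPlatformCreateRights | Format-Table -AutoSize
```

On a default installation the second function will report the administrators' ACE that the article says makes folder creation possible, so its output is a baseline to compare against rather than a finding by itself; the first function's output should normally be empty. Scheduling the anomaly check to run after each reboot (the point at which the article says WinDefend re-evaluates the Platform folders) gives the earliest practical detection window for an unauthorized entry.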
The post Windows Defender Flaw Enables Service Hijacking via Symbolic Links appeared first on Cyber Security News.