Create a random staging directory. Ingress an encoded agent payload along with a vulnerable Windows Defender binary.
Copy the on target certutil payload to the directory then decode the agent payload and side-load it by launch the vulnerable
Windows Defender.