LockBit Operators Abuse Microsoft Defender To Load Cobalt Strike Beacon


Researchers at the cybersecurity firm SentinelOne have discovered that Microsoft’s Windows Defender is being exploited by a threat actor involved in the LockBit 3.0 ransomware operation to load Cobalt Strike beacons on potentially compromised systems and evade EDR and AV detection tools.

The researchers found that Microsoft Defender’s command-line tool “MpCmdRun.exe” was misused to sideload malicious DLLs that decrypt and install Cobalt Strike beacons on victims’ PCs.

For those who don’t know, MpCmdRun is an important part of Microsoft’s Windows security system that helps protect your PC from online threats and malware.

“During a recent investigation, we found that threat actors were misusing the Windows Defender command-line tool MpCmdRun.exe to decrypt and load Cobalt Strike payloads,” SentinelOne wrote in detail about the new attack in its blog post.

lokbit sideloading attack

In both cases, the initial compromise on the target occurred by exploiting the Log4j vulnerability against an unpatched VMWare Horizon Server to run PowerShell code. and Control (C2) server.

The threat actor downloads a malicious DLL, the encrypted payload and the legitimate tool from their controlled C2:

Specifically, the threat actor uses the legitimate Windows Defender command-line tool MpCmdRun.exe to decode and load Cobalt Strike payloads.

[…] MpCmd.exe (sic) being abused to load an armed mpclient.dllwhich loads and decodes Cobalt Strike Beacon from the c0000015.log file.

As such, the components used in the attack are specifically related to using the Windows Defender command-line tool:

File name Description
mpclient.dll Armed DLL loaded by MpCmdRun.exe
MpCmdRun.exe Genuine/Signed Microsoft Defender Utility
C0000015.log Encrypted Cobalt Strike Charge

For more technical details, check out the official blog post here.

Leave a Comment