Researchers from the cybersecurity company SentinelOne have found that Microsoft's Windows Defender is being abused by a threat actor associated with the LockBit 3.0 ransomware operation to load Cobalt Strike beacons onto compromised systems while evading EDR and antivirus detection.
The researchers found that Microsoft Defender's command line tool, MpCmdRun.exe, was abused to side-load a malicious DLL that decrypts and installs a Cobalt Strike beacon on victims' PCs.
For those unaware, MpCmdRun.exe is the command-line utility of Microsoft Defender Antivirus, used to run scans, update signatures and manage quarantined files. Because it is a legitimate, Microsoft-signed binary, security tools tend to trust it, which is exactly what makes it attractive for side-loading a DLL of the attacker's choosing.
“During a recent investigation, we found that threat actors were abusing the Windows Defender command line tool MpCmdRun.exe to decrypt and load Cobalt Strike payloads,” SentinelOne wrote in the blog post detailing the new attack.
In both cases SentinelOne investigated, the initial compromise occurred by exploiting the Log4j vulnerability against an unpatched VMware Horizon server to run PowerShell code, which downloaded MpCmdRun.exe, the malicious mpclient.dll, and the encrypted Cobalt Strike payload file from the attacker's Command-and-Control (C2) server.
The threat actor downloads a malicious DLL, the encrypted payload, and the legitimate tool from their controlled C2.
Notably, the threat actor leverages the legitimate Windows Defender command line tool MpCmdRun.exe to decrypt and load Cobalt Strike payloads.
[…] MpCmd.exe (sic) is abused to side-load a weaponized mpclient.dll, which loads and decrypts Cobalt Strike Beacon from the c0000015.log file.
As such, the components used in the attack specifically related to the use of the Windows Defender command line tool are:
| Filename | Description |
| --- | --- |
| mpclient.dll | Weaponized DLL side-loaded by MpCmdRun.exe |
| MpCmdRun.exe | Legitimate, signed Microsoft Defender command-line utility |
| c0000015.log | Encrypted Cobalt Strike Beacon payload |
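Because MpCmdRun.exe is a genuine, signed Microsoft binary, blocking the executable itself is not an option; what distinguishes the abuse from normal Defender activity is where the tool runs from and where mpclient.dll is loaded from. The following detection logic is an added example, not code from the article or from SentinelOne's post. It runs over Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) events that are constructed inline for illustration, and it assumes Defender's default installation directories (the base directory under Program Files and the versioned platform directory under ProgramData); real deployments may need that list extended.

```python
"""Detect MpCmdRun.exe / mpclient.dll side-loading in Sysmon-style events.

Added example (not from the article or SentinelOne's post). Two signals:
  1. A binary whose PE OriginalFileName is MpCmdRun.exe executing outside
     Defender's install directories (a renamed copy is still caught).
  2. mpclient.dll loaded from outside those directories, or without a
     valid Microsoft signature.
Sample events, paths and version strings below are constructed.
"""
import ntpath
import re
from dataclasses import dataclass

# Assumption: default Defender locations. Files must sit directly inside
# the base install directory or a versioned platform directory.
TRUSTED_DIR_PATTERNS = [
    re.compile(r"^c:\\program files\\windows defender\\[^\\]+$", re.I),
    re.compile(r"^c:\\programdata\\microsoft\\windows defender\\platform\\[^\\]+\\[^\\]+$", re.I),
]


def in_trusted_dir(path: str) -> bool:
    """True when the file lives in a directory Defender itself owns."""
    return any(p.match(path) for p in TRUSTED_DIR_PATTERNS)


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


def check_process_create(ev: dict) -> list[Alert]:
    """Sysmon EID 1: the Defender CLI running from an attacker-writable path.
    OriginalFileName comes from the PE version resource, so renaming the
    dropped copy does not evade the check."""
    alerts: list[Alert] = []
    if ev.get("OriginalFileName", "").lower() != "mpcmdrun.exe":
        return alerts
    image = ev["Image"]
    if not in_trusted_dir(image):
        alerts.append(Alert("mpcmdrun_untrusted_path", image))
    if ntpath.basename(image).lower() != "mpcmdrun.exe":
        alerts.append(Alert("mpcmdrun_renamed", image))
    return alerts


def check_image_load(ev: dict) -> list[Alert]:
    """Sysmon EID 7: mpclient.dll loaded from a non-Defender directory or
    carrying anything other than a valid Microsoft signature."""
    alerts: list[Alert] = []
    loaded = ev["ImageLoaded"]
    if ntpath.basename(loaded).lower() != "mpclient.dll":
        return alerts
    if not in_trusted_dir(loaded):
        alerts.append(Alert("mpclient_sideload_path", f"{ev['Image']} -> {loaded}"))
    if ev.get("SignatureStatus") != "Valid" or not ev.get("Signature", "").startswith("Microsoft"):
        alerts.append(Alert("mpclient_bad_signature", loaded))
    return alerts


def scan(events: list[dict]) -> list[Alert]:
    """Apply both rules to a stream of events and return every alert raised."""
    alerts: list[Alert] = []
    for ev in events:
        if ev["EventID"] == 1:
            alerts.extend(check_process_create(ev))
        elif ev["EventID"] == 7:
            alerts.extend(check_image_load(ev))
    return alerts


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    # Benign: scheduled signature update from the install directory.
    {"EventID": 1, "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "OriginalFileName": "MpCmdRun.exe", "CommandLine": "MpCmdRun.exe -SignatureUpdate"},
    # Benign: the real CLI loading the real DLL from the platform directory.
    {"EventID": 7, "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2205.7-0\MpCmdRun.exe",
     "ImageLoaded": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2205.7-0\mpclient.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    # Suspicious: a copy of the signed tool dropped into a writable directory...
    {"EventID": 1, "Image": r"C:\Users\Public\MpCmdRun.exe",
     "OriginalFileName": "MpCmdRun.exe", "CommandLine": "MpCmdRun.exe"},
    # ...which side-loads an unsigned mpclient.dll from the same place.
    {"EventID": 7, "Image": r"C:\Users\Public\MpCmdRun.exe",
     "ImageLoaded": r"C:\Users\Public\mpclient.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    # Suspicious: the same binary renamed; OriginalFileName still gives it away.
    {"EventID": 1, "Image": r"C:\Temp\update.exe",
     "OriginalFileName": "MpCmdRun.exe", "CommandLine": "update.exe"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert.rule}: {alert.detail}")
```

On the constructed sample, the two benign events raise nothing and the three attacker events raise five alerts. The path check alone is enough to catch the case described here, where the whole toolkit lands in one attacker-controlled directory; the signature check covers the variant where only the DLL is swapped. A file-creation event for c0000015.log next to a copy of MpCmdRun.exe is a further indicator specific to this campaign, but the two rules above generalize to any side-loading of mpclient.dll.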
For more technical details, see SentinelOne's blog post.