Researchers at SentinelLabs reported that a LockBit affiliate has begun leveraging the legitimate Windows Defender command line tool “MpCmdRun.exe” in order to decrypt and load Cobalt Strike beacons.
The LockBit attack began with Log4j exploitation against an out-of-date VMware Horizon server. The threat actor modified the Blast Secure Gateway component of VMware Horizon to plant a PowerShell-based web shell for initial access.
The operator then downloaded three malicious files onto the victim host: “mpclient.dll”, “C0000015.log”, and a copy of “MpCmdRun.exe”. Using DLL side-loading, the operator executed the legitimate Windows Defender tool “MpCmdRun.exe” so that the malicious “mpclient.dll” was loaded in place of the legitimate library. Once loaded, the malicious DLL decrypted and loaded the Cobalt Strike beacon stored inside “C0000015.log”, establishing persistent command and control (C2).
Defenders should stay alert to the evolving use of living-off-the-land binaries and scripts (LOLBAS) to evade security controls. Because native Windows binaries are trusted, these techniques can evade EDR and AV tools. Establishing a baseline of normal endpoint process activity helps identify unusual use of native Windows tools. Custom EDR and SIEM detections that incorporate an organization’s unique baseline and focus on post-exploitation activity, part of Binary Defense’s Threat Hunting services, are recommended for detecting LOLBAS abuse.
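As an added example (not code from the SentinelLabs or Binary Defense write-up), the following Python applies the baseline-style checks described above to constructed Sysmon-like process-creation (Event ID 1) and image-load (Event ID 7) records: MpCmdRun.exe running outside its install directory, MpCmdRun.exe spawned by an unexpected parent, and mpclient.dll loaded from an untrusted path. The trusted Defender directories and the expected-parent set are assumptions standing in for an organization's own baseline.

```python
import ntpath

# Directories where the genuine Windows Defender binaries normally reside
# (an assumed baseline for this example; tune to your own inventory).
TRUSTED_DEFENDER_DIRS = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
)
# Parents an organization might expect to launch MpCmdRun.exe (assumed);
# a scripting host such as powershell.exe spawning it is the anomaly here.
EXPECTED_PARENTS = {"svchost.exe", "msmpeng.exe", "taskeng.exe"}

def in_trusted_dir(path):
    """True if the path sits under one of the baseline Defender directories."""
    return path.lower().startswith(TRUSTED_DEFENDER_DIRS)

def analyze(events):
    """Return (rule, detail) findings for a list of Sysmon-style event dicts."""
    findings = []
    for ev in events:
        image = ev["Image"]
        name = ntpath.basename(image).lower()
        if ev["EventID"] == 1 and name == "mpcmdrun.exe":
            if not in_trusted_dir(image):
                findings.append(("mpcmdrun_untrusted_path", image))
            parent = ntpath.basename(ev.get("ParentImage", "")).lower()
            if parent and parent not in EXPECTED_PARENTS:
                findings.append(("mpcmdrun_unusual_parent", parent))
        elif ev["EventID"] == 7:
            loaded = ev["ImageLoaded"]
            # The side-loaded DLL keeps the legitimate name but a foreign path.
            if ntpath.basename(loaded).lower() == "mpclient.dll" and not in_trusted_dir(loaded):
                findings.append(("mpclient_sideload", f"{image} -> {loaded}"))
    return findings

# Constructed sample telemetry: two benign records, then the side-loading pattern.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Program Files\\Windows Defender\\MpCmdRun.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": 7, "Image": "C:\\Program Files\\Windows Defender\\MpCmdRun.exe",
     "ImageLoaded": "C:\\Program Files\\Windows Defender\\mpclient.dll"},
    {"EventID": 1, "Image": "C:\\Users\\Public\\MpCmdRun.exe",
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"EventID": 7, "Image": "C:\\Users\\Public\\MpCmdRun.exe",
     "ImageLoaded": "C:\\Users\\Public\\mpclient.dll"},
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The two benign records produce no findings; the copied MpCmdRun.exe yields an untrusted-path and an unusual-parent finding, and the foreign mpclient.dll yields a side-load finding.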