Threat Watch

LockBit Affiliates Utilize Windows Defender LOLBAS to Load Cobalt Strike

Researchers at SentinelLabs reported that a LockBit affiliate has begun leveraging the legitimate Windows Defender command line tool “MpCmdRun.exe” in order to decrypt and load Cobalt Strike beacons.

The LockBit attack began as a Log4j exploitation against an out-of-date VMware Horizon server. By modifying the Blast Secure Gateway component of VMware Horizon, the threat actor achieved a PowerShell based web shell for initial access.

The operator then downloaded three malicious files on to the victim host: “mpclient.dll”, “C0000015.log”, and a copy of “MpCmdRun.exe”. Using DLL side-loading techniques, the operator executed the legitimate Windows Defender tool “MpCmdRun.exe” so that the malicious DLL was loaded instead of a legitimate one. Once the malicious DLL is loaded, it decrypts and loads the Cobalt Strike beacon located inside “C0000015.log” to establish persistent Command and Control (C2).

Subscribe to Threat Watch

Daily summaries of threats, delivered straight to your inbox!


Click Here to Subscribe to Threat Watch

ANALYST NOTES

Defenders are encouraged to be alert to evolving use of living off the land scripts and binaries (LOLBAS) to evade security controls. Due to the trusted nature of native Windows binaries, these techniques have the potential to evade EDR and AV tools. Establishing a baseline for endpoint processes can help in determining unusual usages of native Windows tools. Custom EDR and SIEM detections that incorporate an organization’s unique baseline activity and focus on post exploitation activity, a part of Binary Defense’s Threat Hunting services, are recommended in order to detect LOLBAS exploitation.

https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/

Facebook Twitter Instagram Youtube Linkedin
Solutions
Become a Reseller

Industries

Resources

About

Contact Us
Contact Support