LockBit operator exploits Windows Defender in order to load Cobalt Strike

A threat actor linked to the LockBit 3.0 ransomware operation is exploiting the Windows Defender command line tool to install Cobalt Strike beacons on compromised systems and avoid detection by security software.

Sentinel Labs researchers discovered the use of Microsoft Defender’s “MpCmdRun.exe” tool to side-load malicious DLLs that decrypt and install Cobalt strike beacons.

Threat actors download three files after gaining access to a target system: a clean copy of a Windows CL utility, a DLL file, and a LOG file.

MpCmdRun.exe is a command line utility that supports commands to scan for malware, collect information, restore items, and perform diagnostic tracing, among other things.

The executed code loads and decrypts a Cobalt Strike payload encrypted in the “c0000015.log” file. Organizations must audit their security controls and monitor the use of legitimate executables that could be used by attackers.