A threat actor associated with the LockBit 3.0 ransomware operation is abusing the Windows Defender command line tool to load Cobalt Strike beacons on compromised systems and evade detection by security software.
Cobalt Strike is a legitimate penetration testing suite with extensive features popular among threat actors to perform stealthy network reconnaissance and lateral movement before stealing data and encrypting it.
However, security solutions have become better at detecting Cobalt Strike beacons, causing threat actors to look for innovative ways to deploy the toolkit.
In a recent incident response case for a LockBit ransomware attack, researchers at Sentinel Labs noticed the abuse of Microsoft Defender’s command line tool “MpCmdRun.exe” to side-load malicious DLLs that decrypt and install Cobalt Strike beacons.
The initial network compromise in both cases was achieved by exploiting a Log4j flaw on vulnerable VMware Horizon servers to run PowerShell code.
Side-loading Cobalt Strike beacons on compromised systems isn’t new for LockBit, as there are reports about similar infection chains relying on the abuse of VMware command line utilities.
Abusing Microsoft Defender
After establishing access to a target system and gaining the required user privileges, the threat actors use PowerShell to download three files: a clean copy of a Windows command line utility, a DLL file, and a LOG file.
MpCmdRun.exe is a command line utility to perform Microsoft Defender tasks, and it supports commands to scan for malware, collect information, restore items, perform diagnostic tracing, and more.
When executed, MpCmdRun.exe loads a legitimate DLL named “mpclient.dll” that is required for the program to operate correctly.
In the case analyzed by SentinelLabs, the threat actors created their own weaponized version of mpclient.dll and placed it in a location that the Windows DLL search order checks before the legitimate copy, so the malicious DLL is the one that gets loaded.
Abused executable signed by Microsoft (Sentinel Labs)
The executed code loads and decrypts an encrypted Cobalt Strike payload from the “c0000015.log” file, dropped along with the other two files from the earlier stage of the attack.
LockBit 3.0 attack chain (Sentinel Labs)
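The side-loading chain above can be spotted from image-load telemetry: MpCmdRun.exe should only ever load mpclient.dll from Defender's own install directories. The following detection logic is an added example, not code from the article or from SentinelLabs; the log format, the sample events and the list of trusted Defender directories are assumptions for illustration.

```python
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed baseline: directories from which Defender's own binaries are expected to load.
TRUSTED_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)

# Constructed sample image-load events in a hypothetical "process|module|signed" format.
SAMPLE_EVENTS = [
    r"C:\Program Files\Windows Defender\MpCmdRun.exe|C:\Program Files\Windows Defender\mpclient.dll|true",
    r"C:\Users\Public\MpCmdRun.exe|C:\Users\Public\mpclient.dll|false",
    r"C:\ProgramData\Microsoft\Windows Defender\Platform\<version>\MpCmdRun.exe|C:\ProgramData\Microsoft\Windows Defender\Platform\<version>\mpclient.dll|true",
    r"C:\Windows\Temp\MpCmdRun.exe|C:\Windows\Temp\mpclient.dll|true",
    r"C:\Program Files\Windows Defender\MpCmdRun.exe|C:\Program Files\Windows Defender\mpclient.dll|false",
    r"C:\Windows\System32\svchost.exe|C:\Windows\System32\ntdll.dll|true",
]

@dataclass
class Finding:
    process: str
    module: str
    reason: str

def _under_trusted(path: str) -> bool:
    # Compare the module's directory (case-insensitively) against the trusted prefixes.
    d = ntpath.dirname(path).lower()
    return any(d == t or d.startswith(t + "\\") for t in TRUSTED_DIRS)

def parse_event(line: str) -> Optional[Tuple[str, str, bool]]:
    parts = line.split("|")
    if len(parts) != 3:
        return None
    process, module, signed = (p.strip() for p in parts)
    return process, module, signed.lower() == "true"

def detect_mpcmdrun_sideload(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        process, module, signed = ev
        # Only the MpCmdRun.exe -> mpclient.dll pairing described in the article is of interest.
        if ntpath.basename(process).lower() != "mpcmdrun.exe":
            continue
        if ntpath.basename(module).lower() != "mpclient.dll":
            continue
        if not _under_trusted(module):
            findings.append(Finding(process, module, "mpclient.dll loaded from outside Defender's install directories"))
        elif not signed:
            findings.append(Finding(process, module, "unsigned mpclient.dll loaded from a trusted Defender directory"))
    return findings
```

Running `detect_mpcmdrun_sideload(SAMPLE_EVENTS)` flags the two relocated copies and the unsigned DLL in the trusted path, while the legitimate loads pass.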
While it’s unclear why the LockBit affiliate switched from VMware to Windows Defender command line tools for side-loading Cobalt Strike beacons, it might be to bypass targeted protections implemented in response to the previous method.
Using “living off the land” tools to evade EDR and AV detection is extremely common these days; hence organizations need to review their security controls and remain vigilant in tracking the use of legitimate executables that attackers could abuse.