Subject: LockBit Ransomware Sideloads Cobalt Strike Through Microsoft Security Tool
OVERVIEW: Threat actors can abuse the legitimate Microsoft Defender command line tool MpCmdRun.exe to sideload a malicious mpclient.dll that decrypts and loads Cobalt Strike payloads.
SYSTEMS AFFECTED: Windows systems. The signed MpCmdRun.exe ships with Windows Defender, and in the observed intrusion the actor also downloaded their own copy of the binary, so the technique does not depend on the local Defender installation.
RISK: A signed, trusted Microsoft binary loads and executes attacker-supplied code, allowing a Cobalt Strike beacon to run under the guise of a Defender utility and evade controls that trust Microsoft-signed executables.
THREAT SUMMARY:
On July 28, 2022 SentinelLabs revealed that threat actors have been using the legitimate Windows Defender command line tool MpCmdRun.exe to sideload a malicious mpclient.dll. Once an actor has a foothold with sufficient privileges, they use PowerShell to download three files from attacker-controlled infrastructure: the malicious mpclient.dll, an encrypted payload file, and a copy of the legitimate MpCmdRun.exe. When MpCmdRun.exe starts it loads mpclient.dll, and a copy placed in an attacker-controlled directory resolves that DLL from the same directory, so the attacker's mpclient.dll runs in place of Microsoft's. The malicious DLL then decrypts the payload file and loads the Cobalt Strike beacon into the trusted process.
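Detection logic for the behaviour described above, as an added example that is not part of the original advisory, the SentinelLabs report, or CyFlare's own rules: it runs over constructed Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) records and flags MpCmdRun.exe executing from, or mpclient.dll being loaded from, anywhere other than Microsoft Defender's installation directories, as well as any mpclient.dll that is not signed. The sample events, process IDs and platform version string are constructed; the allow-listed directories are the stock Defender locations on a default Windows install and may need extending for non-standard deployments.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Directories from which Microsoft Defender's own binaries run on a stock
# Windows install. MpCmdRun.exe or mpclient.dll anywhere else is suspicious.
LEGIT_DEFENDER_DIRS = (
    re.compile(r"^c:\\program files\\windows defender\\$"),
    re.compile(r"^c:\\programdata\\microsoft\\windows defender\\platform\\[^\\]+\\$"),
)


def split_path(path: str) -> tuple[str, str]:
    """Return (directory with trailing backslash, basename), both lower-cased."""
    directory, _, name = path.lower().rpartition("\\")
    return directory + "\\", name


def in_legit_defender_dir(directory: str) -> bool:
    return any(pattern.match(directory) for pattern in LEGIT_DEFENDER_DIRS)


@dataclass
class Finding:
    rule: str
    process_id: int
    detail: str


def check_process_create(event: dict) -> Optional[Finding]:
    """Sysmon Event ID 1: flag MpCmdRun.exe started from a non-Defender directory."""
    directory, name = split_path(event["Image"])
    if name != "mpcmdrun.exe" or in_legit_defender_dir(directory):
        return None
    return Finding("mpcmdrun_unusual_path", event["ProcessId"],
                   f"{event['Image']} launched with: {event['CommandLine']}")


def check_image_load(event: dict) -> Optional[Finding]:
    """Sysmon Event ID 7: flag mpclient.dll loaded from outside Defender's
    directories or without a valid signature (the attacker's DLL is not
    Microsoft-signed even though the host process is)."""
    directory, name = split_path(event["ImageLoaded"])
    if name != "mpclient.dll":
        return None
    signed = event.get("Signed", "false").lower() == "true"
    if in_legit_defender_dir(directory) and signed:
        return None
    return Finding("mpclient_sideload", event["ProcessId"],
                   f"{event['Image']} loaded {event['ImageLoaded']} "
                   f"(Signed={event.get('Signed', 'unknown')})")


def scan_events(events: list[dict]) -> list[Finding]:
    """Apply the two checks to a stream of Sysmon-style event dicts."""
    checks = {1: check_process_create, 7: check_image_load}
    findings = []
    for event in events:
        check = checks.get(event["EventID"])
        finding = check(event) if check else None
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry (not real logs): a benign scheduled scan from the
# Defender platform directory, then a copy of the legitimate tool run from a
# writable directory next to an attacker-supplied mpclient.dll.
DEFENDER_PLATFORM = r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2205.7-0"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120,
     "Image": DEFENDER_PLATFORM + r"\MpCmdRun.exe",
     "CommandLine": "MpCmdRun.exe -Scan -ScanType 1"},
    {"EventID": 7, "ProcessId": 4120,
     "Image": DEFENDER_PLATFORM + r"\MpCmdRun.exe",
     "ImageLoaded": DEFENDER_PLATFORM + r"\mpclient.dll",
     "Signed": "true"},
    {"EventID": 1, "ProcessId": 9876,
     "Image": r"C:\Users\Public\MpCmdRun.exe",
     "CommandLine": "MpCmdRun.exe -h"},
    {"EventID": 7, "ProcessId": 9876,
     "Image": r"C:\Users\Public\MpCmdRun.exe",
     "ImageLoaded": r"C:\Users\Public\mpclient.dll",
     "Signed": "false"},
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(f"[{finding.rule}] pid={finding.process_id}: {finding.detail}")
```

Image-load telemetry is what makes the second rule possible; Sysmon does not record Event ID 7 unless the configuration asks for it, so confirm that mpclient.dll (or all DLLs loaded by MpCmdRun.exe) is covered before relying on this check. The path-based rule on Event ID 1 needs only process-creation logging and catches the case where the attacker brings their own copy of the binary, which is what the SentinelLabs report describes.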
CyFlare Actions Taken:
• Stellar Cyber – BDS: We have implemented a custom rule to detect command line activity associated with this technique.
• SentinelOne: We have implemented a custom STAR query to detect the currently known indicators of compromise for this activity.
Developing Situation: The SOC will continue to research related threats as they emerge in the wild or are reported by the security community. The SOC will also hunt for related indicators of compromise across client environments and, for clients with the Vulnerability Management Service, scan for associated vulnerabilities.