Beware: LockBit actors using Microsoft Defender to infect PCs with Cobalt Strike beacon

Bug on Windows Defender

Cybersecurity research company SentinelOne has published news today that should put Microsoft on high alert if it's not already. The former has discovered that the Redmond's giant in-house anti-malware solution is being abused to load Cobalt Strike beacon on to potential victims. The threat actors in this case are LockBit Ransomware as a Service (RaaS) operators and affiliates who are using the dedicated command-line tool in Defender dubbed "mpcmdrun.exe", among other things, to infect victim PCs.

In its blog post describing this new attack, SentinelOne says:

During a recent investigation, we found that threat actors were abusing the Windows Defender command line tool MpCmdRun.exe to decrypt and load Cobalt Strike payloads.


Notably, the threat actor leverages the legitimate Windows Defender command line tool MpCmdRun.exe to decrypt and load Cobalt Strike payloads.

The attack process works pretty much the same way as a previous VMware CLI case. The threat actors essentially exploit the Log4j vulnerability to download the MpCmdRun, the "mpclient" malicious DLL file and the encrypted Cobalt Strike payload file from its Command-and-Control (C2) server to infect a potential victim's system.

[...] MpCmd.exe (sic) is abused to side-load a weaponized mpclient.dll, which loads and decrypts Cobalt Strike Beacon from the c0000015.log file.

As such, the components used in the attack specifically related to the use of the Windows Defender command line tool are:

Filename Description


Legitimate/signed Microsoft Defender utility
mpclient.dll Weaponized DLL loaded by MpCmdRun.exe


Encrypted Cobalt Strike payload

The following diagram shows the attack chain:

Defender used to deliver malicious Cobalt Strike payload

You can find the Indicators of Compromise as well as more technical details on the official blog post here.

Report a problem with article
Intel Arc logo on a blue background
Next Article

Intel Arc beta driver fixes Forza Horizon 5, Call of Duty bugs, and more

Amazon Drive logo on sunset background
Previous Article

Amazon is killing its cloud storage service, Amazon Drive, after 11 years

Join the conversation!

Login or Sign Up to read and post a comment.

18 Comments - Add comment