Cybersecurity research company SentinelOne has published news today that should put Microsoft on high alert if it's not already. The firm has discovered that the Redmond giant's in-house anti-malware solution is being abused to load the Cobalt Strike Beacon onto potential victims' machines. The threat actors in this case are LockBit Ransomware-as-a-Service (RaaS) operators and affiliates, who are using the dedicated command-line tool in Defender, "MpCmdRun.exe", among other things, to infect victim PCs.
In its blog post describing this new attack, SentinelOne says:
During a recent investigation, we found that threat actors were abusing the Windows Defender command line tool MpCmdRun.exe to decrypt and load Cobalt Strike payloads.
[...]
Notably, the threat actor leverages the legitimate Windows Defender command line tool MpCmdRun.exe to decrypt and load Cobalt Strike payloads.
The attack process works much the same way as a previous VMware CLI case. The threat actors essentially exploit the Log4j vulnerability to download MpCmdRun.exe, the malicious "mpclient" DLL file and the encrypted Cobalt Strike payload file from their Command-and-Control (C2) server onto a potential victim's system.
[...] MpCmd.exe (sic) is abused to side-load a weaponized mpclient.dll, which loads and decrypts Cobalt Strike Beacon from the c0000015.log file.
As such, the components used in the attack specifically related to the use of the Windows Defender command line tool are:
Filename       Description
MpCmdRun.exe   Legitimate/signed Microsoft Defender utility
mpclient.dll   Weaponized DLL loaded by MpCmdRun.exe
C0000015.log   Encrypted Cobalt Strike payload
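As an added illustration (not code from SentinelOne's post or this article), the following Python sketch shows how a defender might flag this side-load pattern in image-load telemetry: a process named MpCmdRun.exe mapping an mpclient.dll from outside Defender's install directories, or one that is not Microsoft-signed. The Defender root paths, the Sysmon-style event shape and the sample events are assumptions constructed for the example.

```python
import ntpath
from dataclasses import dataclass

# Where a stock Windows install keeps Defender's own binaries. Assumption for this
# example: a legitimate MpCmdRun.exe / mpclient.dll pair lives under one of these roots.
DEFENDER_ROOTS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)

@dataclass
class ImageLoadEvent:
    """Minimal Sysmon Event ID 7 (ImageLoaded) record, constructed for this example."""
    image: str         # process that performed the load
    image_loaded: str  # DLL that was mapped into it
    signed: bool       # DLL carried a valid Authenticode signature
    signature: str     # signer name as reported by the sensor ("" if unsigned)

def _under_defender_root(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(root + "\\") for root in DEFENDER_ROOTS)

def sideload_reasons(ev: ImageLoadEvent) -> list:
    """Reasons this load matches the MpCmdRun.exe -> mpclient.dll side-load pattern ([] = none)."""
    if ntpath.basename(ev.image).lower() != "mpcmdrun.exe":
        return []
    if ntpath.basename(ev.image_loaded).lower() != "mpclient.dll":
        return []
    reasons = []
    if not _under_defender_root(ev.image):
        reasons.append("MpCmdRun.exe running outside the Defender install directories")
    if not _under_defender_root(ev.image_loaded):
        reasons.append("mpclient.dll loaded from outside the Defender install directories")
    if not ev.signed or "microsoft" not in ev.signature.lower():
        reasons.append("mpclient.dll is not Microsoft-signed")
    return reasons

def find_sideload_candidates(events) -> list:
    """Reduce an event stream to (event, reasons) pairs that deserve triage."""
    return [(ev, sideload_reasons(ev)) for ev in events if sideload_reasons(ev)]

# Constructed sample telemetry: a legitimate scan, the tool copied to a user-writable
# folder next to an unsigned DLL of the same name, and an unrelated DLL load.
PLATFORM = r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0"
SAMPLE_EVENTS = [
    ImageLoadEvent(PLATFORM + r"\MpCmdRun.exe", PLATFORM + r"\mpclient.dll", True, "Microsoft Windows"),
    ImageLoadEvent(r"C:\Users\Public\MpCmdRun.exe", r"C:\Users\Public\mpclient.dll", False, ""),
    ImageLoadEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\kernel32.dll", True, "Microsoft Windows"),
]
```

Running `find_sideload_candidates(SAMPLE_EVENTS)` returns only the second event, with all three reasons; the legitimate scan and the unrelated load produce no hit.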
The following diagram shows the attack chain:
You can find the Indicators of Compromise as well as more technical details on the official blog post here.