Windows Defender Command Line Abused by LockBit Hackers to Load CobaltStrike

According to the Sentinel Labs researchers, LockBit ransomware operators have been abusing Microsoft Defender’s command line tool “MpCmdRun.exe” to side-load malicious DLLs that decrypt and install Cobalt Strike beacons. The tactic of side-loading Cobalt Strike on targeted systems has previously been used by LockBit, as indicated by the previous abuse of VMware command line utilities. The initial compromise method also stayed the same - in both cases attackers exploited a Log4j flaw on vulnerable VMWare Horizon Servers to run PowerShell code. Read more...