LockBit operator abuses Windows Defender to load Cobalt Strike


A threat actor associated with the LockBit 3.0 ransomware operation is abusing the Windows Defender command line tool to load Cobalt Strike beacons on compromised systems and evade detection by security software.

Cobalt Strike is a legitimate penetration testing suite with extensive features popular among threat actors to perform stealthy network reconnaissance and lateral movement before stealing data and encrypting it.

However, security solutions have become better at detecting Cobalt Strike beacons, causing threat actors to look for innovative ways to deploy the toolkit.

In a recent incident response case for a LockBit ransomware attack, researchers at Sentinel Labs noticed the abuse of Microsoft Defender’s command line tool “MpCmdRun.exe” to side-load malicious DLLs that decrypt and install Cobalt Strike beacons.

The initial network compromise in both cases was conducted by exploiting a Log4j flaw on vulnerable VMware Horizon servers to run PowerShell code.

Side-loading Cobalt Strike beacons on compromised systems isn’t new for LockBit, as there are reports about similar infection chains relying on the abuse of VMware command line utilities.

Andy Ful

The title of the article can be incorrectly understood. This attack does not abuse Windows Defender protection. It can be performed with any antivirus installed, because the LOLBin MpCmdRun is a part of the Windows system.
Such attacks are strictly related to Enterprises. The DLL side-loading via abusing outdated & vulnerable legitimate tools is commonly used there for persistence and masquerading. The attackers intentionally choose the outdated binaries of Antivirus (Microsoft Defender, McAfee, Kaspersky, Symantec, etc.) or software popular in Enterprises (Citrix, Google, Java, Microsoft, VMware, etc.) - the purpose is to hide under something that looks normal among many administrative events.


Many examples can be found here:

Anyway, attacks via DLL side-loading can also be used against home users to avoid some anti-0-day security layers (like SmartScreen, some ASR rules, Avast CyberCapture, etc.). But then, the attackers will not use the executables related to AVs, but rather outdated & vulnerable versions of applications used at home.
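
A detection-side sketch for the side-loading pattern discussed in this thread, added here as an example and not taken from either post or from the Sentinel Labs report. It assumes the copied binary runs from a non-default directory; the event field names, the sample paths and the DLL name are constructed, and the expected directories are the default Windows install locations of MpCmdRun.exe.

```python
import ntpath

# Default install directories of the genuine binary (assumption; extend the map per estate).
EXPECTED_DIRS = {
    "mpcmdrun.exe": (
        r"c:\program files\windows defender",
        r"c:\programdata\microsoft\windows defender\platform",
    ),
}

def _norm(path):
    return ntpath.normcase(ntpath.normpath(path))

def in_expected_dir(image):
    """True/False for a watched binary, None if the binary is not watched."""
    image = _norm(image)
    roots = EXPECTED_DIRS.get(ntpath.basename(image))
    if roots is None:
        return None
    folder = ntpath.dirname(image)
    return any(folder == r or folder.startswith(r + "\\") for r in roots)

def triage(events):
    """Return (reason, event) pairs for side-loading-shaped activity."""
    findings = []
    for ev in events:
        if in_expected_dir(ev["image"]) is not False:
            continue  # not watched, or running from its normal location
        if ev["type"] == "process_create":
            findings.append(("watched binary started from unexpected directory", ev))
        elif ev["type"] == "image_load":
            dll = _norm(ev["loaded"])
            same_dir = ntpath.dirname(dll) == ntpath.dirname(_norm(ev["image"]))
            if same_dir and not ev.get("signed", False):
                findings.append(("unsigned DLL loaded from beside relocated binary", ev))
    return findings

# Constructed sample events (field names are hypothetical, Sysmon-like).
SAMPLE = [
    {"type": "process_create", "image": r"C:\Program Files\Windows Defender\MpCmdRun.exe"},
    {"type": "process_create", "image": r"C:\Users\Public\Tools\MpCmdRun.exe"},
    {"type": "image_load", "image": r"C:\Users\Public\Tools\MpCmdRun.exe",
     "loaded": r"C:\Users\Public\Tools\example.dll", "signed": False},
    {"type": "image_load", "image": r"C:\Users\Public\Tools\MpCmdRun.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
]

if __name__ == "__main__":
    print(*[(r, e.get("loaded", e["image"])) for r, e in triage(SAMPLE)], sep="\n")
```

The same map can hold other signed vendor binaries of the kind listed in the reply above, each with its own expected install directories.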