LockBit Ransomware Abuses Legitimate Windows Defender Utility
The initial compromise happened via the Log4j vulnerability against an unpatched VMware Horizon server. The attackers modified the Blast Secure Gateway component of the application, installing a web shell using PowerShell code found documented here. Once initial access had been achieved, the threat actors ran a series of enumeration commands and attempted to run multiple post-exploitation tools, including Meterpreter, PowerShell Empire and a new way to side-load Cobalt Strike. In particular, when the attackers attempted to execute Cobalt Strike, SentinelOne observed a new, legitimate tool being used to side-load a malicious DLL that decrypts the payload. Previously observed defense-evasion techniques were also seen: removing the userland hooks of EDR/EPP products, Event Tracing for Windows and the Antimalware Scan Interface.