LockBit 3.0 Ransomware Attack Detection: Deploy Cobalt Strike Beacons Abusing Microsoft Defender
Table of contents:
LockBit threat actors have been recently under the spotlight in the cyber domain. In July 2022, the hacking collective hit the headlines by introducing the first-ever bug bounty program launched by a ransomware gang. In the latest cyber-attacks, the notorious ransomware group applies Living-off-the-Land tools by abusing the legitimate Microsoft Defender’s command-line utility to deploy Cobalt Stike beacons on the targeted systems while using a series of anti-analysis techniques to evade detection.
Detecting LockBit Attacks: Cobalt Strike Beacons Deployed by Abusing Microsoft Defender
Since it emerged in June 2022, LockBit 3.0 (aka LockBit Black) ransomware version poses an increasing menace to businesses worldwide. The novel strain features advanced functionality and leverages new tactics to increase the infection rates and ensure profits for RaaS ring affiliates. To help security practitioners identify the malicious activity associated with the latest LockBit campaign, the SOC Prime Team released a curated Sigma rule to detect possible Microsoft Defender abuse aimed at Cobalt Strike beacons sideloading.
Possible MpClient.dll Hijack (via image_load)
This detection supports translations to 20 SIEM, EDR, and XDR platforms. The rule is mapped to the MITRE ATT&CK® framework v.10, addressing the Defense Evasion tactic with DLL Search Order Hijacking (T1059) as the primary technique.
Eager to create your own Sigma rules to detect emerging threats and make the world a safer place? Join our Threat Bounty Program for cyber defenders, share your Sigma-based detection algorithms, and receive repeated payouts for your contribution.
The complete list of Sigma rules to detect any ransomware strain associated with LockBit hackers is available to all registered Detection as Code Platform users. Just hit the Detect & Hunt button and reach a dedicated list of algorithms available from the Threat Detection Marketplace repository. Non-registered users might check our Cyber Threats Search Engine to access relevant Sigma rules accompanied with MITRE ATT&CK context and CTI links. Press the Explore Threat Context button for a streamlined content search.
Detect & Hunt Explore Threat Context
Analyzing LockBit Ransomware Attacks: The Latest Campaign Sideloading Cobalt Strike Beacons
LockBit 3.0 (aka LockBit Black) resurfaced in the cyber threat arena as the next iteration of the LockBit RaaS family enhanced with more sophisticated capabilities and featuring a set of anti-analysis and anti-debugging techniques. The adversary activity of LockBit operators leveraging the RaaS model traces back to 2019 with the rapid evolution of applied malicious strains and an expanded arsenal of tools. Throughout 2020-2021, LockBit ranked among the most active and infamous malicious strains leveraging a variety of attack vectors and adversary techniques to spread infection. Commonly, ransomware maintainers used the phishing email attack vector to gain initial access to the compromised environment, followed by the reconnaissance stage to perform lateral movement and proceed with the infection process. In June 2021, the ransomware gang released the upgraded version LockBit 2.0, weaponizing unpatched vulnerabilities, zero-day exploits, and leveraging a wide range of adversary TTPs.
The latest iteration of the notorious RaaS operations abuses the Microsoft Defender’s tool to deploy Cobalt Strike payloads on the compromised systems. The LockBit attack chain starts by gaining initial access through the nefarious Log4Shell vulnerability exploitation on the vulnerable VMWare Horizon server to execute PowerShell code. After gaining required user privileges, attackers attempt to launch post-exploitation tools and load Cobalt Strike beacons. The legitimate Microsoft Defender’s command-line utility MpCmdRun.exe is applied for side-loading a malicious DLL file, which decrypts and deploys the payloads.
With LockBit ransomware operators expanding their adversary toolkit through the use of Living-off-the-Land tools, timely detection of tricky ransomware attacks of such scale and sophistication requires keen attention from cyber defenders. SOC Prime’s Detection as Code platform enables cybersecurity professionals to seamlessly boost their threat detection capabilities and increase threat hunting velocity while constantly staying ahead of current and emerging ransomware attacks. Seasoned and aspiring Detection Engineers and Threat Hunters are prompted to join Threat Bounty Program to enrich the collaborative expertise with their detection content, monetize their input, and contribute to the future of cyber defense.