Lockbit3.0-MpClient-Defender-PoC
Lockbit3.0 Microsoft Defender MpClient.dll DLL Hijacking PoC
Based on: LockBit ransomware abuses Windows Defender to load Cobalt Strike
How to test by yourself
- Create a new directory and copy
  C:\Program Files\Windows Defender\MpCmdRun.exe
  or C:\Program Files\Windows Defender\NisSrv.exe
  into this new directory.
- Copy mpclient-mpcmdrun.dll or mpclient-nissrv.dll (depending on the binary you want to test) into the same directory and rename the DLL to mpclient.dll.
- Run the executable.
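As an added defender-side example (not part of this PoC repository), the check below runs over constructed image-load records and flags the condition this test procedure creates: a Defender binary running outside its install directory, mpclient.dll loaded from outside that directory, or an unsigned mpclient.dll. The record field names (`image`, `loaded`, `signed`) are assumptions; map them from your EDR or Sysmon Event ID 7 (image loaded) fields.

```python
"""Flag mpclient.dll loads that look like the sideloading this PoC reproduces.
The events below are constructed for this example, not real telemetry."""
from pathlib import PureWindowsPath

# Legitimate location of the Defender binaries and of mpclient.dll.
DEFENDER_DIR = PureWindowsPath(r"C:\Program Files\Windows Defender")
DEFENDER_BINARIES = {"mpcmdrun.exe", "nissrv.exe"}
HIJACK_TARGET = "mpclient.dll"


def classify(event):
    """Return a reason string if the event looks like mpclient.dll sideloading,
    otherwise None. Field names are assumed: image (process path),
    loaded (DLL path), signed (bool)."""
    image = PureWindowsPath(event["image"])
    loaded = PureWindowsPath(event["loaded"])
    # Only Defender binaries loading mpclient.dll are of interest here.
    if image.name.lower() not in DEFENDER_BINARIES or loaded.name.lower() != HIJACK_TARGET:
        return None
    reasons = []
    # PureWindowsPath compares case-insensitively, matching NTFS behaviour.
    if image.parent != DEFENDER_DIR:
        reasons.append(f"{image.name} running from {image.parent}")
    if loaded.parent != DEFENDER_DIR:
        reasons.append(f"{loaded.name} loaded from {loaded.parent}")
    if not event.get("signed", False):
        reasons.append(f"{loaded.name} is not signed")
    return "; ".join(reasons) or None


def scan(events):
    """Return (process image, reason) pairs for every suspicious event."""
    findings = []
    for event in events:
        reason = classify(event)
        if reason:
            findings.append((event["image"], reason))
    return findings


# Constructed sample: one legitimate Defender load, the two copies this PoC
# describes (binary copied to a new directory next to a renamed DLL), and an
# unrelated process load that must not be flagged.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "loaded": r"C:\Program Files\Windows Defender\mpclient.dll", "signed": True},
    {"image": r"C:\Users\Public\test\MpCmdRun.exe",
     "loaded": r"C:\Users\Public\test\mpclient.dll", "signed": False},
    {"image": r"C:\Users\Public\test\NisSrv.exe",
     "loaded": r"C:\Users\Public\test\mpclient.dll", "signed": False},
    {"image": r"C:\Windows\System32\notepad.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
]

if __name__ == "__main__":
    for image, reason in scan(SAMPLE_EVENTS):
        print(f"{image}: {reason}")
```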
How to compile
- Install LLVM from https://releases.llvm.org/download.html
- Reboot your computer
If you want to try MpCmdRun.exe:
clang++ dllmain-mpcmdrun.cpp -o mpclient.dll -shared
If you want to try NisSrv.exe:
clang++ dllmain-NisSrv.cpp -o mpclient.dll -shared
Yara Rule
Check the file lockbit3mpclientdefender.yar