A Sentinel One investigation revealed threat actors (TA) have been abusing the Windows Defender command line tool to decrypt and load Cobalt Strike payloads.
The cybersecurity experts detailed their findings in an advisory last week, in which they said the TA managed to carry out the attacks after obtaining initial access via the Log4Shell vulnerability against an unpatched VMware Horizon Server.
The attackers reportedly modified the Blast Secure Gateway component of the application by installing a web shell using PowerShell code.
Comments are closed.