Security Articles

Defender Control Commonly Used by Dharma, Phobos, and Crysis Ransomware

released on 2020-12-14 @ 04:19:31 PM
Defender Control is a free software utility DFIR Report has come across in various intrusions. Defender Control is common among the smaller ransomware players, such as Dharma, Phobos, and Crysis. In our experience, these groups’ main point of entry tends to be exposed RDP. After gaining access, these threat actors often do not take the time or effort to fully scope or compromise a domain before ransoming what is usually a single system. We’ve seen these threat actors get blocked by Defender, and then minutes later Defender Control gets copied over and run.