{"id":10566,"date":"2020-07-08T09:00:00","date_gmt":"2020-07-08T08:00:00","guid":{"rendered":"https:\/\/www.withsecure.com\/resources-hub\/w-labs\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-1\/"},"modified":"2020-07-08T09:00:00","modified_gmt":"2020-07-08T08:00:00","slug":"attack-detection-fundamentals-discovery-and-lateral-movement-lab-1","status":"publish","type":"lab_item","link":"https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-1\/","title":{"rendered":"Attack Detection Fundamentals: Discovery and Lateral Movement &#8211; Lab #1"},"content":{"rendered":"<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 wp-block-one-column-block--meta-sharing layout--spacing-xxxxl-top layout--spacing-xl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                            <div class='wp-block-one-column-block__meta-sharing-grid'><div class=\"wp-component-content wp-component-content--default wp-block-one-column-block__content fade-in\">\n            <h1 class=\"wp-component-heading text--h2 wp-component-content__title\">\n    Attack Detection Fundamentals: Discovery and Lateral Movement &#8211; <span class=\"blue-text\">Lab #1<\/span><\/h1>                    <div class=\"wp-component-content__inner\">\n                                                    <div class=\"wp-component-content__meta\">\n                                                                            <span class=\"wp-component-content__meta-categories\">\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Attack Detection                                    <\/span>\n                                           
                         <span class=\"wp-component-content__meta-category\">\n                                        Identity security                                    <\/span>\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Network Security                                    <\/span>\n                                                            <\/span>\n                                                                                                    <span class=\"wp-component-content__meta-date\">\n                                08 Juli, 2020                            <\/span>\n                                                                    <\/div>\n                                            <\/div>\n                <\/div><section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--content-1 wp-block-sharing-icons--disable-container wp-block-one-column-block__sharing fade-in wp-block-one-column-block__sharing fade-in\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Teilen Sie dies                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-1\/&#038;title=Attack%20Detection%20Fundamentals:%20Discovery%20and%20Lateral%20Movement%20&#8211;%20Lab%20#1\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Auf LinkedIn teilen\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n               
 <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals: Discovery and Lateral Movement &#8211; Lab #1&#038;url=https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-1\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Auf X (Twitter) teilen\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n<\/div>                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                                    <div class=\"wp-component-image__wrapper wp-block-one-column-block__image fade-in\">\n                    <figure class=\"wp-component-image__figure\">\n                                            <img loading=\"lazy\" decoding=\"async\" width=\"1200\" height=\"800\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research2.jpg.webp\" class=\"wp-component-image\n                            wp-component-image--desktop\n                            wp-component-image--mobile\n                            wp-component-image--ratio-content-25-1 wp-component-image--fit-cover\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research2.jpg.webp 1200w, 
https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research2-300x200.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research2-1024x683.jpg.webp 1024w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research2-768x512.jpg.webp 768w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research2-447x298.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research2-219x146.jpg.webp 219w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\" \/>                                                    <\/figure>\n                    <\/div>\n                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-two-column-block edwp-block js-wp-block-two-column-block wp-block-two-column-block--content-1 wp-block-two-column-block__left--align-y-top wp-block-two-column-block__right--align-y-top wp-block-two-column-block--split-sidebar layout--none-top layout--spacing-xxxl-bottom\"\n    data-block-id=\"block_dca54a9145c3f1fd012c2a00c257ce85\"\n    >\n    <div class=\"wp-block-two-column-block__container row-load\">\n                                                        <div class=\"wp-block-two-column-block__left\">\n                                    <div class=\"wp-component-authors-list wp-block-two-column-block__authors\">\n                    <p class=\"wp-component-authors-list__title\">\n                Authors            <\/p>\n        \n        <div class=\"wp-component-authors-list__items\">\n                                                <div class=\"wp-component-author-card \">\n    <div class=\"wp-component-author-card__media\">\n                    <span class=\"wp-component-author-card__photo-placeholder\" aria-hidden=\"true\">\n                <svg viewBox=\"0 0 64 64\" role=\"presentation\" focusable=\"false\">\n                    <path d=\"M32 34c-8.1 
0-14.7 6.6-14.7 14.7v3.5h29.4v-3.5C46.7 40.6 40.1 34 32 34z\"><\/path>\n                    <path d=\"M32 31.2c6 0 10.9-4.9 10.9-10.9S38 9.4 32 9.4s-10.9 4.9-10.9 10.9S26 31.2 32 31.2z\"><\/path>\n                <\/svg>\n            <\/span>\n            <\/div>\n    <div class=\"wp-component-author-card__content\">\n                    <h3 class=\"wp-component-author-card__name\">Alfie Champion<\/h3>\n        \n                \n            <\/div>\n\n<\/div>\n\n                                    <\/div>\n\n            <\/div>\n<nav\n    class=\"wp-component-content-navigation wp-block-two-column-block__content-nav js-content-navigation\"\n    data-bem-base=\"wp-component-content-navigation\"\n    data-nav-column=\"left\"\n    data-nav-type=\"auto\"\n>\n            <p class=\"wp-component-content-navigation__title\">\n            Content        <\/p>\n    \n    <div class=\"wp-component-content-navigation__mobile\">\n        <label class=\"wp-component-content-navigation__mobile-label\">\n            <span class=\"wp-component-content-navigation__mobile-label-text\">\n                Inhaltliche Navigation            <\/span>\n            <select class=\"wp-component-content-navigation__select js-content-navigation-select\">\n                <option value=\"\">\n                    W\u00e4hlen Sie einen Abschnitt                <\/option>\n                            <\/select>\n        <\/label>\n    <\/div>\n\n    <div class=\"wp-component-content-navigation__desktop\">\n        <div class=\"wp-component-content-navigation__list-wrapper\">\n            <span\n                class=\"wp-component-content-navigation__indicator js-content-navigation-indicator\"\n                aria-hidden=\"true\"\n            ><\/span>\n            <ul class=\"wp-component-content-navigation__list js-content-navigation-list\">\n                            <\/ul>\n        <\/div>\n    <\/div>\n<\/nav>\n<section\n    class=\"wp-block-sharing-icons edwp-block 
wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__hide-mobile wp-block-two-column-block__share wp-block-two-column-block__hide-mobile\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-1\/&#038;title=Attack%20Detection%20Fundamentals:%20Discovery%20and%20Lateral%20Movement%20&#8211;%20Lab%20#1\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Auf LinkedIn teilen\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals: Discovery and Lateral Movement &#8211; Lab #1&#038;url=https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-1\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Auf X (Twitter) teilen\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n                <\/div>\n                                                <div class=\"wp-block-two-column-block__right\">\n                                <div 
class=\"wp-component-paragraph wp-block-two-column-block__paragraph \">\n    <p>In the third part of WithSecure Consulting&#x27;s Attack Detection Workshop series, covering Discovery and Lateral Movement, we explored a number of offensive techniques for discovering assets of value, be that users or file shares, and methods for moving between compromised hosts.<\/p>\n<p>We also explored the detection strategies that can be employed to spot these using our own detection stacks. As with previous workshops, the following blog provides a step-by-step guide to recreating the demos from that Discovery and Lateral Movement workshop, as well as exercises to further the reader&#x27;s understanding of the concepts shown.<\/p>\n<p>A recording of the workshop can be found <a href=\"https:\/\/youtu.be\/Pv8eHC1a_bc\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p>In the first lab of this workshop, we are once again going to make use of the Covenant framework. We will launch a basic executable launcher and, from there, explore some techniques for acquiring user credential material through kerberoasting and AS-REP roasting. Both of these will be achieved using <a href=\"https:\/\/github.com\/GhostPack\/Rubeus\/\" target=\"_blank\" rel=\"noopener\">Rubeus<\/a>, one of the many tools integrated into Covenant. There is also a further exercise using the functionality provided by <a href=\"https:\/\/github.com\/cobbr\/SharpSploit\/\" target=\"_blank\" rel=\"noopener\">SharpSploit<\/a> to enumerate domain users and groups.<\/p>\n<p>From a detection standpoint, we will make use of a telemetry source that we haven\u2019t touched on too much yet, Event Tracing for Windows, aka ETW. 
Understanding the ins and outs of ETW isn\u2019t a topic for this post, though there are plenty of great resources available to further your understanding (Roberto Rodriguez\u2019s <a href=\"https:\/\/medium.com\/threat-hunters-forge\/threat-hunting-with-etw-events-and-helk-part-1-installing-silketw-6eb74815e4a0\" target=\"_blank\" rel=\"noopener\">post<\/a> is probably a good place to start). For the purposes of this exercise, the important thing to note is that we can create <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/etw\/about-event-tracing#consumers\" target=\"_blank\" rel=\"noopener\">consumers<\/a> that, as the name suggests, consume events from event providers. These providers allow us to get access to telemetry from a wide array of system operations. These include everything from network activity to the use of .NET. For this lab, we\u2019re going to log ETW events using SilkService, an open-source tool developed by Ruben Boonen.<\/p>\n<p>By Ruben\u2019s own admission, SilkService is not an enterprise-ready tool that should be deployed across a corporate estate, but it\u2019s exactly what we need to demonstrate the value of ETW as a log source, and demonstrate some of the telemetry that Endpoint Detection and Response (EDR) providers make use of to detect malicious activity.<\/p>\n<p>We won\u2019t walk through the setup of SilkService here (both Ruben\u2019s <a href=\"https:\/\/github.com\/fireeye\/SilkETW\/\" target=\"_blank\" rel=\"noopener\">README<\/a> and Roberto\u2019s blog cover this). To keep things simple though, provided below is the SilkService configuration we\u2019ll be using for this lab. This registers a single consumer, capturing events from the Microsoft-Windows-LDAP-Client ETW provider. 
This will capture all the LDAP queries that our host makes as we carry out our activities.<\/p>\n<pre><code class=\"language-bash\">&lt;SilkServiceConfig&gt;\n&lt;!--\nMicrosoft-Windows-LDAP-Client ETW Provider\n--&gt;\n&lt;ETWCollector&gt;\n&lt;Guid&gt;859efb51-6985-480f-8094-77192b2a7407&lt;\/Guid&gt;\n&lt;CollectorType&gt;user&lt;\/CollectorType&gt;\n&lt;ProviderName&gt;099614a5-5dd7-4788-8bc9-e29f43db28fc&lt;\/ProviderName&gt;\n&lt;UserKeywords&gt;0x1&lt;\/UserKeywords&gt;&lt;!--Search--&gt;\n&lt;OutputType&gt;eventlog&lt;\/OutputType&gt;\n&lt;\/ETWCollector&gt;\n&lt;\/SilkServiceConfig&gt;<\/code><\/pre>\n<p>NOTE: The UserKeywords field is set to 0x1; <a href=\"https:\/\/docs.microsoft.com\/en-us\/previous-versions\/windows\/desktop\/ldap\/ldap-and-etw\" target=\"_blank\" rel=\"noopener\">this<\/a> flag specifies that we only want to log search requests and the parameters passed to them. The responses to our search queries aren\u2019t logged.<\/p>\n<h2>References<\/h2>\n<ul>\n<li><a href=\"https:\/\/gist.github.com\/guitarrapc\/35a94b908bad677a7310#file-providerlist-txt-L681\" target=\"_blank\" rel=\"noopener\">ETW Providers List<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-gb\/archive\/blogs\/ntdebugging\/part-1-etw-introduction-and-overview\" target=\"_blank\" rel=\"noopener\">Microsoft ETW Introduction and Overview<\/a><\/li>\n<li><a href=\"https:\/\/blog.f-secure.com\/detecting-parent-pid-spoofing\/\" target=\"_blank\" rel=\"noopener\">Detecting Parent PID Spoofing<\/a><\/li>\n<li><a href=\"https:\/\/blog.f-secure.com\/detecting-malicious-use-of-net-part-1\/\" target=\"_blank\" rel=\"noopener\">Detecting Malicious Use of .NET Part 1<\/a> and <a href=\"https:\/\/blog.f-secure.com\/detecting-malicious-use-of-net-part-2\/\" target=\"_blank\" rel=\"noopener\">Part 2<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/fireeye\/SilkETW\" target=\"_blank\" rel=\"noopener\">SilkETW and SilkService<\/a><\/li>\n<li><a 
href=\"https:\/\/github.com\/cobbr\/Covenant\" target=\"_blank\" rel=\"noopener\">Covenant<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/cobbr\/SharpSploit\" target=\"_blank\" rel=\"noopener\">SharpSploit<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/GhostPack\/Rubeus\" target=\"_blank\" rel=\"noopener\">Rubeus<\/a><\/li>\n<li><a href=\"https:\/\/medium.com\/threat-hunters-forge\/threat-hunting-with-etw-events-and-helk-part-1-installing-silketw-6eb74815e4a0\" target=\"_blank\" rel=\"noopener\">Threat Hunting with ETW Events and HELK<\/a><\/li>\n<\/ul>\n<p>DISCLAIMER: Setup of the tools and the testing environment might not be covered comprehensively within this lab. We will assume basic familiarity with the Linux\/Windows command line and the ability of the reader to deploy the necessary frameworks. For that, it is recommended to follow the suggested references for the official tutorials and walkthroughs published by the framework&#x27;s author. In addition, we have modified our lab environment to include users that are kerberoastable and AS-REP roastable; this setup is left as an exercise for the reader.<\/p>\n<h2>Required Tools<\/h2>\n<ul>\n<li>Active Directory domain with at least one DC and workstation<\/li>\n<li>HELK (optional)<\/li>\n<li>SilkService<\/li>\n<li>Covenant<\/li>\n<\/ul>\n<h2>Walkthrough<\/h2>\n<h3>1 \u2013 Listener Setup<\/h3>\n<p>From previous workshops you should be familiar with Covenant and its use of Listeners, Launchers and Grunts. As before, we\u2019re going to set up an HTTP listener. Ensure the \u201cConnectAddress\u201d and \u201cConnectPort\u201d parameters are set appropriately.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/covenant-listener-scaled.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>We\u2019re then going to generate a binary launcher. 
Ensure we\u2019re using our newly-created listener, and click \u201cGenerate\u201d and then \u201cDownload\u201d.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/create-grunt-scaled.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>You should now have your \u201cGruntStager.exe\u201d file downloaded &#8211; this is our Grunt .NET implant. We\u2019re going to skip our Initial Access step here and simply copy-and-paste the Grunt onto our target host running SilkService.<\/p>\n<h3>2 \u2013 Roastable User Enumeration<\/h3>\n<p>As well as \u201cDomain Admins\u201d and other groups considered <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/identity\/ad-ds\/plan\/security-best-practices\/appendix-b--privileged-accounts-and-groups-in-active-directory\" target=\"_blank\" rel=\"noopener\">high-value<\/a>, other Active Directory objects are also of interest to us when we are carrying out Discovery activities. One notable target is users that are colloquially referred to as \u2018roastable\u2019. 
This includes users that are susceptible to one of the following:<\/p>\n<ul>\n<li><a href=\"https:\/\/attack.mitre.org\/techniques\/T1208\/\" target=\"_blank\" rel=\"noopener\">Kerberoasting<\/a><\/li>\n<\/ul>\n<ul>\n<li><a href=\"https:\/\/www.harmj0y.net\/blog\/activedirectory\/roasting-as-reps\/\" target=\"_blank\" rel=\"noopener\">AS-REP roasting<\/a><\/li>\n<\/ul>\n<p>While we won\u2019t go into the technical details of how these attacks work here (there are several great blogs on these topics, not least harmj0y\u2019s posts on the subject <a href=\"https:\/\/www.harmj0y.net\/blog\/powershell\/kerberoasting-without-mimikatz\/\" target=\"_blank\" rel=\"noopener\">here<\/a> and <a href=\"https:\/\/www.harmj0y.net\/blog\/activedirectory\/roasting-as-reps\/\" target=\"_blank\" rel=\"noopener\">here<\/a>), suffice to say that certain configurations of Active Directory enable the retrieval of credential material for offline brute-forcing.<\/p>\n<h3>Kerberoastable Users<\/h3>\n<p>One tool to achieve both kerberoasting and AS-REP roasting is Rubeus. Conveniently for us, Rubeus, like SharpSploit as we&#x27;ll see later, is integrated into Covenant. Using our existing Grunt implant, we can execute the following command line to attempt to retrieve credential material for all kerberoastable accounts.<\/p>\n<pre><code class=\"language-bash\">Rubeus kerberoast<\/code><\/pre>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/kerberoast-scaled.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Looking at that output we can see Rubeus has searched for kerberoastable users, found one such user, and requested the credential material for that user. 
Now, while there are <a href=\"https:\/\/posts.specterops.io\/capability-abstraction-fbeaeeb26384\" target=\"_blank\" rel=\"noopener\">other<\/a> log sources that can be used to detect the actual kerberoasting action taking place,  for the purposes of this exercise we\u2019re going to concern ourselves with that first stage \u2013 the discovery of users that are kerberoastable.<\/p>\n<p>If we take a look at the Rubeus <a href=\"https:\/\/github.com\/GhostPack\/Rubeus\/blob\/1e9fe7c3c2d0458f8200f248079485f3527f314f\/Rubeus\/lib\/Roast.cs#L361\" target=\"_blank\" rel=\"noopener\">codebase<\/a>, we can see this code block (with some additional code removed for readability) assembling an LDAP filter string.<\/p>\n<pre><code class=\"language-bash\">\/\/ if no user specified, filter out the krbtgt account and disabled accounts\nstring userSearchFilter = &quot;&quot;;\n\u2026\nuserFilter = &quot;(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))&quot;;\n\u2026\nstring userSearchFilter = &quot;&quot;;\n\u2026\nstring encFilter = &quot;&quot;;\n\u2026\nuserSearchFilter = String.Format(&quot;(&amp;(samAccountType=805306368)(servicePrincipalName=*){0}{1})&quot;, userFilter, encFilter);<\/code><\/pre>\n<p>In its default setting we end up with a query as follows:<\/p>\n<pre><code class=\"language-bash\">(&amp;(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))<\/code><\/pre>\n<p>Breaking it down we can see the following:<\/p>\n<ul>\n<li>&amp; &#8211; This prefix asserts all subsequent filters must be met.<\/li>\n<li>(samAccountType=805306368) \u2013 Only Active Directory users (not computers, groups, etc.)<\/li>\n<li>(servicePrincipalName=*) \u2013 User accounts that have any service principal name (SPN) entries<\/li>\n<li>(!samAccountName=krbtgt) \u2013 Omit the krbtgt account from this search<\/li>\n<li>(!(UserAccountControl:1.2.840.113556.1.4.803:=2)) \u2013 Omit accounts that are 
disabled<\/li>\n<\/ul>\n<p>Now if we go and search through our Microsoft-Windows-LDAP-Client ETW provider logs for this filter, we hopefully(!) get a hit:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/kerberoast-etw-trace-scaled.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>It\u2019s worth mentioning that Rubeus, and many <a href=\"https:\/\/github.com\/SecureAuthCorp\/impacket\/blob\/master\/examples\/GetUserSPNs.py#L278\" target=\"_blank\" rel=\"noopener\">tools<\/a> like it, include a number of filtering options to tailor the kerberoastable users returned. We won\u2019t go into them all here but it\u2019s a worthwhile exercise to read through the Rubeus kerberoasting code and understand the various LDAP filters it can apply. Each option changes the filter that is sent, so a detection keyed to one exact filter string will not match the variants.<\/p>\n<p>NOTE: For our purposes, we\u2019re forwarding SilkService logs onto HELK, as described in Roberto Rodriguez\u2019s <a href=\"https:\/\/medium.com\/threat-hunters-forge\/threat-hunting-with-etw-events-and-helk-part-1-installing-silketw-6eb74815e4a0\" target=\"_blank\" rel=\"noopener\">blog<\/a>. It\u2019s worth noting though that these are also being logged to the system event log and we could view them there.<\/p>\n<p>This telemetry source is particularly useful as it allows us to trivially map the LDAP queries being made to the processes that executed them. In the screenshot above, we can clearly see \u201cGruntStager\u201d in the ProcessName field &#8211; of course, this isn\u2019t the most discreet! But even in this contrived example, it highlights an opportunity for us to baseline the applications that make LDAP queries and the types of queries that they make. 
Enumeration of roastable users and high-value AD groups &#8211; including \u201cDomain Admins\u201d but also extending to any business-critical group \u2013 carried out by a process that wouldn\u2019t typically request such information would be worthy of investigation.<\/p>\n<h3>AS-REP Roastable Users<\/h3>\n<p>In the next exercise for this lab, we\u2019ll try AS-REP roasting, again with Rubeus, and review what our LDAP log source can do for us. As with previous exercises, we can run this straight from our Grunt, this time with the following command:<\/p>\n<pre><code class=\"language-bash\">Rubeus asreproast<\/code><\/pre>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/grunt-asrep.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Using the same approach as before, let\u2019s take a look at the Rubeus codebase and understand the LDAP filter being used to retrieve users that could be subject to an AS-REP roast (again omitting additional filters for readability).<\/p>\n<pre><code class=\"language-bash\">string userSearchFilter = &quot;&quot;;\nif (String.IsNullOrEmpty(userName))\n{\nuserSearchFilter = &quot;(&amp;(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304))&quot;;\n}\n\u2026<\/code><\/pre>\n<p>And again, breaking this query down:<\/p>\n<ul>\n<li>&amp; &#8211; All subsequent filters must be met.<\/li>\n<li>(samAccountType=805306368) &#8211; Only Active Directory users (not computers, groups, etc.)<\/li>\n<li>(userAccountControl:1.2.840.113556.1.4.803:=4194304) \u2013 Users that have the &quot;Do not require Kerberos preauthentication&quot; option enabled.<\/li>\n<\/ul>\n<p>We can confirm this by performing the LDAP query ourselves. 
Let\u2019s open Active Directory Users and Computers (ADUC) and select the search feature:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/as-rep-filter.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>From here, we can select \u201cCustom Search\u201d:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/as-rep-filter2.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Now, if we copy and paste our LDAP query into the search field and search, we see a single user is returned:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/as-rep-filter3.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>If we view the account properties of our \u201cAdministrator\u201d user, as we expect, we can see that the \u201cDo not require Kerberos preauthentication\u201d is set to enabled (obviously for our lab we\u2019ve set this account property ourselves!)<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/as-rep-user.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Much like the existence of SPNs for our kerberoastable users, the lack of enforced Kerberos preauthentication is what makes a user AS-REP roastable.<\/p>\n<p>And just as before, looking for evidence of this filter in the logs, we can see the request being made.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/asreproast-etw.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<h3>3 \u2013 Domain Admins Enumeration<\/h3>\n<p>As with many post-exploitation frameworks, Covenant has a ton of functionality that we can use to our advantage when carrying out reconnaissance of our testing environment. 
One of the most notable inclusions is the integration of <a href=\"https:\/\/github.com\/cobbr\/SharpSploit\" target=\"_blank\" rel=\"noopener\">SharpSploit<\/a> (another toolset developed by Covenant\u2019s author Ryan Cobb). The applications of SharpSploit go far beyond solely reconnaissance, with persistence, lateral movement and privilege escalation techniques included.<\/p>\n<p>As an additional exercise for the reader, we could make use of the Covenant GetDomainGroup or GetDomainUser commands. For the former, as the name suggests, we can pass it a group-of-interest as an argument &#8211; in this case \u201cDomain Admins\u201d &#8211; and if successful it will return information about that group. We could also customise the Covenant Tasks to accept LDAP filters or make use of <a href=\"https:\/\/github.com\/PowerShellMafia\/PowerSploit\/tree\/master\/Recon\" target=\"_blank\" rel=\"noopener\">PowerView<\/a> to experiment with the generated LDAP queries.<\/p>\n<pre><code class=\"language-bash\">Get-DomainGroup \u201cDomain Admins\u201d<\/code><\/pre>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/get-domain-admins-edit-scaled.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Looking at the ETW logs generated by the Microsoft-Windows-LDAP-Client provider we can see the following:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ldap-etw-trace-scaled.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<h2>Conclusion<\/h2>\n<p>In this first lab of the Discovery workshop we covered how an attacker could identify users of interest, both in terms of their importance within Active Directory, and in terms of opportunities to kerberoast and AS-REP roast. 
We used a new log source, Event Tracing for Windows, or ETW, to capture events generated by the LDAP queries we made.<\/p>\n<p>Performing some very superficial analysis of the Rubeus codebase, we could retrieve the LDAP filters we would expect it to use, and we\u2019ve observed those in the logs.<\/p>\n<p>The main takeaways from this first lab are:<\/p>\n<ul>\n<li>An introduction to the low-level ETW telemetry we can capture and hunt with.<\/li>\n<li>An introduction to several techniques used by threat actors for identifying targets and valuable users in a target environment.<\/li>\n<li>The value of basic open-source tool analysis for spotting opportunities for detection.<\/li>\n<\/ul>\n<p>Let&#x27;s see if we can discover some exposed file shares in the next lab <a href=\"https:\/\/labs.withsecure.com\/blog\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-2\/\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<\/div>\n                <\/div>\n                        <\/div>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>In the first lab of this workshop, we are once again going to make use of the Covenant framework. We will launch a basic executable launcher and, from there, explore some techniques for acquiring user credential material through kerberoasting and AS-REP roasting.<\/p>\n","protected":false},"author":3,"featured_media":0,"template":"","categories":[310,352,344],"labs_content_type":[313],"class_list":["post-10566","lab_item","type-lab_item","status-publish","hentry","category-attack-detection","category-identity-security","category-network-security"],"acf":[],"card":"<div class=\"wp-component-card-insight js-card-link wp-component-card-insight--highlighted\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg\" class=\"wp-component-card-insight__image\" alt=\"\" decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg 618w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-300x214.jpg 300w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-447x318.jpg 447w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-205x146.jpg 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/Labs<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span 
class=\"wp-component-card-insight__category\">Identity security<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Network Security<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Attack Detection Fundamentals: Discovery and Lateral Movement &#8211; Lab #1<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">In the first lab of this workshop, we are once again going to make use of the Covenant framework. We will launch a basic executable launcher and, from there, explore some techniques for acquiring user credential material through kerberoasting and AS-REP roasting.<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary btn--dark wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-1\/\">Mehr erfahren<\/a>            <\/div>\n            
<\/div>\n<\/div>","_links":{"self":[{"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/lab_item\/10566","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/lab_item"}],"about":[{"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/types\/lab_item"}],"author":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/users\/3"}],"wp:attachment":[{"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/media?parent=10566"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/categories?post=10566"},{"taxonomy":"labs_content_type","embeddable":true,"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/labs_content_type?post=10566"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}