{"id":7908,"date":"2020-07-08T09:00:00","date_gmt":"2020-07-08T08:00:00","guid":{"rendered":"https:\/\/www.withsecure.com\/?post_type=lab_item&#038;p=7908"},"modified":"2026-05-22T12:54:05","modified_gmt":"2026-05-22T11:54:05","slug":"attack-detection-fundamentals-discovery-and-lateral-movement-lab-3","status":"publish","type":"lab_item","link":"https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-3\/","title":{"rendered":"Attack Detection Fundamentals: Discovery and Lateral Movement &#8211; Lab #3"},"content":{"rendered":"<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 wp-block-one-column-block--meta-sharing layout--spacing-xxxxl-top layout--spacing-xl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                            <div class='wp-block-one-column-block__meta-sharing-grid'><div class=\"wp-component-content wp-component-content--default wp-block-one-column-block__content fade-in\">\n            <h1 class=\"wp-component-heading text--h2 wp-component-content__title\">\n    Attack Detection Fundamentals: Discovery and Lateral Movement &#8211; <span class=\"blue-text\">Lab #3<\/span><\/h1>                    <div class=\"wp-component-content__inner\">\n                                                    <div class=\"wp-component-content__meta\">\n                                                                            <span class=\"wp-component-content__meta-categories\">\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Attack Detection                                    <\/span>\n                                                                    <span 
class=\"wp-component-content__meta-category\">\n                                        Endpoint Security                                    <\/span>\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Network Security                                    <\/span>\n                                                            <\/span>\n                                                                                                    <span class=\"wp-component-content__meta-date\">\n                                08 July, 2020                            <\/span>\n                                                                    <\/div>\n                                            <\/div>\n                <\/div>\n<\/div>                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                                    <div class=\"wp-component-image__wrapper wp-block-one-column-block__image fade-in\">\n                    <figure class=\"wp-component-image__figure\">\n                                            <img loading=\"lazy\" decoding=\"async\" width=\"1200\" height=\"800\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research2.jpg.webp\" class=\"wp-component-image\n                            wp-component-image--desktop\n                            wp-component-image--mobile\n                            wp-component-image--ratio-content-25-1 wp-component-image--fit-cover\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research2.jpg.webp 1200w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research2-300x200.jpg.webp 
300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research2-1024x683.jpg.webp 1024w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research2-768x512.jpg.webp 768w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research2-447x298.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research2-219x146.jpg.webp 219w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\" \/>                                                    <\/figure>\n                    <\/div>\n                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-two-column-block edwp-block js-wp-block-two-column-block wp-block-two-column-block--content-1 wp-block-two-column-block__left--align-y-top wp-block-two-column-block__right--align-y-top wp-block-two-column-block--split-sidebar layout--none-top layout--spacing-xxxl-bottom\"\n    data-block-id=\"block_251fc216e8c7e228cdc2a3314884fd3a\"\n    >\n    <div class=\"wp-block-two-column-block__container row-load\">\n                                                        <div class=\"wp-block-two-column-block__left\">\n                                    <div class=\"wp-component-authors-list wp-block-two-column-block__authors\">\n                    <p class=\"wp-component-authors-list__title\">\n                Authors            <\/p>\n        \n        <div class=\"wp-component-authors-list__items\">\n                                                <div class=\"wp-component-author-card \">\n    <div class=\"wp-component-author-card__media\">\n                    <span class=\"wp-component-author-card__photo-placeholder\" aria-hidden=\"true\">\n                <svg viewBox=\"0 0 64 64\" role=\"presentation\" focusable=\"false\">\n                    <path d=\"M32 34c-8.1 0-14.7 6.6-14.7 14.7v3.5h29.4v-3.5C46.7 40.6 40.1 34 32 34z\"><\/path>\n                    <path 
d=\"M32 31.2c6 0 10.9-4.9 10.9-10.9S38 9.4 32 9.4s-10.9 4.9-10.9 10.9S26 31.2 32 31.2z\"><\/path>\n                <\/svg>\n            <\/span>\n            <\/div>\n    <div class=\"wp-component-author-card__content\">\n                    <h3 class=\"wp-component-author-card__name\">Alfie Champion<\/h3>\n        \n                \n            <\/div>\n\n<\/div>\n\n                                    <\/div>\n\n            <\/div>\n                <\/div>\n                                                <div class=\"wp-block-two-column-block__right\">\n                                <div class=\"wp-component-paragraph wp-block-two-column-block__paragraph \">\n    <p>In the third part of WithSecure Consulting&#x27;s 
Attack Detection Workshop series, covering Discovery and Lateral Movement, we explored a number of offensive techniques for discovering assets of value, be that users or file shares, and methods for moving between compromised hosts.<\/p>\n<p>We also explored the detection strategies that can be employed to spot these using our own detection stacks. As with previous workshops, the following blog provides a third step-by-step guide to recreating the demos from that Discovery and Lateral Movement workshop, as well as exercises to further the reader&#x27;s understanding of the concepts shown.<\/p>\n<p>A recording of the workshop can be found <a href=\"https:\/\/youtu.be\/Pv8eHC1a_bc\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p>In the previous <a href=\"https:\/\/labs.withsecure.com\/blog\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-1\/\" target=\"_blank\" rel=\"noopener\">two<\/a> <a href=\"https:\/\/labs.withsecure.com\/blog\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-2\/\" target=\"_blank\" rel=\"noopener\">labs<\/a>, we\u2019ve looked at suspicious LDAP queries using telemetry from ETW and looked at ways we can put object access logs to work to detect enumeration of file shares. We\u2019ve focused on Discovery so far, but now we\u2019re going to look at a means for lateral movement by pivoting through the aptly named \u201cc3\u201d file share we found last time. Admittedly this isn\u2019t a common technique when compared to techniques such as PsExec or WMI, but it\u2019s a good segue into our lateral movement exercises, highlights another application of our 5145 events and hey, it should make for a fun lab!<\/p>\n<p>In our lab environment, things are pretty \u2018flat\u2019 from a networking perspective, with all our hosts able to talk to each other. 
In more segregated environments though, file shares can often be exposed to hosts that otherwise would have no means of communicating, and this is where tools like C3 can be useful.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/network-architecture.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>We\u2019re going to use C3 for this lab, and explore a few strategies for detection. Firstly, we\u2019ll look at the file share access logs as before, to see what traces we observe. After that we\u2019ll make use of a new ETW provider, Windows Kernel Trace, and see if we can spot our Grunt being launched in-memory. We\u2019ve talked about ETW and Ruben\u2019s SilkService tool before, so we won\u2019t cover that again. Here\u2019s the SilkService config XML we\u2019ll use this time:<\/p>\n<pre><code class=\"language-bash\">&lt;SilkServiceConfig&gt;\n    &lt;ETWCollector&gt;\n              &lt;Guid&gt;870b50e1-04c2-43e4-82ac-817444a56364&lt;\/Guid&gt;\n              &lt;CollectorType&gt;kernel&lt;\/CollectorType&gt;\n              &lt;KernelKeywords&gt;ImageLoad&lt;\/KernelKeywords&gt;\n              &lt;FilterValue&gt;Image\/Load&lt;\/FilterValue&gt;\n              &lt;OutputType&gt;eventlog&lt;\/OutputType&gt;\n    &lt;\/ETWCollector&gt;\n&lt;\/SilkServiceConfig&gt;<\/code><\/pre>\n<p>Our \u201cFilterValue\u201d in this case ensures that we only log \u201cImage Load\u201d (and unload) events.<\/p>\n<h2>References<\/h2>\n<ul>\n<li><a href=\"https:\/\/github.com\/fireeye\/SilkETW\" target=\"_blank\" rel=\"noopener\">SilkETW and SilkService<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/cobbr\/Covenant\" target=\"_blank\" rel=\"noopener\">Covenant<\/a><\/li>\n<li><a href=\"https:\/\/medium.com\/threat-hunters-forge\/threat-hunting-with-etw-events-and-helk-part-1-installing-silketw-6eb74815e4a0\" target=\"_blank\" rel=\"noopener\">Threat Hunting with ETW and HELK<\/a><\/li>\n<li><a 
href=\"https:\/\/docs.microsoft.com\/en-gb\/archive\/blogs\/ntdebugging\/part-1-etw-introduction-and-overview\" target=\"_blank\" rel=\"noopener\">Microsoft ETW Introduction and Overview<\/a><\/li>\n<li><a href=\"https:\/\/labs.withsecure.com\/tools\/c3\/\" target=\"_blank\" rel=\"noopener\">C3 &#8211; Walkthrough<\/a><\/li>\n<li><a href=\"https:\/\/labs.withsecure.com\/blog\/hunting-for-c3\/\" target=\"_blank\" rel=\"noopener\">Countercept&#x27;s Hunting for C3<\/a><\/li>\n<\/ul>\n<p>DISCLAIMER: Set up of the tools and the testing environment might not be covered comprehensively within this lab. We will assume basic familiarity with Linux\/Windows command line and the ability of the reader to deploy the necessary frameworks. For that, it is recommended to follow the suggested references for the official tutorials and walkthrough published by the framework&#x27;s author.<\/p>\n<h2>Required Tools<\/h2>\n<ul>\n<li>Active Directory domain with at least one DC and workstation<\/li>\n<li>HELK (optional)<\/li>\n<li>SilkService<\/li>\n<li>C3<\/li>\n<li>Covenant<\/li>\n<li>Process Hacker<\/li>\n<\/ul>\n<h2>Walkthrough<\/h2>\n<h3>1 \u2013 Environment Setup<\/h3>\n<p>In the previous lab, we used SharpShares to identify the \u201cc3\u201d file share that we configured on our DC2 host.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/share-enumeration2.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Now, as this share was configured to give \u201cEveryone\u201d \u201cRead\/Write\u201d permissions, it\u2019s (conveniently) a prime candidate for pivoting, as multiple compromised users can read and write messages to it.<\/p>\n<h3>2 \u2013 C3 and Covenant<\/h3>\n<p>We won\u2019t cover the initial setup of C3 as there are already comprehensive <a href=\"https:\/\/labs.withsecure.com\/tools\/c3\/\" target=\"_blank\" rel=\"noopener\">blogs<\/a> on the topic. 
But, we\u2019ll briefly cover the integration of C3 with Covenant so we can launch and communicate with Grunts through our file share (more operational details can be found <a href=\"https:\/\/github.com\/FSecureLABS\/C3\/blob\/master\/Res\/CovenantUsage.md\" target=\"_blank\" rel=\"noopener\">here<\/a>).<\/p>\n<p>For the purposes of this lab, we\u2019re running both the Covenant C2 server and C3 on the same host. With Covenant already running, launch a C3 gateway and run the \u201cTurnOnConnectorCovenant\u201d command. You can see from the below, we\u2019re using a local 127.0.0.1 address in the \u201cCovenant Web Host\u201d field, and we\u2019re entering the super secure \u201cadmin:admin\u201d credentials we initially set for our Covenant server.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/create-share-2-5.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>If the command succeeds we should see a notification in Covenant and \u201cC3Bridge\u201d added to our available listeners.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/create-share-2-6-scaled.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>The C3 UI should also display the connection as below.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/covenant-added-to-c3.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>NOTE: In a real-life scenario, we would have already obtained an initial foothold on a host and would be using our file share pivot to move further into the network. For this lab though, we\u2019re going to simplify things slightly and have our attacker host (i.e. the one running Covenant and C3) talk directly to the exposed file share. To achieve this, we\u2019re going to need to first establish access to the file share on our Windows attacker host. 
In an Explorer window, browse to the UNC path of our share, e.g. \\\\DC2\\c3. Enter some domain user credentials and ensure that you have access from the attacker host.<\/p>\n<p>With access confirmed, we can create a Negotiation channel in C3 (descriptions of channel types available can be found on the C3 <a href=\"https:\/\/labs.withsecure.com\/tools\/c3\/\" target=\"_blank\" rel=\"noopener\">blog<\/a>). Select the \u201cAddNegotiationChannelUNCShareFile\u201d command, leave the \u201cNegotiation Identifier\u201d as the default value, and enter the UNC path to our \u201cc3\u201d share.<\/p>\n<p>There are two things to note here. Firstly, our path is using an IP address, not a hostname. This is specific to our lab environment in which our attacker host cannot communicate with the target environment DNS servers to resolve any names. In a real scenario, a hostname would be fine here. Secondly, we\u2019re specifying a \u201ctesting\u201d folder in our path. This is just an arbitrarily named folder within the \u201cc3\u201d share that we\u2019re going to have our messages written to.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/create-share-4.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>If all goes well here, we can observe the \u201ctesting\u201d folder created in the \u201cc3\u201d share.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/create-share-5.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Now, we\u2019re ready to create a Relay. Like the Beacons, Grunts, Zombies etc. that we\u2019ve seen before, Relay is C3\u2019s implant.<\/p>\n<p>Select the channel in C3 (the eye icon), click \u201cNew Relay\u201d from the \u201cInterface Options\u201d drop-down in the top right.<\/p>\n<p>You\u2019ll notice that the bottom half of the window is prepopulated with our UNC channel details. 
All we need to do here is specify the name for the Relay and the output format and architecture we want. For our purposes, we can stick with the default 64-bit executable option. Click \u201cCreate and Download Relay\u201d and move the downloaded executable to our workstation host.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/create-share-6.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>At this point, we have our C3 gateway set up, it\u2019s connected to our Covenant server, and it\u2019s established a means of communicating through our UNC file share. If we now launch the Relay executable on our workstation, we should see the C3 graph update to include the foothold we\u2019ve just obtained!<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/create-share-7.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>So now, all the communication between our target workstation and the attacker host is being sent through our exposed file share.<\/p>\n<p>That\u2019s cool in itself I think &#8211; but C3\u2019s focus is, as its name suggests, on command and control. We\u2019re going to need to utilise additional tooling to capitalise on the foothold we\u2019ve obtained. This is where Covenant steps in. With the setup we completed previously, we can now add what C3 terms a \u201cPeripheral\u201d to the Relay. Click the UNC relay and select the \u201cAddPeripheralGrunt\u201d option from the command list. 
For this lab, all the displayed options can remain default.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/create-share-8.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>If we return to the Covenant dashboard, we should see a Grunt check in!<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/create-share-9.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>You\u2019ll notice here that the \u201cImplantTemplate\u201d is displayed as GruntSMB. This gives us a clue as to what has happened under the hood. The C3 blog covers much of this, but at a high-level, when we selected the \u201cAddPeripheralGrunt\u201d command, we made an API request to Covenant to return us a Grunt that communicates over a pipe with a specified name (\u201cwv8v\u201d in the above screenshot). The Grunt shellcode is then injected into the Relay process (at the time of writing, this is a CreateThread API request, much like we saw in our SharpShooter example in the very <a href=\"https:\/\/labs.withsecure.com\/blog\/attack-detection-fundamentals-initial-access-lab-4\/\" target=\"_blank\" rel=\"noopener\">first<\/a> <a href=\"https:\/\/vimeo.com\/432427630\/572a041b90\" target=\"_blank\" rel=\"noopener\">workshop<\/a>!). 
The Relay can then communicate over this named pipe to the Grunt to allow us to interact with it (you can see the code for this <a href=\"https:\/\/github.com\/FSecureLABS\/C3\/blob\/master\/Src\/Common\/FSecure\/C3\/Interfaces\/Peripherals\/Grunt.cpp#L209\" target=\"_blank\" rel=\"noopener\">here<\/a> and <a href=\"https:\/\/github.com\/FSecureLABS\/C3\/blob\/master\/Src\/Common\/FSecure\/C3\/Interfaces\/Peripherals\/Grunt.cpp#L227\" target=\"_blank\" rel=\"noopener\">here<\/a>).<\/p>\n<p>From here, we can execute tasks with the Grunt, just as we\u2019ve done previously!<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/create-share-10.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<h3>3 \u2013 File Share Auditing<\/h3>\n<p>So, we\u2019ve established a means of pivoting between hosts using our file share, and we\u2019ve used this access to deploy a Grunt to our target host. In terms of detection opportunities, let\u2019s first see what we can observe with the object access logs we\u2019ve used previously. Filtering for 5145s on our file share, we can see the following:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/create-share-11-again.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>The first thing to note is the file naming convention we observe in the \u201cShareRelativeTargetName\u201d field of our 5145s. We can see the use of randomised file names and \u201c.lock\u201d files, potentially signifying that the equivalent file without the \u201c.lock\u201d suffix is still being written to. 
If we check out the UNC channel <a href=\"https:\/\/github.com\/FSecureLABS\/C3\/blob\/master\/Src\/Common\/FSecure\/C3\/Interfaces\/Channels\/UncShareFile.cpp#L68\" target=\"_blank\" rel=\"noopener\">code<\/a>, we can see that our hypothesis is correct:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/c3-code-base.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>We can also get some idea of the flow of communication if we turn our attention to the \u201cObjectAccessMaskRequested\u201d field. Two notable masks are below (we can see details of these from Microsoft <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/auditing\/event-5145#table-of-file-access-codes\" target=\"_blank\" rel=\"noopener\">here<\/a>):<\/p>\n<ul>\n<li>0x2<\/li>\n<li>0x100081<\/li>\n<\/ul>\n<p>The first of these is a WriteData or AddFile mask, relatively self-explanatory. The latter is an aggregation of a few masks, namely:<\/p>\n<ul>\n<li>0x100000 &#8211; SYNCHRONIZE \u2013 This gives us the ability to use the object for synchronization. This enables a thread to wait until the object is in the signaled state.<\/li>\n<li>0x80 \u2013 ReadAttributes.<\/li>\n<li>0x1 \u2013 ReadData or ListDirectory.<\/li>\n<\/ul>\n<p>There\u2019s also a 0x110080 mask which includes a DELETE mask \u2013 so our C3 channel can tidy up after itself!<\/p>\n<p>Reading through this, it should become clear that we\u2019re looking at something resembling the send and receive components of the channel.<\/p>\n<p>Knowing this is effectively a command and control channel, we can make the assumption that we\u2019ll see a fairly regular polling of our file share with the 0x100081 access mask (on both sides), as both the C3 Gateway and the Relay await something to do.<\/p>\n<p>To better articulate this, in the screenshot below, you can see that we\u2019ve filtered our traffic to just one side of the conversation. 
The source IP is set to our attacker host.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/polling-highlighted.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Now it\u2019s probably pertinent to mention that everything we\u2019re observing here is entirely configurable. From our \u201c.lock\u201d file extension to the polling frequency, we could customise these as an attacker. Nevertheless, using the default settings, we can see our Gateway polling reliably, almost exactly every 10 seconds.<\/p>\n<p>Let\u2019s see if we can now identify our Grunt implant being sent to the Relay.<\/p>\n<p>The first thing to mention is that C3 both encrypts and chunks the data it sends between components. So while we\u2019re essentially writing the Grunt to disk for our Relay to read from, as a defender we\u2019re not going to get an AV hit or IDS signature firing based on the Grunt implant on disk nor on the wire.<\/p>\n<p>What we can do however, is observe the 5145s generated by our Gateway, with the 0x2 access mask we\u2019ve already spoken about.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/polling2-highlighted.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>If you check back at your Covenant logs, that spike should correlate with the time we requested our Grunt to be added in C3. In this instance, there\u2019s not too much we can do to assert that this is definitely malicious, but it\u2019s worth noting.<\/p>\n<h3>4 \u2013 Anomalous CLR Loading<\/h3>\n<p>We know that Covenant\u2019s implants, Grunts, make use of .NET. So, what might give us an opportunity to join the dots here is to look at the .NET assemblies that have been loaded into our Relay process. Now, of course, our \u201cRelay\u201d named exe isn\u2019t exactly elite opsec. 
But if we put that aside for now\u2026<\/p>\n<p>As a simple exercise to get us started, launch a second instance of our C3 relay on the same target workstation host. Just as before, you should see the C3 graph update with a second relay.<\/p>\n<p>Now with Process Hacker, identify the two instances of the Relay in the process tree and view their properties side-by-side. You should immediately notice that our Grunt-loaded Relay has tabs for .NET that are absent from the new Relay we just launched.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/app-domains-post-grunt2.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>So, any process that has .NET assemblies loaded is malicious? Try the same exercise with a newly-launched PowerShell process. Yeah, not quite!<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/powershell-clr.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>What we\u2019re observing here, in the case of PowerShell anyway, is entirely legitimate behaviour. 
Without going into the depths of .NET, CIL and the CLR \u2013 there are many great posts on this already including <a href=\"https:\/\/blog.f-secure.com\/detecting-malicious-use-of-net-part-1\/\" target=\"_blank\" rel=\"noopener\">here<\/a>, <a href=\"https:\/\/www.mdsec.co.uk\/2020\/03\/hiding-your-net-etw\/\" target=\"_blank\" rel=\"noopener\">here<\/a> and <a href=\"https:\/\/www.fireeye.com\/blog\/threat-research\/2019\/03\/silketw-because-free-telemetry-is-free.html\" target=\"_blank\" rel=\"noopener\">here<\/a> \u2013 the upshot is that we will only see the CLR loaded into our process memory when .NET assemblies are being executed.<\/p>\n<p>If we turn to our ETW logs from the Windows Kernel Trace provider, and search for \u201cImage\/Load\u201d events performed by our \u201cRelay\u201d process (filtering for those that have file paths containing \u201c.NET\u201d or \u201cmscor\u201d), we get the following:<\/p>\n<p>Here we can see the required CLR DLLs being loaded into our process, including the \u201cclr.dll\u201d which is the main DLL in .NET 4.0 <a href=\"https:\/\/www.contextis.com\/en\/blog\/common-language-runtime-hook-for-persistence\" target=\"_blank\" rel=\"noopener\">onwards<\/a>.<\/p>\n<p>Now, we could go much deeper here with regards to inspecting the actual assemblies that are running &#8211; we\u2019ve only looked at the CLR itself being loaded here, not what .NET we\u2019re actually running. We could look at the randomized assembly naming convention we see from our Grunt, we could look at identifying those assemblies that are not backed by files on disk. 
Of course, from an offensive perspective we could then look at subverting all of the above with some defence evasion <a href=\"https:\/\/www.mdsec.co.uk\/2020\/06\/detecting-and-advancing-in-memory-net-tradecraft\/\" target=\"_blank\" rel=\"noopener\">techniques<\/a>.<\/p>\n<p>For now though, let\u2019s keep it simple &#8211; we could employ a detection strategy whereby we identify instances where the CLR is loaded into processes that don\u2019t typically load it.<\/p>\n<p>Consider if we attempted to replay this lab, except we used a payload launcher that injected our Relay &#8211; and subsequently our Grunt &#8211; into an Explorer process (in an attempt to mask our UNC file share access as legitimate), or a browser process (if we were trying to do the same but with external C2 web traffic). Launching these applications in Process Hacker, we can see that they don\u2019t load the CLR in normal operation and if they suddenly decided to do so, we\u2019d have cause to investigate.<\/p>\n<h2>Conclusion<\/h2>\n<p>In this third lab of the Discovery and Lateral Movement workshop we covered how an attacker could make use of an exposed file share to pivot their traffic between hosts. 
We used our object access telemetry to identify suspicious access and made use of a new ETW provider, Windows Kernel Trace, to develop a detection strategy for suspicious use of .NET.<\/p>\n<p>The main takeaways from this third lab are:<\/p>\n<ul>\n<li>An overview of a more esoteric lateral movement technique.<\/li>\n<li>A simple example for identifying beaconing behaviour against our file share.<\/li>\n<li>Use of a second ETW provider for identifying module loading.<\/li>\n<li>An introduction to detecting suspicious .NET usage.<\/li>\n<\/ul>\n<p>Let&#x27;s continue with Lateral Movement and take a look at PsExec <a href=\"https:\/\/labs.withsecure.com\/blog\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-4\/\" target=\"_blank\" rel=\"noopener\">next<\/a>!<\/p>\n<\/div>\n                <\/div>\n                        <\/div>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>We\u2019ve focused on Discovery so far, but now we\u2019re going to look at a means for lateral movement by pivoting through the aptly named \u201cc3\u201d file share we found last time. 
Admittedly this isn\u2019t a common technique when compared to techniques such as PsExec or WMI, but it\u2019s a good segue into our lateral movement exercises, highlights another application of our 5145 events and hey, it should make for a fun lab!<\/p>\n","protected":false},"author":3,"featured_media":8859,"template":"","categories":[240,239,237],"labs_content_type":[299],"class_list":["post-7908","lab_item","type-lab_item","status-publish","has-post-thumbnail","hentry","category-attack-detection","category-endpoint-security","category-network-security"],"acf":[],"card":"<div class=\"wp-component-card-insight js-card-link wp-component-card-insight--highlighted\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img width=\"1200\" height=\"800\" src=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_research2.jpg\" class=\"wp-component-card-insight__image\" alt=\"\" decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_research2.jpg 1200w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_research2-300x200.jpg 300w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_research2-1024x683.jpg 1024w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_research2-768x512.jpg 768w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_research2-447x298.jpg 447w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_research2-219x146.jpg 219w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/Labs<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span 
class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Endpoint Security<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Network Security<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Attack Detection Fundamentals: Discovery and Lateral Movement &#8211; Lab #3<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">We\u2019ve focused on Discovery so far, but now we\u2019re going to look at a means for lateral movement by pivoting through the aptly named \u201cc3\u201d file share we found last time. Admittedly this isn\u2019t a common technique when compared to techniques such as PsExec or WMI, but it\u2019s a good segue into our lateral movement exercises, highlights another application of our 5145 events and hey, it should make for a fun lab!<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary btn--dark wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-3\/\">Read more<\/a>            <\/div>\n            
<\/div>\n<\/div>","_links":{"self":[{"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/lab_item\/7908","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/lab_item"}],"about":[{"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/types\/lab_item"}],"author":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/users\/3"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/media\/8859"}],"wp:attachment":[{"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/media?parent=7908"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/categories?post=7908"},{"taxonomy":"labs_content_type","embeddable":true,"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/labs_content_type?post=7908"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}