{"id":10560,"date":"2020-07-08T09:00:00","date_gmt":"2020-07-08T08:00:00","guid":{"rendered":"https:\/\/www.withsecure.com\/resources-hub\/w-labs\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-2\/"},"modified":"2026-05-25T10:33:22","modified_gmt":"2026-05-25T09:33:22","slug":"attack-detection-fundamentals-discovery-and-lateral-movement-lab-2","status":"publish","type":"lab_item","link":"https:\/\/www.withsecure.com\/fi\/resurssit\/w-labs\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-2\/","title":{"rendered":"Attack Detection Fundamentals: Discovery and Lateral Movement &#8211; Lab #2"},"content":{"rendered":"<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 wp-block-one-column-block--meta-sharing layout--spacing-xxxxl-top layout--spacing-xl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                            <div class='wp-block-one-column-block__meta-sharing-grid'><div class=\"wp-component-content wp-component-content--default wp-block-one-column-block__content fade-in\">\n            <h1 class=\"wp-component-heading text--h2 wp-component-content__title\">\n    Attack Detection Fundamentals: Discovery and Lateral Movement &#8211; <span class=\"blue-text\">Lab #2<\/span><\/h1>                    <div class=\"wp-component-content__inner\">\n                                                    <div class=\"wp-component-content__meta\">\n                                                                            <span class=\"wp-component-content__meta-categories\">\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Attack Detection                                    <\/span>\n                                            
                        <span class=\"wp-component-content__meta-category\">\n                                        Dfir                                    <\/span>\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Identity security                                    <\/span>\n                                                            <\/span>\n                                                                                                    <span class=\"wp-component-content__meta-date\">\n                                08.07.2020                            <\/span>\n                                                                    <\/div>\n                                            <\/div>\n                <\/div><section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--content-1 wp-block-sharing-icons--disable-container wp-block-one-column-block__sharing fade-in wp-block-one-column-block__sharing fade-in\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Jaa t\u00e4m\u00e4                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/fi\/resurssit\/w-labs\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-2\/&#038;title=Attack%20Detection%20Fundamentals:%20Discovery%20and%20Lateral%20Movement%20&#8211;%20Lab%20#2\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Jaa LinkedIniss\u00e4\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use 
xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals: Discovery and Lateral Movement &#8211; Lab #2&#038;url=https:\/\/www.withsecure.com\/fi\/resurssit\/w-labs\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-2\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Jaa X:ss\u00e4 (Twitter)\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n<\/div>                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                                    <div class=\"wp-component-image__wrapper wp-block-one-column-block__image fade-in\">\n                    <figure class=\"wp-component-image__figure\">\n                                            <img loading=\"lazy\" decoding=\"async\" width=\"1200\" height=\"800\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_insights.jpg.webp\" class=\"wp-component-image\n                            wp-component-image--desktop\n                            wp-component-image--mobile\n                            wp-component-image--ratio-content-25-1 wp-component-image--fit-cover\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_insights.jpg.webp 1200w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_insights-300x200.jpg.webp 
300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_insights-1024x683.jpg.webp 1024w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_insights-768x512.jpg.webp 768w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_insights-447x298.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_insights-219x146.jpg.webp 219w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\" \/>                                                    <\/figure>\n                    <\/div>\n                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-two-column-block edwp-block js-wp-block-two-column-block wp-block-two-column-block--content-1 wp-block-two-column-block__left--align-y-top wp-block-two-column-block__right--align-y-top wp-block-two-column-block--split-sidebar layout--none-top layout--spacing-xxxl-bottom\"\n    data-block-id=\"block_38a506b521e5c0141e85a4458aa234b0\"\n    >\n    <div class=\"wp-block-two-column-block__container row-load\">\n                                                        <div class=\"wp-block-two-column-block__left\">\n                                    <div class=\"wp-component-authors-list wp-block-two-column-block__authors\">\n                    <p class=\"wp-component-authors-list__title\">\n                Authors            <\/p>\n        \n        <div class=\"wp-component-authors-list__items\">\n                                                <div class=\"wp-component-author-card \">\n    <div class=\"wp-component-author-card__media\">\n                    <span class=\"wp-component-author-card__photo-placeholder\" aria-hidden=\"true\">\n                <svg viewBox=\"0 0 64 64\" role=\"presentation\" focusable=\"false\">\n                    <path d=\"M32 34c-8.1 0-14.7 6.6-14.7 14.7v3.5h29.4v-3.5C46.7 40.6 40.1 34 32 34z\"><\/path>\n                    <path d=\"M32 
31.2c6 0 10.9-4.9 10.9-10.9S38 9.4 32 9.4s-10.9 4.9-10.9 10.9S26 31.2 32 31.2z\"><\/path>\n                <\/svg>\n            <\/span>\n            <\/div>\n    <div class=\"wp-component-author-card__content\">\n                    <h3 class=\"wp-component-author-card__name\">Alfie Champion<\/h3>\n        \n                \n            <\/div>\n\n<\/div>\n\n                                    <\/div>\n\n            <\/div>\n<nav\n    class=\"wp-component-content-navigation wp-block-two-column-block__content-nav js-content-navigation\"\n    data-bem-base=\"wp-component-content-navigation\"\n    data-nav-column=\"left\"\n    data-nav-type=\"auto\"\n>\n            <p class=\"wp-component-content-navigation__title\">\n            Content        <\/p>\n    \n    <div class=\"wp-component-content-navigation__mobile\">\n        <label class=\"wp-component-content-navigation__mobile-label\">\n            <span class=\"wp-component-content-navigation__mobile-label-text\">\n                Sis\u00e4ll\u00f6n navigointi            <\/span>\n            <select class=\"wp-component-content-navigation__select js-content-navigation-select\">\n                <option value=\"\">\n                    Valitse jakso                <\/option>\n                            <\/select>\n        <\/label>\n    <\/div>\n\n    <div class=\"wp-component-content-navigation__desktop\">\n        <div class=\"wp-component-content-navigation__list-wrapper\">\n            <span\n                class=\"wp-component-content-navigation__indicator js-content-navigation-indicator\"\n                aria-hidden=\"true\"\n            ><\/span>\n            <ul class=\"wp-component-content-navigation__list js-content-navigation-list\">\n                            <\/ul>\n        <\/div>\n    <\/div>\n<\/nav>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share 
wp-block-two-column-block__hide-mobile wp-block-two-column-block__share wp-block-two-column-block__hide-mobile\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/fi\/resurssit\/w-labs\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-2\/&#038;title=Attack%20Detection%20Fundamentals:%20Discovery%20and%20Lateral%20Movement%20&#8211;%20Lab%20#2\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Jaa LinkedIniss\u00e4\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals: Discovery and Lateral Movement &#8211; Lab #2&#038;url=https:\/\/www.withsecure.com\/fi\/resurssit\/w-labs\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-2\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Jaa X:ss\u00e4 (Twitter)\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n                <\/div>\n                                                <div class=\"wp-block-two-column-block__right\">\n                                <div class=\"wp-component-paragraph wp-block-two-column-block__paragraph \">\n    <p>In the third part of WithSecure 
Consulting&#x27;s Attack Detection Workshop series, covering Discovery and Lateral Movement, we explored a number of offensive techniques for discovering assets of value, be they users or file shares, and methods for moving between compromised hosts.<\/p>\n<p>We also explored the detection strategies that can be employed to spot these using our own detection stacks. As with previous workshops, the following blog provides a second step-by-step guide to recreating the demos from that Discovery and Lateral Movement workshop, as well as exercises to further the reader&#x27;s understanding of the concepts shown.<\/p>\n<p>A recording of the workshop can be found <a href=\"https:\/\/youtu.be\/Pv8eHC1a_bc\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p>Last <a href=\"https:\/\/labs.withsecure.com\/blog\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-1\/\" target=\"_blank\" rel=\"noopener\">time<\/a>, we explored the detection opportunities presented by attackers attempting to identify users of interest. We made use of Event Tracing for Windows (ETW) to log and scrutinize the LDAP queries that were generated when performing the initial query for kerberoastable and AS-REP roastable users, as well as when retrieving information about users and groups. We also did a basic review of some of the codebase for Rubeus to identify queries to hunt for.<\/p>\n<p>This time, we\u2019re going to take a look at another enumeration activity: exposed file shares. In a large enterprise environment there are often file shares that are either intentionally or unintentionally exposed. Performing offensive engagements, we often find sensitive material in these file shares, including passwords, that can provide a simple path of privilege escalation. 
For this lab, we\u2019ll be making use of a simple C# tool, Dwight Hohnstein\u2019s <a href=\"https:\/\/github.com\/djhohnstein\/SharpShares\" target=\"_blank\" rel=\"noopener\">SharpShares<\/a>, to perform our initial enumeration. After that, we\u2019ll look at a particular file share of interest, SYSVOL, and identify a detection strategy for attacks searching for Group Policy Preference files which could contain credential <a href=\"https:\/\/adsecurity.org\/?p=2288\" target=\"_blank\" rel=\"noopener\">material<\/a>.<\/p>\n<p>As we did in the first lab, we\u2019ll be making use of the logs provided by the Microsoft-Windows-LDAP-Client ETW provider, but we\u2019ll also look at Windows Event Logs for evidence of suspicious activity. We\u2019ll be using Ruben Boonen\u2019s SilkService tool to capture our ETW events (again using the configuration shown below), and we\u2019ll use Roberto Rodriguez\u2019s HELK for doing some analysis, but as our SilkService configuration logs to the system Event Log, you can view the logs there if you choose.<\/p>\n<pre><code class=\"language-bash\">&lt;SilkServiceConfig&gt;\n&lt;!--\nMicrosoft-Windows-LDAP-Client ETW Provider\n--&gt;\n&lt;ETWCollector&gt;\n&lt;Guid&gt;859efb51-6985-480f-8094-77192b2a7407&lt;\/Guid&gt;\n&lt;CollectorType&gt;user&lt;\/CollectorType&gt;\n&lt;ProviderName&gt;099614a5-5dd7-4788-8bc9-e29f43db28fc&lt;\/ProviderName&gt;\n&lt;UserKeywords&gt;0x1&lt;\/UserKeywords&gt;&lt;!--Search--&gt;\n&lt;OutputType&gt;eventlog&lt;\/OutputType&gt;\n&lt;\/ETWCollector&gt;\n&lt;\/SilkServiceConfig&gt;<\/code><\/pre>\n<p>For this lab, we\u2019re also going to enable auditing of object access. 
We can do this in Group Policy at:<\/p>\n<pre><code class=\"language-bash\">Computer Configuration &gt; Policies &gt; Windows Settings &gt; Security Settings &gt; Local Policies &gt; Audit Policies &gt; Audit object access<\/code><\/pre>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/audit-policy.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>There are options here to enable logging for successful file access attempts, as well as failures. For our lab, we\u2019ll capture both.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/audit-policy-2.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<h2>References<\/h2>\n<ul>\n<li><a href=\"https:\/\/github.com\/fireeye\/SilkETW\" target=\"_blank\" rel=\"noopener\">SilkETW and SilkService<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/djhohnstein\/SharpShares\" target=\"_blank\" rel=\"noopener\">SharpShares<\/a><\/li>\n<li><a href=\"https:\/\/medium.com\/threat-hunters-forge\/threat-hunting-with-etw-events-and-helk-part-1-installing-silketw-6eb74815e4a0\" target=\"_blank\" rel=\"noopener\">Threat Hunting with ETW Events and HELK<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-gb\/archive\/blogs\/ntdebugging\/part-1-etw-introduction-and-overview\" target=\"_blank\" rel=\"noopener\">Microsoft ETW Introduction and Overview<\/a><\/li>\n<\/ul>\n<p>DISCLAIMER: Set up of the tools and the testing environment might not be covered comprehensively within this lab. We will assume basic familiarity with Linux\/Windows command line and the ability of the reader to deploy the necessary frameworks. 
For that, it is recommended to follow the suggested references for the official tutorials and walkthrough published by the framework&#x27;s author.<\/p>\n<h2>Required Tools<\/h2>\n<ul>\n<li>Active Directory domain with at least one DC and workstation<\/li>\n<li>HELK (optional)<\/li>\n<li>SilkService<\/li>\n<li>Sysmon<\/li>\n<li>SharpShares<\/li>\n<\/ul>\n<h2>Walkthrough<\/h2>\n<h3>1 \u2013 Environment Setup<\/h3>\n<p>In a typical corporate environment, there are often many file shares that would be suitable candidates for pivoting through. For our testing lab though, we\u2019re going to need to create one.<\/p>\n<p>In our case, as we\u2019re only using a single domain controller and workstation, we\u2019re going to create our share on our DC. Create a folder (named \u201cc3\u201d in our case), right-click and select \u201cShare with -&gt; Specific People\u2026\u201d<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/share-folder2.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>From here, we can see a list of existing users that have access &#8211; select \u201cEveryone\u201d. The name is relatively self-explanatory but for clarity, Microsoft refers to this built-in group as <a href=\"https:\/\/docs.microsoft.com\/en-us\/previous-versions\/windows\/it-pro\/windows-server-2003\/cc780850(v=ws.10)?redirectedfrom=MSDN\" target=\"_blank\" rel=\"noopener\">follows<\/a>:<\/p>\n<p>On computers running Windows Server 2003 operating systems, Everyone includes Authenticated Users and Guest. 
On computers running earlier versions of the operating system, Everyone includes Authenticated Users and Guest plus Anonymous Logon.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/share-everyone.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>We\u2019re then going to set the access of \u201cEveryone\u201d to Read\/Write.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/c3-shared.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>When that\u2019s done, we should be able to access the share by browsing to \\\\DC2\\c3 (or whatever the equivalent is in your lab setup) from the workstation host.<\/p>\n<h3>2 \u2013 Building and Executing SharpShares<\/h3>\n<p>Firstly, we\u2019re going to need to download and compile the SharpShares executable (we can do this on our \u2018attacker\u2019 host and copy the binary over to our \u2018target\u2019 host, or for the purposes of this lab, just compile it on the \u2018target\u2019). 
<a href=\"https:\/\/github.com\/djhohnstein\/SharpShares\/archive\/master.zip\" target=\"_blank\" rel=\"noopener\">Download<\/a> the project files and unzip them.<\/p>\n<p>Opening a PowerShell window in the SharpShares directory, we can use the built-in C# compiler, csc.exe, to build our executable:<\/p>\n<pre><code class=\"language-bash\">C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe \/out:SharpShares.exe .\\Program.cs<\/code><\/pre>\n<p>If the build has succeeded, we should see SharpShares.exe now present in the directory.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/build-sharpshares.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>On our domain-joined target host, execute SharpShares with the following argument:<\/p>\n<pre><code class=\"language-bash\">.\\Sharpshares.exe shares<\/code><\/pre>\n<p>Depending on the setup of your lab, you should see something similar to the following:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/share-enumeration.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>We can see that we have access to several default Windows shares including C$ and ADMIN$, as well as some specific Active Directory shares, NETLOGON$ and SYSVOL$. Notably in this case, we can see that our DC2 domain controller host is also exposing an extra share, C3. We\u2019ll find a use for that in the next lab!<\/p>\n<h3>3 \u2013 SharpShares LDAP Queries<\/h3>\n<p>Now we\u2019ve discovered our exposed file shares, let\u2019s explore one way we could find evidence of us doing so. 
Let\u2019s see if we can use the same methodology we employed last time, reviewing some of the tool\u2019s codebase and seeing if there are any LDAP queries we could hunt for.<\/p>\n<p>You don\u2019t need to understand all the ins and outs of the code, but at a high level the flow is as follows:<\/p>\n<ul>\n<li>Get a list of the domain controllers in the domain &#8211; <a href=\"https:\/\/github.com\/djhohnstein\/SharpShares\/blob\/master\/Program.cs#L121\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/li>\n<li>Take the first of these and fetch all computer objects &#8211; <a href=\"https:\/\/github.com\/djhohnstein\/SharpShares\/blob\/master\/Program.cs#L175\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/li>\n<li>For each of these computers, query the available shares and attempt to read the contents of each one &#8211; here.<\/li>\n<\/ul>\n<p>Let\u2019s look at that first step then. To retrieve our domain controllers we\u2019re using the functions provided by the &quot;System.DirectoryServices.ActiveDirectory&quot; namespace. We can see this from the directives at the top of the Program.cs file.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/sharpshares-eval-0.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Now, unlike the Rubeus code we looked at last time, we\u2019re not constructing LDAP filters at this point. 
All the heavy lifting is being done by that GetCurrentDomain() method, followed by an enumeration of the DomainControllers <a href=\"https:\/\/docs.microsoft.com\/en-us\/dotnet\/api\/system.directoryservices.activedirectory.domain.domaincontrollers?view=dotnet-plat-ext-3.1#System_DirectoryServices_ActiveDirectory_Domain_DomainControllers\" target=\"_blank\" rel=\"noopener\">property<\/a>.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/get-domain-controllers-code.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>At this point, we can cheat ever so slightly and work backwards from the LDAP queries we\u2019ve observed from our SharpShares process. One interesting candidate is shown below:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/get-domain-controllers.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>The two fields on the far right of this Kibana entry correspond to the \u201cSearchFilter\u201d and \u201cAttributeList\u201d respectively. Effectively these mean \u201cwhat are we searching for?\u201d and \u201cwhat details do we want to know?\u201d. We\u2019ll see more of this shortly, but a simple example could be querying for all users, and only returning their user names, rather than all the other data about them held in AD.<\/p>\n<p>So, could this query be the result of that code block above?<\/p>\n<pre><code class=\"language-bash\">(|(&amp;(objectCategory=nTDSDSA)(hasMasterNCs=DC=uk,DC=mwr,DC=com))(&amp;(objectCategory=nTDSDSARO)(msDS-hasFullReplicaNCs=DC=uk,DC=mwr,DC=com))(objectCategory=ser<\/code><\/pre>\n<p>Without breaking this whole filter down to each element, for now let\u2019s just pull out that first one \u2013 \u201cobjectCategory=nTDSDSA\u201d. 
A quick look at Microsoft documentation tells us:<\/p>\n<p>On a DC, the nTDSDSA object represents the replication agent, which is responsible for processing the DRS Protocol. The GUID of this nTDSDSA object is invariant for the lifetime of the DC. The implementation MAY use this GUID value as an alternative identifier for the DC.<\/p>\n<p>Sounds like we might have found our Domain Controller LDAP query! As we\u2019ve done before, we can open Active Directory Users and Computers (ADUC) and perform a custom search with this query to confirm our suspicions.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/get-domain-controllers-ldap.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Ok, we now know the cause of that query, but it\u2019s reasonable to assume SharpShares isn\u2019t going to be the only thing making use of a default function for looking up DCs. Let\u2019s move onto the next step in the code \u2013 fetching the names of all computer objects.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/get-domain-computers-code.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Now we\u2019re into familiar LDAP query building territory. It\u2019s a simple query this time:<\/p>\n<pre><code class=\"language-bash\">(objectClass=computer)<\/code><\/pre>\n<p>We mentioned the \u201cAttributeList\u201d field previously. Looking at this code block, we can see this is being used to retrieve only the \u201cname\u201d field of any computer objects. 
Turning to our ETW LDAP log, we can see this in action.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/get-domain-computers-ldap.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<h3>4 &#8211; SharpShares File Share Access<\/h3>\n<p>Moving on to the last stage in the SharpShares program flow, we\u2019re looking for evidence of us attempting to access shares on each of the computers in the domain. Now, even in the simple lab environment we have set up here &#8211; with just a few shares present &#8211; looking through event IDs 5140 and 5145\u2026 it\u2019s pretty clear something dodgy has taken place!<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/helk-1.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>The 5140 events are generated each time our user attempts to access a given <a href=\"https:\/\/www.ultimatewindowssecurity.com\/securitylog\/encyclopedia\/event.aspx?eventID=5140\" target=\"_blank\" rel=\"noopener\">share<\/a>, while the 5145s are generated for every access attempt to a given share <a href=\"https:\/\/www.ultimatewindowssecurity.com\/securitylog\/encyclopedia\/event.aspx?eventID=5145\" target=\"_blank\" rel=\"noopener\">object<\/a>.<\/p>\n<p>Notably in the above Kibana search, we can see all the \u201cAudit Failures\u201d in the \u201cKeywords\u201d field (second column from the right). 
Examples of successful and failed share access attempts can be seen below:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/share-enum-admin-share-fail.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/share-enum-admin-share-c3-success.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>We can see from the LDAP queries and object access events that we have a few opportunities to detect this share enumeration.<\/p>\n<p>As an aside, when reviewing the percentage of LDAP queries recorded in the lab over a ten-day period, 96% were generated by the svchost and lsass processes; the remaining 4% were from SharpShares and our Grunt implant. Of course, every environment is different, and this might not scale to a full enterprise environment, but it is worth noting!<\/p>\n<p>Arguably the most incriminating telemetry is the comparatively large volume of file share access events and the number of distinct shares being accessed.<\/p>\n<p>While we can\u2019t really demonstrate it in our small lab setup, at an enterprise scale, we also have the high volume of new network connections (Sysmon Event ID 3) as we enumerate and connect to every computer object in the environment.<\/p>\n<p>Furthermore, while we won\u2019t touch on it too much here, from a network traffic perspective, if we capture and inspect the SharpShares network traffic using Wireshark we can first see the traffic for initially requesting a list of shares.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/smb-traffic-in-wireshark2.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Followed by our attempts to access each one, including details of the success and failure.<\/p>\n<figure><img decoding=\"async\" 
src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/smb-traffic-in-wireshark.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<h3>5 \u2013 Group Policy Preference Files<\/h3>\n<p>At this point, we\u2019ve got a few methods for detecting the enumeration and access of file shares. As a final exercise for this lab, we can apply this to identify instances of suspicious access to Group Policy Preference files.<\/p>\n<p>Historically, Group Policy Preference (GPP) files provided administrators with an automated means of customising settings on domain-joined hosts. This included creating local users, setting scheduled tasks and changing local administrator passwords. Domain computers could then fetch these preference files and apply them.<\/p>\n<p>Where credentials were required to achieve the customisation, e.g. in the case of setting the new local administrator password, they could be embedded in the GPP files\u2019 \u201ccpassword\u201d field using reversible encryption. Microsoft released a patch (<a href=\"https:\/\/support.microsoft.com\/en-us\/help\/2962486\/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevati\" target=\"_blank\" rel=\"noopener\">KB2962486<\/a>) to prevent the further storage of passwords in GPP files, and the key used for this encryption has since been made <a href=\"https:\/\/docs.microsoft.com\/en-us\/openspecs\/windows_protocols\/ms-gppref\/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be?redirectedfrom=MSDN\" target=\"_blank\" rel=\"noopener\">public<\/a>.<\/p>\n<p>Notably, installation of that patch didn\u2019t remove pre-existing instances of the encrypted passwords and these had to be actively removed by administrators.<\/p>\n<p>So, cool story\u2026 what does it mean for us? 
The upshot of all of this is that there is the potential for passwords &#8211; potentially local administrator passwords (if a solution like <a href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=46899\" target=\"_blank\" rel=\"noopener\">LAPS<\/a> isn\u2019t in place) \u2013 to be stored in a reversible format in SYSVOL files that, by design, any domain user or computer can access. Of course, this was patched years ago and we\u2019d never find instances of this now, would we! \u00af\\_(\u30c4)_\/\u00af<\/p>\n<p>There are a number of tools that automate the discovery and decryption of GPP passwords, but for this exercise we\u2019re going super simple and using the findstr utility built into Windows, running the following command:<\/p>\n<pre><code class=\"language-bash\">findstr \/S \/I cpassword \\\\[FQDN]\\sysvol\\[FQDN]\\policies\\*.xml<\/code><\/pre>\n<p>The arguments are as <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/administration\/windows-commands\/findstr\" target=\"_blank\" rel=\"noopener\">follows<\/a>:<\/p>\n<ul>\n<li>\/S \u2013 searches the current directory and all subdirectories.<\/li>\n<li>\/I \u2013 ignores the case of the characters when searching for the string.<\/li>\n<li>cpassword \u2013 the string we\u2019re looking for.<\/li>\n<li>\\\\[FQDN]\\sysvol\\[FQDN]\\policies\\*.xml \u2013 the SYSVOL folder for our target domain.<\/li>\n<\/ul>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/gpp-findstr.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>If we filter for our 5145 events as before, we can see multiple entries, as our findstr command enumerates through the policies folder looking for instances of \u201ccpassword\u201d.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/sysvol-gpp.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Of course, as we mentioned above, 
these policy files are accessed by other hosts on the network by design. Evidence of this access alone is hardly a smoking gun, but we can refine this search!<\/p>\n<p>GPP files, specifically those containing machine customisations (like our local administrator password changes), are intended to be accessed and utilised by Active Directory computer accounts. Computer accounts in AD are denoted by their \u201c$\u201d suffix, so we can filter our search based on this. As Samir Bousseaden <a href=\"https:\/\/twitter.com\/SBousseaden\/status\/1187270127131250688\" target=\"_blank\" rel=\"noopener\">notes<\/a>, a query similar to the following can give us what we need:<\/p>\n<pre><code class=\"language-bash\">event.code: 5145 AND share_name:\\\\*\\sysvol AND share_relative_target_name:*\\policies\\*\\Machine\\* AND NOT user_name:*$<\/code><\/pre>\n<p>This filter strips out the expected computer-account access rather than proving malicious intent: a user account reading files under the Machine policy path will still match, so any hits should be triaged against legitimate administrative activity before being escalated.<\/p>\n<h2>Conclusion<\/h2>\n<p>In this second lab of the Discovery workshop we covered how an attacker could enumerate exposed file shares, and explored opportunities to detect it. As in previous labs, we reviewed some of the tool\u2019s codebase to inform our detection. Using our LDAP ETW log again, we also explored the actionable logs produced with enhanced auditing of object access. This allowed us to develop a detection for an attacker enumerating Group Policy Preference files in the hopes of finding some passwords!<\/p>\n<p>Of course, there are limitations to the detections we\u2019ve explored. 
Share enumeration performed \u2018low and slow\u2019 could easily blend into typical corporate traffic, and legitimate network scanning or auditing tools could easily exhibit the same behaviours.<\/p>\n<p>The main takeaways from this second lab are:<\/p>\n<ul>\n<li>An introduction to two techniques used for enumerating file shares and their contents.<\/li>\n<li>The value of object access logs for detecting these activities.<\/li>\n<li>Leveraging an understanding of expected GPP file access to fine-tune our search for suspicious activity.<\/li>\n<\/ul>\n<p>Now\u2026 about that C3 <a href=\"https:\/\/labs.withsecure.com\/blog\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-3\/\" target=\"_blank\" rel=\"noopener\">share<\/a>!<\/p>\n<\/div>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/fi\/resurssit\/w-labs\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-2\/&#038;title=Attack%20Detection%20Fundamentals:%20Discovery%20and%20Lateral%20Movement%20&#8211;%20Lab%20#2\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Jaa LinkedIniss\u00e4\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            
           <svg class='edwp-icon edwp-icon--reg js-icon ' aria-hidden='true'>\n                <use xlink:href='#chevron'><\/use>\n            <\/svg>                    <\/div>\n                <\/div>\n            <\/div>\n                                    <\/div>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>In the third part of WithSecure Consulting&#8217;s Attack Detection Workshop series, covering Discovery and Lateral Movement, we explored a number of offensive techniques for discovering assets of value, be that users or file shares, and methods for moving between compromised hosts.<\/p>\n","protected":false},"author":3,"featured_media":0,"template":"","categories":[302,334,350],"labs_content_type":[305],"class_list":["post-10560","lab_item","type-lab_item","status-publish","hentry","category-attack-detection","category-dfir","category-identity-security"],"acf":[],"card":"<div class=\"wp-component-card-insight js-card-link wp-component-card-insight--highlighted\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg\" class=\"wp-component-card-insight__image\" alt=\"\" decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg 618w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-300x214.jpg 300w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-447x318.jpg 447w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-205x146.jpg 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/Labs<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div 
class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Dfir<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Identity security<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Attack Detection Fundamentals: Discovery and Lateral Movement &#8211; Lab #2<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">In the third part of WithSecure Consulting&#039;s Attack Detection Workshop series, covering Discovery and Lateral Movement, we explored a number of offensive techniques for discovering assets of value, be that users or file shares, and methods for moving between compromised hosts.<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary btn--dark wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/fi\/resurssit\/w-labs\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-2\/\">Lue lis\u00e4\u00e4<\/a>            <\/div>\n            
<\/div>\n<\/div>","_links":{"self":[{"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/lab_item\/10560","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/lab_item"}],"about":[{"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/types\/lab_item"}],"author":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/users\/3"}],"wp:attachment":[{"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/media?parent=10560"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/categories?post=10560"},{"taxonomy":"labs_content_type","embeddable":true,"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/labs_content_type?post=10560"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}