Red Team

Simulated Initial Access: Macros, LNK and ISO in an Isolated Windows 11 Lab

By Equipe Basilisk

We replayed three classic initial access vectors inside a sealed Windows 11 lab to see what the EDR actually logs and where detection quietly falls apart.

Anyone who works red team knows initial access is still the most stubborn chapter of the playbook. Office macros were declared dead in 2022 when Microsoft blocked VBA by default in files tagged as coming from the internet, and yet, throughout 2025, Mandiant kept mapping Storm-0978 campaigns delivering .docm via HTML smuggling. We built a lab on Windows 11 23H2 with Defender for Endpoint (ASR rules in audit mode) and Sysmon 15 using the SwiftOnSecurity config to replay three vectors: a classic VBA macro, an LNK with obfuscated arguments, and an ISO carrying an LNK plus a side-loaded DLL. Everything offline, in an isolated VLAN, snapshot before every run. The goal was never to break the EDR; it was to understand what it actually records.

First test, the macro. We crafted a .docm whose AutoOpen used WScript.Shell to fetch a payload via certutil. With Mark-of-the-Web intact, the macro never reached a prompt: Office's 2022 default blocks VBA outright in files tagged as from the internet, so there was nothing for Defender to inspect. Strip the MOTW (Unblock-File, or Clear-Content -Stream Zone.Identifier against the file, which empties the Zone.Identifier alternate data stream) and the macro fired. In Sysmon EventID 1 we saw winword.exe spawning cmd.exe with the full command line, and EventID 3 with the outbound connection on port 80. That maps cleanly to the Sigma rule proc_creation_win_office_susp_child_processes that most teams already own. To understand the full defensive pipeline it is worth revisiting Threat Hunting with Sigma and Elastic: From Indicator to Detection Rule and crossing it with Hunting Living-off-the-Land Binaries on Windows with KQL, because the issue is rarely that the rule does not exist; it is that nobody enabled it in production.
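The same Office-parent logic, run locally over the Sysmon channel and joined to EventID 3 by ProcessGuid, as an added example that is not part of the original post or of the Sigma rule it cites. It assumes Sysmon is installed with a config that logs EventIDs 1 and 3 and that the shell is elevated; the list of Office parent images and the column layout are our choices.

```powershell
# Added example, not from the original post. Replays the "Office product spawning
# a child process" detection over the local Sysmon log and joins each hit to the
# outbound connections (Event ID 3) made by that child, keyed on ProcessGuid.
# Assumes: Sysmon installed and logging Event IDs 1 and 3; elevated shell.

$LogName       = 'Microsoft-Windows-Sysmon/Operational'
$OfficeParents = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe')  # assumed watch list

# Flatten a Sysmon event's EventData into a hashtable keyed by field name.
function ConvertFrom-SysmonEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $xml    = [xml]$Record.ToXml()
    $fields = @{ TimeCreated = $Record.TimeCreated; Id = $Record.Id }
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

# Event ID 1: process creations whose parent is an Office binary.
$hits = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 1 } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-SysmonEvent $_ } |
    Where-Object { $_.ParentImage -and ($OfficeParents -contains (Split-Path $_.ParentImage -Leaf).ToLower()) }

# Event ID 3: network connections, indexed by the originating ProcessGuid.
$net = @{}
Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 3 } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-SysmonEvent $_ } |
    ForEach-Object { $net[$_.ProcessGuid] += @($_) }

foreach ($h in $hits) {
    [pscustomobject]@{
        Time        = $h.TimeCreated
        Parent      = $h.ParentImage
        Child       = $h.Image
        CommandLine = $h.CommandLine
        # Connections made by the child itself. A grandchild (certutil launched by
        # cmd.exe) needs a second hop: find Event ID 1 records whose
        # ParentProcessGuid equals $h.ProcessGuid and look those up in $net.
        Egress      = ($net[$h.ProcessGuid] | ForEach-Object { "$($_.DestinationIp):$($_.DestinationPort)" }) -join ', '
    }
}
```

Run it right after replaying the macro and the row for cmd.exe under winword.exe should appear with the full command line; if the Egress column is empty, the connection was made by certutil one level down, which is exactly the grandchild hop the comment describes and the reason a production rule should pivot on ParentProcessGuid rather than stop at the first child.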

Vector two: LNK. We built a shortcut whose target was powershell.exe -nop -w hidden -enc followed by the encoded script, with the icon lifted from a legitimate PDF. The LNK rides inside a .zip pulled through the browser; whether it still carries MOTW after extraction depends on the archiver, since Explorer propagates the flag and older 7-Zip builds do not. Here it gets interesting: SmartScreen weighs the reputation of the binary being called, not the LNK itself. powershell.exe has flawless reputation, so it sailed through. What caught it was PowerShell's own instrumentation: AMSI scanned the decoded script in memory, and Script Block Logging wrote it to EventID 4104 in Microsoft-Windows-PowerShell/Operational. Those are two separate mechanisms, AMSI gives Defender a chance to block, 4104 gives you the evidence. Without ScriptBlockLogging enabled by policy (still the case in many estates) the vector goes almost silent; PowerShell 5.1 still writes Warning-level 4104 records for script blocks that match its built-in suspicious-content list, but that is not something to build a detection on. Anyone wanting the offensive flip side should read AMSI and ETW Bypass for Defensive Research: What Blue Teams Should Know carefully, and defenders need the baseline described in Windows 11 Hardening for High-Risk Offensive Security Workstations.
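The check a defender wants before replaying this vector, plus the fallback when 4104 is missing, as an added example that is not part of the original post. It reads the Script Block Logging policy value, enables it for the lab, pulls the 4104 records, and decodes any -EncodedCommand argument found in Sysmon EventID 1 command lines so the hidden script is visible even on a host that never logged it. The registry path and the 4104 property index are the documented ones; the regex for the -enc prefixes is our own.

```powershell
# Added example, not from the original post. Audits and enables Script Block
# Logging, lists 4104 records, and decodes "-enc" arguments from Sysmon Event ID 1.
# Assumes: elevated shell, Sysmon logging Event ID 1.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

function Get-ScriptBlockLoggingState {
    $v = Get-ItemProperty -Path $PolicyKey -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'NotConfigured' }
    if ($v.EnableScriptBlockLogging -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Enable-ScriptBlockLogging {
    # Lab only: same registry value the GPO "Turn on PowerShell Script Block Logging" sets.
    New-Item -Path $PolicyKey -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

# Decode a -e / -enc / -EncodedCommand argument (UTF-16LE, base64) from a command line.
# The regex accepts those three spellings; PowerShell also accepts other prefixes of
# "EncodedCommand", so extend it if your samples use them.
function ConvertFrom-EncodedCommandLine {
    param([string]$CommandLine)
    if ($CommandLine -match '(?i)-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { return $null }
    }
    return $null
}

$state = Get-ScriptBlockLoggingState
"ScriptBlockLogging policy: $state"
if ($state -ne 'Enabled') {
    Enable-ScriptBlockLogging
    'Enabled for this lab; powershell.exe sessions started from now on will write 4104.'
}

# 4104 records. Level "Warning" entries are the built-in suspicious-content matches
# that PowerShell 5.1 writes even when the policy is off; Properties[2] is ScriptBlockText.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LevelDisplayName, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } }

# Sysmon Event ID 1 command lines that carry an encoded command, decoded.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x       = [xml]$_.ToXml()
        $cmd     = ($x.Event.EventData.Data | Where-Object Name -eq 'CommandLine').'#text'
        $decoded = ConvertFrom-EncodedCommandLine $cmd
        if ($decoded) { [pscustomobject]@{ Time = $_.TimeCreated; Decoded = $decoded } }
    }
```

The decoder is the part to keep: EventID 1 from Sysmon survives a ScriptBlockLogging gap, and the -enc blob is in the command line whether or not PowerShell ever logged the script it unpacked.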

Vector three was the most successful at looking benign: an ISO containing an LNK plus a legitimate, signed binary vulnerable to side-loading. Double-clicking the ISO mounts it, which is Windows 11 Explorer's default. The user sees just a "PDF" that is in fact the LNK invoking a renamed copy of OneDriveStandaloneUpdater.exe, which loads our version.dll from the same directory. Because a Microsoft-signed binary is the one calling LoadLibrary, Sysmon EventID 7 (Image loaded) records our unsigned DLL (Signed=false) while the loading process looks legitimate, and only if the Sysmon config includes ImageLoad events for that process: the SwiftOnSecurity config filters EventID 7 to a short include list, so check that the loader is covered before trusting the absence of a record. Defender stayed quiet. We had to flip on the ASR rule Block untrusted and unsigned processes that run from USB and extend it to mounted images, which Adversary Emulation with Caldera and MITRE ATT&CK in a Corporate Lab also walks through.
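Two checks for this vector, as an added example that is not part of the original post: a query over Sysmon EventID 7 for the side-load shape (an unsigned DLL loaded from outside the Windows and Program Files trees by a process in the same directory) and a read-back of the ASR rule state via Get-MpPreference, switched to Block when it is off or in audit. The rule GUID is the documented one for "Block untrusted and unsigned processes that run from USB"; the path filters and the same-directory heuristic are our assumptions.

```powershell
# Added example, not from the original post. (1) Hunts Sysmon Event ID 7 for a
# Microsoft-signed process loading an unsigned DLL from its own, user-writable
# directory; (2) reads and fixes the ASR rule state for the USB rule.
# Assumes: elevated shell; the Sysmon config logs ImageLoad for the loader.

$AsrUsbRule = 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'  # Block untrusted and unsigned processes that run from USB

function Get-SuspiciousImageLoads {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml(); $f = @{}
            foreach ($d in $x.Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
            # Loaded image unsigned or with an invalid signature...
            $unsigned = ($f.Signed -ne 'true') -or ($f.SignatureStatus -ne 'Valid')
            # ...from outside the OS and Program Files trees (assumed "trusted" roots)...
            $outsideTrusted = ($f.ImageLoaded -notlike "$env:SystemRoot\*") -and
                              ($f.ImageLoaded -notlike "$env:ProgramFiles\*")
            # ...and sitting next to the process that loaded it (classic side-load shape).
            $sameDir = (Split-Path $f.ImageLoaded -Parent) -eq (Split-Path $f.Image -Parent)
            if ($unsigned -and $outsideTrusted -and $sameDir) {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    Process   = $f.Image
                    Dll       = $f.ImageLoaded
                    DllStatus = $f.SignatureStatus
                }
            }
        }
}

# Action codes in AttackSurfaceReductionRules_Actions: 0 Disabled, 1 Block, 2 Audit, 6 Warn.
function Get-AsrRuleAction {
    param([string]$RuleId)
    $p   = Get-MpPreference
    $ids = @($p.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
    if ($ids.Count -eq 0) { return 'NotConfigured' }
    $i = [array]::IndexOf($ids, $RuleId.ToLower())
    if ($i -lt 0) { return 'NotConfigured' }
    switch ($p.AttackSurfaceReductionRules_Actions[$i]) {
        0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { 'Unknown' }
    }
}

Get-SuspiciousImageLoads | Format-Table -AutoSize

$action = Get-AsrRuleAction $AsrUsbRule
"ASR USB rule: $action"
if ($action -ne 'Block') {
    # Lab only. In production stage this through Intune or GPO and read the audit
    # events (Microsoft-Windows-Windows Defender/Operational, ID 1122) first.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrUsbRule -AttackSurfaceReductionRules_Actions Enabled
}
```

If the first query returns nothing after the ISO run, do not conclude the load was clean: check whether your Sysmon config's ImageLoad include list covers the loader at all, which is the configuration gap the text is pointing at.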

Looking at the three tests side by side, detection depends on configuration far more than on product choice. Sysmon without a curated config, PowerShell without ScriptBlockLogging, ASR forever in audit, MOTW dropped by older 7-Zip builds: each of those flips a visible vector into a blind one. Worth remembering that none of this is new; all three behaviors are already cataloged in MITRE ATT&CK as T1566.001 (Spearphishing Attachment), T1204.002 (User Execution: Malicious File) and T1574.002 (DLL Side-Loading), and have been for years. Teams that have not yet wired the loop described in Purple Team in Practice: Building a Red vs Blue Feedback Loop will keep rediscovering the same gaps instead of closing them once.

We also ran the full chain by standing up a minimal C2 just to validate the callback, on a separate VLAN so the simulation traffic never mingled with management traffic. The operational details of that piece live in Building C2 Infra with Sliver in an Isolated Lab for Defensive Research, which we already documented. The important point is that initial access does not end at execution; it ends at a stable beacon, and every hop after that has its own detection window. If you only watch Sysmon EventID 1 and never correlate it against DNS, TLS JA3 fingerprints and egress flows, you lose half the story.

Practical takeaway: do not burn a sprint rewriting macro obfuscation if your team has not yet enabled ScriptBlockLogging, deployed a curated Sysmon config and moved ASR out of audit. Replay the three vectors in this post inside an isolated, snapshotted lab with no path to production, and produce the evidence of which EventID fires at which stage. Document the gap. Only then does it make sense to push into noisier techniques like direct syscalls, which we cover in EDR Evasion for Research: Direct Syscalls Explained Without the Hype. An expensive tool without decent configuration remains a pretty dashboard while the adversary strolls across the empty lot next door.
