{"id":598,"date":"2025-02-13T20:42:58","date_gmt":"2025-02-13T20:42:58","guid":{"rendered":"http:\/\/thetrueartist.co.uk\/?p=598"},"modified":"2025-02-24T13:42:44","modified_gmt":"2025-02-24T13:42:44","slug":"a-simple-yet-effective-windows-defender-bypass-other-av-engines-too","status":"publish","type":"post","link":"http:\/\/thetrueartist.co.uk\/index.php\/2025\/02\/13\/a-simple-yet-effective-windows-defender-bypass-other-av-engines-too\/","title":{"rendered":"A Simple Yet Effective Windows Defender Bypass (Other AV Engines Too!)"},"content":{"rendered":"\n<p>Recently when researching different tactics threat actors use to bypass AV (Anti-Virus) engines I discovered this very simple yet effective &#8220;bypass&#8221;.<\/p>\n\n\n\n<div style=\"height:18px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>After learning how to build a relatively basic C++ ransomware I was wondering which techniques are likely to succeed in bypassing anti viruses.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1079\" height=\"982\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2025\/02\/image.png\" alt=\"\" class=\"wp-image-601\"\/><figcaption class=\"wp-element-caption\">library prep snippet before XOR encoding strings &amp; dynamic API allocation\/obfuscation<\/figcaption><\/figure>\n\n\n\n<div style=\"height:18px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>After building out tools like the usual XOR string encoders, dynamic API allocation at runtime and sandbox detection etc for the ransomware &#8230; I was wondering if there is a way to completely get around anti virus engines noticing that the users files are being encrypted.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1353\" height=\"1004\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2025\/02\/image-1.png\" alt=\"\" class=\"wp-image-602\"\/><figcaption class=\"wp-element-caption\">library prep snippet with XOR encoding strings &amp; dynamic API allocation\/obfuscation<\/figcaption><\/figure>\n\n\n\n<p>The issue with bypassing AVs with ransomware is that even if you get around static detection, or even dynamic detection for a while, a decent AV or EDR solution should always spot that the users files are being encrypted and renamed at light speed. While many AV Engines that I have tested crumble alone with simple XOR encoding and dynamic API calls, many are decent enough to catch them encrypting files at runtime, or even when AP.<\/p>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Bypassing Defender<\/h2>\n\n\n\n<p>To successfully bypass Defender and other AVs I discovered a technique that completely evades modern engines.<\/p>\n\n\n\n<p>It exploits safemode to do this. <\/p>\n\n\n\n<div style=\"height:57px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">What is safemode?<\/h3>\n\n\n\n<p>Safemode is a diagnostic tool that only loads critical drivers and services that run Windows. It is normally used to help troubleshoot issues by running the system with minimal functionality, in an attempt to make it easier to troubleshoot problems with software, drivers or, ironically, even malware.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>With safemode in its most minimal of configurations Microsoft Defender or similar AVs\/EDRs will not run.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>With this idea I was set on making a packer that could exploit this vulnerability.<\/p>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Custom Packer<\/h2>\n\n\n\n<p>This packer that exploits safemode is mostly like any other, it encrypts the executable file until detonation. However where this one differs is in its stages and how it unpacks, as well how it uses safemode.<\/p>\n\n\n\n<div style=\"height:18px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Upon detonating it elevates itself to admin before saving itself to C:\\Windows\\System32\\smploader.exe, it sets itself to execute at user logon with a Userinit registry key, as well as registering it as a service that runs in safemode.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"626\" height=\"225\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2025\/02\/image-3.png\" alt=\"\" class=\"wp-image-615\"\/><\/figure>\n\n\n\n<div style=\"height:18px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p><br>It then checks to see if the machine is in safemode using different environment variables and registry keys, both at initial runtime and after reboot.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1028\" height=\"734\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2025\/02\/image-2.png\" alt=\"\" class=\"wp-image-614\"\/><\/figure>\n\n\n\n<div style=\"height:18px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>If it is not in safemode it attempts to restart into minimal safemode and sets the smploader.exe to run once with the &#8211;safemode parameter.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1039\" height=\"239\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2025\/02\/image-6.png\" alt=\"\" class=\"wp-image-619\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"746\" height=\"206\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2025\/02\/image-4.png\" alt=\"\" class=\"wp-image-616\"\/><\/figure>\n\n\n\n<div style=\"height:18px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>It has protections so that it isnt in a perma boot-loop.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1131\" height=\"369\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2025\/02\/image-5.png\" alt=\"\" class=\"wp-image-618\"\/><\/figure>\n\n\n\n<div style=\"height:18px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>To attempt to look realistic it uses the winAPI &#8220;InitiateSystemShutdownExA&#8221; with a custom message:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"869\" height=\"341\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2025\/02\/image-8.png\" alt=\"\" class=\"wp-image-621\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1446\" height=\"592\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2025\/02\/image-7.png\" alt=\"\" class=\"wp-image-620\"\/><\/figure>\n\n\n\n<div style=\"height:18px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>From there it reboots into minimal safemode, it then automatically launches (in this case) from C:\\Windows\\System32\\smploader.exe &#8211;safemode.<\/p>\n\n\n\n<div style=\"height:18px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>It then verifies that it is in safemode before unpacking.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1060\" height=\"655\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2025\/02\/image-9.png\" alt=\"\" class=\"wp-image-623\"\/><\/figure>\n\n\n\n<div style=\"height:18px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>From there it can basically do anything, as there is no AV\/EDR, and you do not even need UAC permission to execute binaries as admin.<\/p>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Application for Ransomware\/Malware<\/h2>\n\n\n\n<p>With this being said, this bypass is pretty perfect for ransomware, as there is no threat of AV&#8217;s being able to stop it once it has been unpacked in safemode. With even Microsoft Defender implementing &#8220;Controlled folder access&#8221; it is getting harder to successfully execute ransomware, with this bypass as long as the packer is properly obfuscated and it is not detected before it reboots into safemode, then the ransomware payload has a 100% chance of working with Windows systems supporting safemode.<\/p>\n\n\n\n<div style=\"height:18px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p><strong>There are some small caveats:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You need to elevate to admin after runtime<\/li>\n\n\n\n<li>For a &#8220;real&#8221; threat actor&#8217;s ransomware you would need to get the private and public keys for encryption\/decryption before unpacking in safemode<\/li>\n\n\n\n<li>And for other types of malware (infostealers for example) that need internet access, you would need to have your internet enabled features either before or after entering minimal safemode <\/li>\n<\/ul>\n\n\n\n<p>These caveats are quite minor in my opinion, especially for infostealers, as after unpacking you could easily write exclusions for your binaries in safemode, gather credentials, then when rebooting into windows normally you could easily exfiltrate credentials. For ransomware it is a bit more complicated with the encryption and decryption keys, but it is still very doable.<\/p>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Showcase<\/h2>\n\n\n\n<p>This is a showcase of the bypass working, it is in a time lapse in parts as I have implemented extremely long sleeps between stages of its execution:<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Custom Ransomware Bypasses Windows Defender Using Safemode Packer\" width=\"640\" height=\"360\" src=\"https:\/\/www.youtube.com\/embed\/iV0SLdlw-hk?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Real World Testing<\/h2>\n\n\n\n<p>To verify how effective this AV bypass is, I tested it with many of the top anti-virus engines. This could be seen as a real world AV review with decently capable fresh malware, depending on the quality of my programing :p<\/p>\n\n\n\n<div style=\"height:39px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Tests<\/h3>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h5 class=\"wp-block-heading\">Here is how I&#8217;ve tested and what I mean by &#8220;success&#8221; or &#8220;fail&#8221;:<\/h5>\n\n\n\n<p><strong>Bypass Rate:<br>success = ransomware was able to run (and actually ransom files)<br>fail = ransomware was not able to run (it was blocked)<\/strong><\/p>\n\n\n\n<p>Additionally all fails (apart from Zone Alarm and Kaspersky) were at runtime. All AV engines were set to their maximum levels of protection. In case anyone is wondering, I haven&#8217;t tested AVs like ClamAV or Malwarebytes free, as they are not good at, or can&#8217;t, detect malware at runtime.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>Antivirus<\/strong><\/td><td><strong>QuagRanObfuscated<\/strong><\/td><td><strong>QuagRanObfuscatedBasicPacked<\/strong><\/td><td><strong>QuagRanObfuscatedSafemodePacked<\/strong><\/td><\/tr><tr><td>Microsoft Defender<\/td><td>success<\/td><td>fail<\/td><td>success<\/td><\/tr><tr><td>Bitdefender Free<\/td><td>fail<\/td><td>fail <\/td><td>fail<\/td><\/tr><tr><td>Kaspersky Free<\/td><td>fail <\/td><td>fail<\/td><td>fail<\/td><\/tr><tr><td>Avast\/AVG Free<\/td><td>success<\/td><td>fail<\/td><td>fail<\/td><\/tr><tr><td>Sophos Home Free<\/td><td>fail<\/td><td>fail<\/td><td>success<\/td><\/tr><tr><td>ESET NOD32 Free<\/td><td>fail<\/td><td>fail<\/td><td>success<\/td><\/tr><tr><td>Zone Alarm Free<\/td><td>success<\/td><td>success<\/td><td>fail<\/td><\/tr><tr><td>Panda AV Free<\/td><td>success<\/td><td>success<\/td><td>success<\/td><\/tr><tr><td>Tencent PC Manager<\/td><td>success<\/td><td>success<\/td><td>success<\/td><\/tr><tr><td>Trend Micro: Max Sec<\/td><td>fail<\/td><td>fail<\/td><td>fail<\/td><\/tr><tr><td>Avira Free<\/td><td>fail<\/td><td>fail<\/td><td>fail<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<div style=\"height:39px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>I&#8217;ve tried not to cherry pick AV vendors, and I feel like this is a pretty fair list when looking at their performance, although I myself have not heard of a couple of them.<\/p>\n\n\n\n<div style=\"height:39px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Tencent PC Manager was a funny experience, it has an insane amount of bloat, trying to translate the Chinese to English was fun. I&#8217;ve included it as China is a big market, although I have no idea how popular this AV suite is.<br><\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"959\" height=\"609\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2025\/02\/image-11.png\" alt=\"\" class=\"wp-image-645\" style=\"width:524px;height:auto\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1170\" height=\"1065\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2025\/02\/image-12.png\" alt=\"\" class=\"wp-image-647\" style=\"width:525px;height:auto\"\/><\/figure>\n\n\n\n<div style=\"height:39px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Like many AVs I&#8217;ve tested, it detected the basic samples after a while&#8230; but by that point the ransomware had already encrypted so many user files and .sys files\/internals, I&#8217;ve counted it as a fail. <\/p>\n\n\n\n<div style=\"height:39px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Tragically in the safemode packer test the &#8220;Tencent PC Manager&#8221; tries to block the bcdedit safemode modifier commands, but fails and it boots into safemode anyway, becoming victim to the post safemode ransoming of files.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"725\" height=\"932\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2025\/02\/image-14.png\" alt=\"\" class=\"wp-image-677\" style=\"width:737px;height:auto\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"2560\" height=\"1439\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2025\/02\/image-13.png\" alt=\"\" class=\"wp-image-659\" style=\"width:740px;height:auto\"\/><\/figure>\n\n\n\n<div style=\"height:39px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Hilariously the Tencent bloat actually runs in safemode, which is bonkers as basically every western AV\/EDR does not work in minimal safemode because it goes against the whole point of minimal safemode&#8230; perhaps it is worse than the ransomware&#8230;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1494\" height=\"1135\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2025\/02\/tencentPCMANAGERworksinsafemode.png\" alt=\"\" class=\"wp-image-672\"\/><\/figure>\n\n\n\n<div style=\"height:39px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Even though the AV process(es?) are inappropriately running in safemode, they didn&#8217;t actually stop the ransoming of files. At this point I am wondering if the Tencent Devs making this run in safemode was deliberate or just sloppy programing (obviously deliberate given the necessary adding of processes to run in safemode, but still, I wonder if there was a somewhat plausible reason.)<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1922\" height=\"1436\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2025\/02\/image-17.png\" alt=\"\" class=\"wp-image-683\"\/><\/figure>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p><\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Pictures of AVs VS Ransomware<\/h4>\n\n\n\n<div style=\"height:14px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p><strong>Sophos Home Free<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"2560\" height=\"1439\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2025\/02\/sohposSafemodeBypass.png\" alt=\"\" class=\"wp-image-686\"\/><\/figure>\n\n\n\n<div style=\"height:39px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p><strong>ESET NOD32<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"2560\" height=\"1440\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2025\/02\/ESETNOD32quagransomwareWORKING.png\" alt=\"\" class=\"wp-image-687\"\/><\/figure>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>Microsoft should make it harder to simply use bcdedit to modify configurations and boot into safemode, and AV\/EDR vendors need to have their heuristics blacklist and pickup on binaries exploiting safemode more often.<\/p>\n\n\n\n<div style=\"height:15px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>I find it particularly strange that any unsigned program can use these safemode modifier bcdedit commands, as my ransomware samples were unsigned. Surely Microsoft should restrict these commands to at least signed programs, or ideally only allow signed programs from either Microsoft verified troubleshooting publishers or Microsoft themselves.<\/p>\n\n\n\n<div style=\"height:15px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>I would ordinarily share my code for this, but given the topic I will not share my ransomware, packer, or automatic C++ obfuscator code, even though it is unlikely that anyone would want it in the first place \ud83d\ude09 <\/p>\n\n\n\n<div style=\"height:57px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p><strong><em>&#8212; TTA<\/em><\/strong><\/p>\n\n\n\n<div style=\"height:57px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<details class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary><strong><em>For questions, collaboration, or to report vulnerabilities, feel free to reach out<\/em><\/strong>:<\/summary>\n<p><strong><em><a>thetrueartisto1@proton.me<\/a><\/em><\/strong><\/p>\n<\/details>\n","protected":false},"excerpt":{"rendered":"<p>Recently when researching different tactics threat actors use to bypass AV (Anti-Virus) engines I discovered this very simple yet effective &#8220;bypass&#8221;. After learning how to build a relatively basic C++ ransomware I was wondering which techniques are likely to succeed in bypassing anti viruses. After building out tools like the usual XOR string encoders, dynamic [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":716,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[16,17,7,19],"tags":[],"class_list":["post-598","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ransomware","category-mal-dev","category-malware","category-windows-internals-2"],"_links":{"self":[{"href":"http:\/\/thetrueartist.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/598","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/thetrueartist.co.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/thetrueartist.co.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/thetrueartist.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/thetrueartist.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=598"}],"version-history":[{"count":95,"href":"http:\/\/thetrueartist.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/598\/revisions"}],"predecessor-version":[{"id":715,"href":"http:\/\/thetrueartist.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/598\/revisions\/715"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/thetrueartist.co.uk\/index.php\/wp-json\/wp\/v2\/media\/716"}],"wp:attachment":[{"href":"http:\/\/thetrueartist.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=598"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/thetrueartist.co.uk\/index.php\/wp-json\/wp\/v2\/categories?post=598"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/thetrueartist.co.uk\/index.php\/wp-json\/wp\/v2\/tags?post=598"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}