
# Detecting Sysmon on the Victim Host

## Processes

{% code title="attacker\@victim" %}

```powershell
PS C:\> Get-Process | Where-Object { $_.ProcessName -eq "Sysmon" }
```

{% endcode %}

![](/files/-LOOgheZa0IieeWu1os4)

{% hint style="warning" %}
Note: the process name can be changed during installation, so an empty result does not prove Sysmon is absent
{% endhint %}

## Services

{% code title="attacker\@victim" %}

```powershell
Get-CimInstance win32_service -Filter "Description = 'System Monitor service'"
# or
Get-Service | Where-Object { $_.DisplayName -like "*sysm*" }
```

{% endcode %}

![](/files/-LOOighsvbnGtFYmGnBi)

{% hint style="warning" %}
Note: service display names and descriptions can be changed at installation time
{% endhint %}

## Windows Events

{% code title="attacker\@victim" %}

```cmd
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational
```

{% endcode %}

![](/files/-LOOjHPWGDSHkbU5Pwvj)

## Filters

{% code title="attacker\@victim" %}

```powershell
PS C:\> fltMC.exe
```

{% endcode %}

Note that even though the Sysmon service and driver names can be changed, the minifilter altitude allocated to Sysmon is always the same: `385201`.

![](/files/-LOOjlnxkHRyqT6nLFzU)

## Sysmon Tools + Accepted Eula

{% code title="attacker\@victim" %}

```powershell
ls HKCU:\Software\Sysinternals
```

{% endcode %}

![](/files/-LOOkcleCCvSzv-kmWDX)
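The checks from the Processes, Services, Windows Events, Filters and EULA sections above, combined into one function that reports which indicators are present on the local host. This is an added example for validating a Sysmon deployment, not code from the original page; the default process name, service description and registry paths are the stock values the page shows, and the altitude `385201` is the one the page names as constant across renamed installs. `fltMC.exe filters` needs an elevated shell, so that indicator reads as absent when run unprivileged.

```powershell
# Added example: consolidate the Sysmon presence indicators described on this page.
# Only the altitude survives a renamed install; the other checks are best-effort.
function Test-SysmonIndicators {
    [CmdletBinding()]
    param(
        [string]$ProcessName        = 'Sysmon',                 # default binary name
        [string]$ServiceDescription = 'System Monitor service', # default service description
        [string]$Altitude           = '385201'                  # allocated minifilter altitude
    )

    $results = [ordered]@{}

    # 1. Process with the default name (defeated by simply renaming the binary)
    $results.Process = [bool](Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)

    # 2. Service whose description still reads 'System Monitor service'
    $svc = Get-CimInstance Win32_Service -Filter "Description = '$ServiceDescription'" `
               -ErrorAction SilentlyContinue
    $results.Service = [bool]$svc

    # 3. Event channel registration; present for as long as Sysmon writes its log
    $channel = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\' +
               'Microsoft-Windows-Sysmon/Operational'
    $results.EventChannel = Test-Path -Path $channel

    # 4. Minifilter altitude: fltMC prints "<name> <instances> <altitude> <frame>" rows.
    #    Requires elevation; stderr is discarded so a denied call just yields $false.
    $fltLines = & fltMC.exe filters 2>$null
    $results.FilterAltitude = [bool]($fltLines |
        Where-Object { ($_ -split '\s+') -contains $Altitude })

    # 5. EULA acceptance left in HKCU by whichever Sysinternals tools the user ran
    $eula = Get-ChildItem 'HKCU:\Software\Sysinternals' -ErrorAction SilentlyContinue |
        Where-Object { (Get-ItemProperty $_.PSPath).EulaAccepted -eq 1 } |
        Select-Object -ExpandProperty PSChildName
    $results.EulaAccepted = @($eula)

    [pscustomobject]$results
}

Test-SysmonIndicators | Format-List
```

A host where only `FilterAltitude` and `EventChannel` are true is the renamed-install case the warnings above describe.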

## Sysmon -c

Once the Sysmon executable is found, its active configuration can be dumped like so:

```cmd
sysmon -c
```

![](/files/-LOOvPUPPG3UZl4cGM6z)

## Config File on the Disk

If you are lucky enough, you may be able to find the config file itself on disk by using the native Windows utility findstr:

{% code title="attacker\@victim" %}

```powershell
findstr /si '<ProcessCreate onmatch="exclude">' C:\tools\*
```

{% endcode %}

![](/files/-LOOyZ8B1S66xdWiTWar)

## Get-SysmonConfiguration

A PowerShell tool by @mattifestation (part of PSSysmonTools) that extracts the Sysmon rules from the registry:

{% code title="attacker\@victim" %}

```powershell
PS C:\tools> (Get-SysmonConfiguration).Rules
```

{% endcode %}

![](/files/-LOOoAGwjhaEnNsXljLG)

As an example, looking a bit deeper into the `ProcessCreate` rules:

{% code title="attacker\@victim" %}

```powershell
(Get-SysmonConfiguration).Rules[0].Rules
```

{% endcode %}

We can see the rules almost exactly as they were presented in the Sysmon configuration XML file:

![](/files/-LOOoWdDkFIxPk31gLk9)

A snippet from the actual sysmonconfig-export.xml file:

![](/files/-LOOot8jxGW0TSXz4g3b)

## Bypassing Sysmon

Since [Get-SysmonConfiguration](/offensive-security/enumeration-and-discovery/detecting-sysmon-on-the-victim-host.md#get-sysmonconfiguration) shows you the rules Sysmon is matching on, you can work around those rules.

Another way to bypass Sysmon altogether is explored here:

{% content-ref url="/pages/-LMEMZmcmnRPz\_5XyjIi" %}
[Unloading Sysmon Driver](/offensive-security/defense-evasion/unloading-sysmon-driver.md)
{% endcontent-ref %}

## References

{% embed url="https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon" %}

{% embed url="https://github.com/mattifestation/PSSysmonTools/blob/master/PSSysmonTools/Code/SysmonRuleParser.ps1" %}

{% embed url="https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes" %}

{% embed url="https://github.com/GhostPack/Seatbelt" %}
