Red Teaming Experiments
linkedingithub@spotheplanetpatreon
Search…
What is ired.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Windows Event IDs and Others for Situational Awareness
Enumerating COM Objects and their Methods
Enumerating Users without net, Services without sc and Scheduled Tasks without schtasks
Enumerating Windows Domains with rpcclient through SocksProxy == Bypassing Command Line Logging
Dump GAL from OWA
Application Window Discovery
Account Discovery & Enumeration
Using COM to Enumerate Hostname, Username, Domain, Network Drives
Detecting Sysmon on the Victim Host
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
Exfiltration
reversing, forensics & misc
Internals
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered By GitBook
Detecting Sysmon on the Victim Host
Exploring ways to detect Sysmon presence on the victim system

Processes

[email protected]
1
PS C:\> Get-Process | Where-Object { $_.ProcessName -eq "Sysmon" }
Copied!
Note: process name can be changed during installation

Services

[email protected]
1
Get-CimInstance win32_service -Filter "Description = 'System Monitor service'"
2
# or
3
Get-Service | where-object {$_.DisplayName -like "*sysm*"}
Copied!
Note: display names and descriptions can be changed

Windows Events

[email protected]
1
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational
Copied!

Filters

[email protected]
1
PS C:\> fltMC.exe
Copied!
Note how even though you can change the sysmon service and driver names, the sysmon altitude is always the same - 385201

Sysmon Tools + Accepted Eula

[email protected]
1
ls HKCU:\Software\Sysinternals
Copied!

Sysmon -c

Once symon executable is found, the config file can be checked like so:
1
sysmon -c
Copied!

Config File on the Disk

If you are lucky enough, you may be able to find the config file itself on the disk by using native windows utility findstr:
[email protected]
1
findstr /si '<ProcessCreate onmatch="exclude">' C:\tools\*
Copied!

Get-SysmonConfiguration

A powershell tool by @mattifestation that extracts sysmon rules from the registry:
[email protected]
1
PS C:\tools> (Get-SysmonConfiguration).Rules
Copied!
As an example, looking a bit deeper into the ProcessCreate rules:
[email protected]
1
(Get-SysmonConfiguration).Rules[0].Rules
Copied!
We can see the rules almost as they were presented in the sysmon configuration XML file:
A snippet from the actual sysmonconfig-export.xml file:

Bypassing Sysmon

Since Get-SysmonConfiguration gives you the ability to see the rules sysmon is monitoring on, you can play around those.
Another way to bypass the sysmon altogether is explored here:

References

Operating Offensively Against Sysmon
Shell is Only the Beginning
PSSysmonTools/SysmonRuleParser.ps1 at master · mattifestation/PSSysmonTools
GitHub
Allocated filter altitudes - Windows drivers
docsmsft
GitHub - GhostPack/Seatbelt: Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
GitHub
​
Previous
Using COM to Enumerate Hostname, Username, Domain, Network Drives
Next - offensive security
Privilege Escalation
Last modified 3yr ago
Copy link
Contents
Processes
Services
Windows Events
Filters
Sysmon Tools + Accepted Eula
Sysmon -c
Config File on the Disk
Get-SysmonConfiguration
Bypassing Sysmon
References