attacker@victimPS C:\> Get-Process | Where-Object { $_.ProcessName -eq "Sysmon" }
Note: process name can be changed during installation
attacker@victimGet-CimInstance win32_service -Filter "Description = 'System Monitor service'"# orGet-Service | where-object {$_.DisplayName -like "*sysm*"}
Note: display names and descriptions can be changed
attacker@victimreg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational
attacker@victimPS C:\> fltMC.exe
Note how even though you can change the sysmon service and driver names, the sysmon altitude is always the same - 385201
attacker@victimls HKCU:\Software\Sysinternals
Once symon executable is found, the config file can be checked like so:
sysmon -c
If you are lucky enough, you may be able to find the config file itself on the disk by using native windows utility findstr:
attcker@victimfindstr /si '<ProcessCreate onmatch="exclude">' C:\tools\*
A powershell tool by @mattifestation that extracts sysmon rules from the registry:
attacker@victimPS C:\tools> (Get-SysmonConfiguration).Rules
As an example, looking a bit deeper into the ProcessCreate
rules:
attacker@victim(Get-SysmonConfiguration).Rules[0].Rules
We can see the rules almost as they were presented in the sysmon configuration XML file:
A snippet from the actual sysmonconfig-export.xml file:
Since Get-SysmonConfiguration gives you the ability to see the rules sysmon is monitoring on, you can play around those.
Another way to bypass the sysmon altogether is explored here:
​