Red Teaming Experiments
linkedintwitterpatreongithub
Search…
What is ired.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Windows Event IDs and Others for Situational Awareness
Enumerating COM Objects and their Methods
Enumerating Users without net, Services without sc and Scheduled Tasks without schtasks
Enumerating Windows Domains with rpcclient through SocksProxy == Bypassing Command Line Logging
Dump GAL from OWA
Application Window Discovery
Account Discovery & Enumeration
Using COM to Enumerate Hostname, Username, Domain, Network Drives
Detecting Sysmon on the Victim Host
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
Exfiltration
reversing, forensics & misc
Internals
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered By GitBook
Detecting Sysmon on the Victim Host
Exploring ways to detect Sysmon presence on the victim system

[email protected]
PS C:\> Get-Process | Where-Object { $_.ProcessName -eq "Sysmon" }
Note: process name can be changed during installation

[email protected]
Get-CimInstance win32_service -Filter "Description = 'System Monitor service'"
# or
Get-Service | where-object {$_.DisplayName -like "*sysm*"}
Note: display names and descriptions can be changed

[email protected]
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational

[email protected]
PS C:\> fltMC.exe
Note how even though you can change the sysmon service and driver names, the sysmon altitude is always the same - 385201

[email protected]
ls HKCU:\Software\Sysinternals

Once symon executable is found, the config file can be checked like so:
sysmon -c

If you are lucky enough, you may be able to find the config file itself on the disk by using native windows utility findstr:
[email protected]
findstr /si '<ProcessCreate onmatch="exclude">' C:\tools\*

A powershell tool by @mattifestation that extracts sysmon rules from the registry:
[email protected]
PS C:\tools> (Get-SysmonConfiguration).Rules
As an example, looking a bit deeper into the ProcessCreate rules:
[email protected]
(Get-SysmonConfiguration).Rules[0].Rules
We can see the rules almost as they were presented in the sysmon configuration XML file:
A snippet from the actual sysmonconfig-export.xml file:

Since Get-SysmonConfiguration gives you the ability to see the rules sysmon is monitoring on, you can play around those.
Another way to bypass the sysmon altogether is explored here:

Operating Offensively Against Sysmon
Shell is Only the Beginning
PSSysmonTools/SysmonRuleParser.ps1 at master · mattifestation/PSSysmonTools
GitHub
Allocated filter altitudes - Windows drivers
docsmsft
GitHub - GhostPack/Seatbelt: Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
GitHub
​
Previous
Using COM to Enumerate Hostname, Username, Domain, Network Drives
Next - offensive security
Privilege Escalation
Last modified 3yr ago
Copy link
On this page
Processes
Services
Windows Events
Filters
Sysmon Tools + Accepted Eula
Sysmon -c
Config File on the Disk
Get-SysmonConfiguration
Bypassing Sysmon
References