Red Teaming Experiments
Red Teaming Experiments
linkedin
github
@spotheplanet
patreon
What is this?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Windows Event IDs and Others for Situational Awareness
Enumerating COM Objects and their Methods
Enumerating Users without net, Services without sc and Scheduled Tasks without schtasks
Enumerating Windows Domains with rpcclient through SocksProxy == Bypassing Command Line Logging
Dump GAL from OWA
T1010: Application Window Discovery
T1087: Account Discovery & Enumeration
Using COM to Enumerate Hostname, Username, Domain, Network Drives
Detecting Sysmon on the Victim Host
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
Exfiltration
reversing, forensics & misc
Windows Kernel / Internals
Exploring Process Environment Block
ETW: Event Tracing for Windows 101
Parsing PE File Headers with C++
Exploring Injected Threads
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered by GitBook

Detecting Sysmon on the Victim Host

Exploring ways to detect Sysmon presence on the victim system

Processes

attacker@victim
PS C:\> Get-Process | Where-Object { $_.ProcessName -eq "Sysmon" }

Note: process name can be changed during installation

Services

attacker@victim
Get-CimInstance win32_service -Filter "Description = 'System Monitor service'"
# or
Get-Service | where-object {$_.DisplayName -like "*sysm*"}

Note: display names and descriptions can be changed

Windows Events

attacker@victim
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational

Filters

attacker@victim
PS C:\> fltMC.exe

Note how even though you can change the sysmon service and driver names, the sysmon altitude is always the same - 385201

Sysmon Tools + Accepted Eula

attacker@victim
ls HKCU:\Software\Sysinternals

Sysmon -c

Once symon executable is found, the config file can be checked like so:

sysmon -c

Config File on the Disk

If you are lucky enough, you may be able to find the config file itself on the disk by using native windows utility findstr:

attcker@victim
findstr /si '<ProcessCreate onmatch="exclude">' C:\tools\*

Get-SysmonConfiguration

A powershell tool by @mattifestation that extracts sysmon rules from the registry:

attacker@victim
PS C:\tools> (Get-SysmonConfiguration).Rules

As an example, looking a bit deeper into the ProcessCreate rules:

attacker@victim
(Get-SysmonConfiguration).Rules[0].Rules

We can see the rules almost as they were presented in the sysmon configuration XML file:

A snippet from the actual sysmonconfig-export.xml file:

Bypassing Sysmon

Since Get-SysmonConfiguration gives you the ability to see the rules sysmon is monitoring on, you can play around those.

Another way to bypass the sysmon altogether is explored here:

References

​

Previous
Using COM to Enumerate Hostname, Username, Domain, Network Drives
Next - offensive security
Privilege Escalation
Last updated 2 years ago
Contents
Processes
Services
Windows Events
Filters
Sysmon Tools + Accepted Eula
Sysmon -c
Config File on the Disk
Get-SysmonConfiguration
Bypassing Sysmon
References