search

Detecting Sysmon on the Victim Host

Exploring ways to detect Sysmon presence on the victim system

hashtag
Processes

attacker@victim
PS C:\> Get-Process | Where-Object { $_.ProcessName -eq "Sysmon" }
circle-exclamation

Note: process name can be changed during installation

hashtag
Services

circle-exclamation

Note: display names and descriptions can be changed

hashtag
Windows Events

hashtag
Filters

Note how even though you can change the sysmon service and driver names, the sysmon altitude is always the same - 385201

hashtag
Sysmon Tools + Accepted Eula

hashtag
Sysmon -c

Once symon executable is found, the config file can be checked like so:

hashtag
Config File on the Disk

If you are lucky enough, you may be able to find the config file itself on the disk by using native windows utility findstr:

hashtag
Get-SysmonConfiguration

A powershell tool by @mattifestation that extracts sysmon rules from the registry:

As an example, looking a bit deeper into the ProcessCreate rules:

We can see the rules almost as they were presented in the sysmon configuration XML file:

A snippet from the actual sysmonconfig-export.xml file:

hashtag
Bypassing Sysmon

Since Get-SysmonConfiguration gives you the ability to see the rules sysmon is monitoring on, you can play around those.

Another way to bypass the sysmon altogether is explored here:

Unloading Sysmon Driverchevron-right

hashtag
References

Operating Offensively Against SysmonShell is Only the Beginningchevron-right
LogoPSSysmonTools/PSSysmonTools/Code/SysmonRuleParser.ps1 at master · mattifestation/PSSysmonToolsGitHubchevron-right
LogoAllocated Filter Altitudes - Windows driversMicrosoftLearnchevron-right
LogoGitHub - GhostPack/Seatbelt: Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.GitHubchevron-right

PreviousUsing COM to Enumerate Hostname, Username, Domain, Network DrivesNextPrivilege Escalation

Last updated